TCP traffic with undefined TCP option is dropped as "tcp out of state" when SecureXL is enabled
Symptoms
  • TCP traffic carrying an undefined (unknown) TCP option is dropped as "tcp out of state" when SecureXL is enabled.

  • Kernel debug (fw ctl zdebug + drop) shows the following packet drops:
    [DATE TIME];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [][PPK0];
    [DATE TIME];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for -> dropping packet ;
    [DATE TIME];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:;

  • Packet capture shows "Unknown TCP Option" in pcap, for example:

    Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Ethernet II, Src: CheckPoi_3b:xx:xx (00:1c:7f:3b:xx:xx), Dst: All-HSRP-routers_14 (00:00:0c:07:xx:xx)
    Internet Protocol Version 4, Src: xxx.xxx.196.148, Dst: yyy.yyy.114.12
    Transmission Control Protocol, Src Port: 22, Dst Port: 50236, Seq: 0, Ack: 1, Len: 0
        Source Port: 22
        Destination Port: 50236
        [Stream index: 0]
        [TCP Segment Len: 0]
        Sequence number: 0    (relative sequence number)
        [Next sequence number: 0    (relative sequence number)]
        Acknowledgment number: 1    (relative ack number)
        0111 .... = Header Length: 28 bytes (7)
        Flags: 0x012 (SYN, ACK)
        Window size value: 4128
        [Calculated window size: 4128]
        Checksum: 0x20c4 [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        Options: (8 bytes), Maximum segment size
            TCP Option - Maximum segment size: 536 bytes
            Unknown (0x87) (option length = 129 bytes says option goes past end of options)
                [Expert Info (Note/Sequence): Unknown (0x87) (option length = 129 bytes says option goes past end of options)]
        [SEQ/ACK analysis]
        [Timestamps]

  • Following sk147093 does not resolve the issue.

Cause

Based on RFC 1122 Section 4.2.2.5, a TCP packet carrying an undefined/unknown TCP option must be ignored, and the connection should be dropped/reset; this is why SecureXL drops the connection.

For TCP Options, refer to https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml
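To make the option handling in the capture above concrete, the following added example (not Check Point or SecureXL code) walks a raw TCP header's options field the way a receiver should under RFC 1122 Section 4.2.2.5: every option it does not implement is skipped by its length byte, while an option whose length claims more bytes than remain (as the kind 0x87, length 129 option in the capture does) is reported as malformed rather than parsed. The two sample headers, `SAMPLE_HEADER_BAD` and `SAMPLE_HEADER_OK`, are constructed here to mirror the captured SYN/ACK (28-byte header, MSS 536) and are not taken from the page; the function names are this example's own.

```python
"""Parse the options area of a raw TCP header and classify each option.

Added example, not Check Point / SecureXL code. Demonstrates the RFC 1122
4.2.2.5 rule (ignore unimplemented options by skipping their length) and
detects an option whose stated length runs past the end of the options area.
"""
import struct

# Option kinds this parser recognises; anything else is reported as "Unknown"
# and skipped by length, as RFC 1122 requires.
KNOWN_KINDS = {
    0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale",
    4: "SACK-Permitted", 5: "SACK", 8: "Timestamps",
}


def parse_tcp_options(tcp_header: bytes):
    """Return (options, problems) for raw TCP header bytes.

    options:  list of (kind, name, payload_bytes) in wire order
    problems: list of strings describing malformed options (empty if clean)
    """
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError(f"invalid data offset {data_offset}")
    opts = tcp_header[20:data_offset]
    parsed, problems = [], []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List: single byte, nothing follows
            parsed.append((0, "EOL", b""))
            break
        if kind == 1:  # No-Operation: single byte, no length field
            parsed.append((1, "NOP", b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            problems.append(f"option kind {kind:#04x} at offset {i}: missing length byte")
            break
        length = opts[i + 1]
        if length < 2:  # length covers kind+length bytes, so < 2 is impossible
            problems.append(f"option kind {kind:#04x} at offset {i}: invalid length {length}")
            break
        if i + length > len(opts):  # the case seen in the capture (0x87, len 129)
            problems.append(
                f"option kind {kind:#04x} at offset {i}: length {length} runs past "
                f"end of options ({len(opts) - i} bytes remain)"
            )
            break
        payload = opts[i + 2:i + length]
        parsed.append((kind, KNOWN_KINDS.get(kind, "Unknown"), payload))
        i += length  # unknown kinds are skipped here, never rejected
    return parsed, problems


def mss_value(options):
    """Return the MSS from parsed options, or None if absent or malformed."""
    for kind, _, payload in options:
        if kind == 2 and len(payload) == 2:
            return struct.unpack("!H", payload)[0]
    return None


# Constructed 20-byte base header resembling the capture: src port 22,
# dst port 50236, seq 0, ack 1, data offset 7 (28 bytes), flags 0x012
# (SYN, ACK), window 4128, checksum and urgent pointer zero.
_BASE = struct.pack("!HHIIBBHHH", 22, 50236, 0, 1, 7 << 4, 0x12, 4128, 0, 0)

# Options as in the capture: MSS 536 followed by an unknown kind 0x87 whose
# length byte (129) exceeds the 4 bytes that remain.
SAMPLE_HEADER_BAD = _BASE + bytes([2, 4, 0x02, 0x18]) + bytes([0x87, 129, 0, 0])

# Same header with a well-formed unknown option (kind 0x87, length 2) padded
# with two NOPs: it is skipped and parsing completes without a problem.
SAMPLE_HEADER_OK = _BASE + bytes([2, 4, 0x02, 0x18]) + bytes([0x87, 2, 1, 1])


if __name__ == "__main__":
    for label, hdr in (("bad", SAMPLE_HEADER_BAD), ("ok", SAMPLE_HEADER_OK)):
        options, problems = parse_tcp_options(hdr)
        print(label, [(k, n) for k, n, _ in options], "MSS:", mss_value(options))
        for p in problems:
            print("  malformed:", p)
```

Run stand-alone, the first header yields MSS 536 and one malformed-option report; the second yields MSS 536, an "Unknown" option and two NOPs with no report, which is the distinction between an option a receiver merely does not implement and one whose encoding is invalid.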


Solution