'TCP Out of State' error messages on IPSO Clustering or IPSO VRRP cluster
Error Message: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK TCP packet out of state - first packet isn't SYN tcp_flags: FINPUSH-ACK
This message occurs when a FIN packet is retransmitted after deleting the connection from the Connections table.
To solve this problem, go to SmartDashboard -> Policy menu -> Global Properties -> Stateful Inspection - increase the '
TCP end timeout' from 20 seconds (default) to 60 seconds. If necessary, also increase the number of maximum concurrent connections to prevent the Connections table from filling up (SmartDashboard -> Cluster object properties -> Capacity Optimization).
In addition, refer to sk39777 - IP Platforms Best Practices for Performance.
Error Message: SYN packet for established connection
This message occurs when a SYN packet is received on an established connection, and the TCP Sequence Verifier is turned off. The TCP Sequence Verifier is turned off for a non-sticky connection in a cluster environment and is not supported with a cluster object. Refer to sk38721 - Error Message "Flows: Tcp Sequence Verifier acceleration not supported on the gateway" when installing policy.
Follow sk15984 - TCP connections fail to open through Security Gateway under traffic load due to port re-use.
Error Message: ICMP Out of State Errors
Refer to sk40575 - How to enable ICMP Redirects on IPSO.
Imported from Nokia support database