Support Center > Search Results > SecureKnowledge Details
'TCP Out of State' error messages on IPSO Clustering or IPSO VRRP cluster
Symptoms
  • Various TCP packet out-of-state logs in SmartView Tracker when the synchronization mechanism is under load in IPSO Clustering or IPSO VRRP cluster.
Solution

Error Message: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK TCP packet out of state - first packet isn't SYN tcp_flags: FINPUSH-ACK

This message occurs when a FIN packet is retransmitted after deleting the connection from the Connections table.

To solve this problem, go to SmartDashboard -> Policy menu -> Global Properties -> Stateful Inspection - increase the 'TCP end timeout' from 20 seconds (default) to 60 seconds. If necessary, also increase the number of maximum concurrent connections to prevent the Connections table from filling up (SmartDashboard -> Cluster object properties -> Capacity Optimization).

In addition, refer to sk39777 - IP Platforms Best Practices for Performance.

 

Error Message: SYN packet for established connection

This message occurs when a SYN packet is received on an established connection, and the TCP Sequence Verifier is turned off. The TCP Sequence Verifier is turned off for a non-sticky connection in a cluster environment and is not supported with a cluster object. Refer to sk38721 - Error Message "Flows: Tcp Sequence Verifier acceleration not supported on the gateway" when installing policy.

Follow sk15984 - TCP connections fail to open through Security Gateway under traffic load due to port re-use.

 

Error Message: ICMP Out of State Errors

Refer to sk40575 - How to enable ICMP Redirects on IPSO.

Imported from Nokia support database

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment