Support Center > Search Results > SecureKnowledge Details
TCP traffic with ECN-setup SYN packets is dropped without logs
Symptoms
  • TCP traffic is silently being dropped by the Security Gateway.

  • Kernel debug shows the drop occurs on the explicit rule that allows this traffic.

  • The TCP connection has the Explicit Congestion Notification (ECN) flag set (ECN-setup SYN).
Cause

Client sends CWR + ECE + SYN, which is a valid combination of TCP flags according to RFC3168 (this is referred to as a "ECN-setup SYN packet" in Section 6.1.1)

When Check Point Active Streaming (CPAS) technology in Security Gateway detects such a new TCP connection, in which the SYN flag is not set, it determines that such a connection cannot be processed. CPAS kernel debug (fw ctl debug -m CPAS + api) shows:
cpas_newconn : called upon something other than tcp SYN. Aborting


Solution
Note: To view this solution you need to Sign In .