Support Center > Search Results > SecureKnowledge Details
IPS protection "Sequence Verifier" drops legitimate packets when SecureXL is enabled Technical Level
Symptoms
  • After enabling IPS protection "Sequence Verifier", SmartView Tracker logs show that legitimate packets are dropped (some TCP connections are not able to complete the initial handshake).

  • Traffic is dropped only when SecureXL is enabled.

  • When IPS profile is set to 'Detect-Only for Troubleshoot' mode, traffic is not dropped anymore.

  • Kernel debug during the issue ('fw ctl debug -m fw + drop conn vm packval tcpstr') shows:

    [-- Stateful VM inbound: Entering (...) --];
    ;Before VM: < IP_1:Port_1 - > IP_2:Port_2 IPP 6 > (len=...) TCP flags=0x... (FLAGS), seq=..., ack=..., data end=... (ifn=...) (first seen) ;
    ;fw_conn_inspect: Packet accepted (fast path);
    ;fwseqvalid_translate_verify: packet: ... ... ..., S:..., A:..., W:..., DE:...;
    ;fwseqvalid_translate_verify: database: ... ..., C2S: A:..., DE:a5dc73a1, W:..., S2C: A:..., DE:..., W:...;
    ;fwseqvalid_translate_verify: Invalid ACK dropped;
    ;fw_log_drop: Packet proto=6 IP_1:Port_1 - > IP_2:Port_2 dropped by fwseqvalid_translate_verify Reason: invalid ACK;
    ;fw_filter_chain: Sequence verifier action=VANISH;
    ;fw_filter_chain: Final switch, action=VANISH;
    ;After VM: < IP_1:Port_1 - > IP_2:Port_2 IPP 6 > (len=...) TCP flags=0x... (FLAGS), seq=..., ack=..., data end=... ;
    ;VM Final action=VANISH;
    ; ----- Stateful VM inbound Completed -----
    
  • SecureXL SIM debug during the issue ('sim dbg -m pkt + notif tcpstate tcpstatepkt seqvalid' , 'sim dbg -m mgr + seqvalid notif') shows:

    ;[SIM]do_outbound: forwarding packet to network (ifnum=...)...;
    ;[SIM]do_inbound: got packet 0x... on cpu N of <IP_1,Port_1,IP_2,Port_2,6>;
    ;[SIM]tcp_seqvalid_verify: cdir=s2c, state=0x60000, th_flags=0x..., seq=0x..., otherdir_seq=0x..., ack=0x..., otherdir_ack=0x...ourdir_seq=0x..., ourdir_ack=0x...;
    ;[SIM]tcp_seqvalid_verify: Established ACK mismtach (otherdir->ack=..., ack=..., otherdir->seq=...) -> forwarding to firewall;
    ;[SIM]simtcp_validate_tcp : TCP packet (th_flags=0x...) with invalid sequence information <IP_2,Port_2,IP_1,Port_1,6>-> forwarding to firewall;
    ;[SIM]do_inbound: Possible TCP state violation for <IP_1,Port_1,IP_2,Port_2,6> -> forwarding to firewall;
    ;fwconn_lookup_other_ex: conn <dir 0, IP_2:IP_2 -> IP_1:Port_1 IPP 6;...>
    found in connections table;
    ;fwseqvalid_local_set: Setting current parameters ...;
    
  • The issue is more likely to occur when Security Gateway is under medium or high load.

Cause

"Invalid ACK" means that Security Gateway detected an "ACK" on a packet that was never sent or a duplicate "ACK".

For every TCP flow, the SecureXL mechanism updates the database with Sequence and Acknowledge numbers. Specific flows can cause a race condition between SecureXL and Firewall mechanism. When such condition occurs, the SecureXL mechanism is not updating the database regarding the sequence number of the accelerated packet. The TCP reply packet will be dropped since it is acknowledging a packet that is presumably was not seen by the Firewall.


Solution
Note: To view this solution you need to Sign In .