TCP packet out of state: First packet isn't SYN tcp_flags: SYN-ACK

Advanced search

[rockysam39]

I have been getting a lot of dropped packets which are not getting dropped by any rule, but the Information states - "TCP packet out of state: First packet isn't SYN tcp_flags: SYN-ACK".

I searched on various other Forums where it says - "allow such packets to go through (and thus reduce your security level) go to Global Properties, Stateful Inspection and then remove the tick mark next to "Drop out of state TCP packets", install the policy."

Can this be done?
What are the security risk involved if this is done?
N.B.:- We are running  a Resilience Ndurant 20 Box.

I would really appreiciate if anyone can advise.

[juve]

Are the drops on one specific service or on all services? Sometimes increasing the session timeout is also a solution to the drops.

You can also add an entry to the user.def that will allow out of state packets
for one service. This way you don't need to enable it in the general propoerties

example :

deffunc user_accept_non_syn() {
( /* allow only non-http connections to start with a non-SYN packet */
(dport!=80, sport!=80) or 0
)
};

Off course you can replace 80 with another service.

• Articles
• Knowledge base