tcp syn checking failed

FireboxV 12.10.4 U1

I have a policy allowing 3389/tcp from sslvpn to an internal server.
RDP connection was up and the user was working through the RDP connection. At 20:00:01 the firewall logged 2 (two) tcp syn checking failed on an ACK packet and right after an AllowEnd on the same traffic.
Guess this can happen due to many things, so I am not worried, but I do not understand why the firewall afterwards keeps denying 3389/tcp traffic as Unhandled-External-Packet-00.

Could this be due to routing issues between endpoints? Missing data packets?

2024-09-10 19:34:22 FWAllow, Allowed, pri=6, disp=Allow, policy=Bredana-RDP-IN-00, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=62542, dst_ip=INTERNAL-IP, dst_port=3389, src_intf=0-SSL-VPN, dst_intf=Internal Network, rc=100, pckt_len=52, ttl=127, pr_info=offset 8 S 4290397392 win 61690, src_user=SSLVPN-USER@AuthPoint, 3000-0148
2024-09-10 19:34:30 FWDeny, Denied, pri=4, disp=Deny, policy=Unhandled-External-Packet-00, protocol=3389/udp, src_ip=192.168.115.2, src_port=57930, dst_ip=INTERNAL-IP, dst_port=3389, src_intf=0-SSL-VPN, dst_intf=Internal Network, rc=101, pckt_len=1260, ttl=127, duration=0; sent_bytes=1260; rcvd_bytes=0, src_user=SSLVPN-USER@AuthPoint, 3000-0148
2024-09-10 19:34:37 FWAllow, Allowed, pri=6, disp=Allow, policy=Bredana-RDP-IN-00, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=62546, dst_ip=INTERNAL-IP, dst_port=3389, src_intf=0-SSL-VPN, dst_intf=Internal Network, rc=100, pckt_len=52, ttl=127, pr_info=offset 8 S 1708745539 win 61690, src_user=SSLVPN-USER@AuthPoint, 3000-0148
2024-09-10 19:34:38 FWDeny, Denied, pri=4, disp=Deny, policy=Unhandled-External-Packet-00, protocol=3389/udp, src_ip=192.168.115.2, src_port=57931, dst_ip=INTERNAL-IP, dst_port=3389, src_intf=0-SSL-VPN, dst_intf=Internal Network, rc=101, pckt_len=1260, ttl=127, duration=0; sent_bytes=1260; rcvd_bytes=0, src_user=SSLVPN-USER@AuthPoint, 3000-0148
2024-09-10 19:34:53 FWAllowEnd, Allowed, pri=6, disp=Allow, policy=Bredana-RDP-IN-00, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=62542, dst_ip=INTERNAL-IP, dst_port=3389, src_intf=0-SSL-VPN, dst_intf=Internal Network, rc=106, duration=31; sent_bytes=41143; rcvd_bytes=181501, src_user=SSLVPN-USER@AuthPoint, 3000-0151
2024-09-10 20:00:01 FWDeny, tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead)., pri=4, disp=Deny, policy=Internal-Policy, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=62546, dst_ip=INTERNAL-IP, dst_port=3389, src_intf=0-SSL-VPN, dst_intf=Firebox, rc=101, pckt_len=83, ttl=128, pr_info=offset 5 A 171737155 win 65283, duration=0; sent_bytes=83; rcvd_bytes=0, src_user=SSLVPN-USER@AuthPoint, 3000-0148
2024-09-10 20:00:01 FWDeny, tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead)., pri=4, disp=Deny, policy=Internal-Policy, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=62546, dst_ip=INTERNAL-IP, dst_port=3389, src_intf=0-SSL-VPN, dst_intf=Firebox, rc=101, pckt_len=83, ttl=128, pr_info=offset 5 A 3745218627 win 65283, duration=0; sent_bytes=83; rcvd_bytes=0, src_user=SSLVPN-USER@AuthPoint, 3000-0148
2024-09-10 20:00:01 FWAllowEnd, Allowed, pri=6, disp=Allow, policy=Bredana-RDP-IN-00, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=62546, dst_ip=INTERNAL-IP, dst_port=3389, src_intf=0-SSL-VPN, dst_intf=Internal Network, rc=106, duration=1524; sent_bytes=3654986; rcvd_bytes=11875413, src_user=SSLVPN-USER@AuthPoint, 3000-0151
2024-09-10 20:00:32 FWDeny, Denied, pri=4, disp=Deny, policy=Unhandled-External-Packet-00, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=63136, dst_ip=INTERNAL-IP, dst_port=3389, src_intf=0-SSL-VPN, dst_intf=Internal Network, rc=101, pckt_len=52, ttl=127, pr_info=offset 8 S 3680594825 win 61690, duration=0; sent_bytes=52; rcvd_bytes=0, src_user=SSLVPN-USER@AuthPoint, 3000-0148
2024-09-10 20:07:41 FWDeny, Denied, pri=4, disp=Deny, policy=Unhandled-External-Packet-00, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=63388, dst_ip=INTERNAL-IP, dst_port=3389, src_intf=0-SSL-VPN, dst_intf=Internal Network, rc=101, pckt_len=52, ttl=127, pr_info=offset 8 S 1800610303 win 61690, duration=0; sent_bytes=52; rcvd_bytes=0, src_user=SSLVPN-USER@AuthPoint, 3000-0148
2024-09-10 20:09:09 FWDeny, Denied, pri=4, disp=Deny, policy=Unhandled-External-Packet-00, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=63446, dst_ip=INTERNAL-IP, dst_port=3389,

/Robert
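
Added example, not part of the original post and not WatchGuard code: a small triage script that groups log lines like the ones above by client source port, so the denies that hit an already-ended session can be told apart from denied new SYNs. The sample lines are abridged from the post; the function names and labels are this example's own.

```python
import re
from collections import defaultdict

# Log lines abridged from the post (some fields trimmed); nothing else is assumed.
SAMPLE = """\
2024-09-10 19:34:37 FWAllow, Allowed, pri=6, disp=Allow, policy=Bredana-RDP-IN-00, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=62546, dst_port=3389, pr_info=offset 8 S 1708745539 win 61690
2024-09-10 20:00:01 FWDeny, tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead)., pri=4, disp=Deny, policy=Internal-Policy, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=62546, dst_port=3389, pr_info=offset 5 A 171737155 win 65283
2024-09-10 20:00:01 FWAllowEnd, Allowed, pri=6, disp=Allow, policy=Bredana-RDP-IN-00, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=62546, dst_port=3389, duration=1524
2024-09-10 20:00:32 FWDeny, Denied, pri=4, disp=Deny, policy=Unhandled-External-Packet-00, protocol=rdp/tcp, src_ip=192.168.115.2, src_port=63136, dst_port=3389, pr_info=offset 8 S 3680594825 win 61690
"""

def parse(line):
    """Split one traffic log line into a dict of its key=value fields."""
    head = re.match(r"(\S+ \S+) (\w+), ", line)
    if not head:
        return None
    ev = dict(re.findall(r"(\w+)=([^,;]*)", line))
    ev["ts"], ev["type"] = head.groups()
    # pr_info looks like "offset 8 S 1708745539 win 61690"; third token = TCP flags
    flags = re.match(r"offset \d+ (\S+) ", ev.get("pr_info", ""))
    ev["flags"] = flags.group(1) if flags else ""
    ev["syn_check"] = "tcp syn checking failed" in line
    return ev

def triage(text):
    """Group events per client flow and label every deny in that flow."""
    flows = defaultdict(list)
    for ev in filter(None, map(parse, text.splitlines())):
        flows[(ev["src_port"], ev["protocol"])].append(ev)
    report = {}
    for key, evs in flows.items():
        denies = []
        for e in (e for e in evs if e["type"] == "FWDeny"):
            if e["syn_check"]:
                kind = "non-SYN packet (%s) with no matching session" % e["flags"]
            elif e["flags"] == "S":
                kind = "new SYN denied"
            else:
                kind = "denied"
            denies.append((e["ts"], e["policy"], kind))
        report[key] = {
            "allowed": any(e["type"] == "FWAllow" for e in evs),
            "ended": next((e["ts"] for e in evs if e["type"] == "FWAllowEnd"), None),
            "denies": denies,
        }
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the abridged sample, source port 62546 shows an allowed session whose syn-check deny carries the same timestamp as its AllowEnd, while source port 63136 is a separate flow whose first packet, a SYN, is denied by Unhandled-External-Packet-00.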

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Robert_Vilhelmsen
    Without seeing your firewall config, I'm not going to be able to parse thru this and determine why this might be going unhandled.

    Please open a support case so that we can look into this with you.

    -James Carson
    WatchGuard Customer Support
