Firebox tcp syn checking failed

Hi
At some point a simple rule "allow network1 to connect to network2" stopped working. I get messages like "Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 234 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 8 A 1233946425 win 11040"
Any idea where to look?
Many thanks

Comments

  • Review this:
    What does the log message "tcp syn checking failed" mean?
    https://watchguardsupport.secure.force.com/publicKB?type=Article&SFDCID=kA10H000000g3XISAY&lang=en_US

    If this issue persists, you can unselect "Enable TCP SYN packet and connection state verification" in the Global Settings -> Network.
    Doing so should not hurt anything.

  • edited December 2019

    That did the trick, but I can still connect to the server only from the same network; for the others I get "Server isn't responding" and occasionally "tcp invalid connection state" in the Firebox.

  • Dual paths to the server via 2 different firewall interfaces ?

  • Sorry, I didn't get it. I have interfaces 172.16.5.XX and 192.168.0.XX and a rule that allows ports 443 and 80 from the first to the second.

  • Oh no, it looks like the server itself is down.

  • edited December 2019

    Some people have 2 Ethernet NICs on their server and have 1 NIC connected to 1 firewall interface and 1 to another firewall interface, which can cause all sorts of issues, possibly including TCP SYN issues.

    If the packets are being allowed to the server, then you need to look at the server to see if there is a software firewall or something else which is preventing reply packets from returning.

    You can turn on Logging on your policy to see packets allowed by it in Traffic Monitor.
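    The SYN check discussed in this thread, as a small added Python model (not WatchGuard's or Fireware's code): it parses the flag letters out of a constructed `tcp_info` field like the one in the question, and a toy stateful checker shows why a packet that reaches the firewall without a preceding SYN (for example, when part of the handshake took another path) is logged as "tcp syn checking failed", and why disabling the check makes that same packet pass.

```python
import re

# Constructed sample, modelled on the log message quoted in the question.
LOG_LINE = ('Firebox tcp syn checking failed (expecting SYN packet for new TCP '
            'connection, but received ACK, FIN, or RST instead). proc_id="firewall" '
            'rc="101" msg_id="3000-0148" tcp_info="offset 8 A 1233946425 win 11040"')

FLAG_NAMES = {'S': 'SYN', 'A': 'ACK', 'F': 'FIN', 'R': 'RST', 'P': 'PSH', 'U': 'URG'}

def parse_tcp_flags(line):
    """Extract the flag letters from the tcp_info field and expand them, e.g. 'A' -> ['ACK']."""
    m = re.search(r'tcp_info="offset \d+ ([A-Z]+) \d+ win \d+"', line)
    if not m:
        return None
    return [FLAG_NAMES.get(c, c) for c in m.group(1)]

class SynChecker:
    """Hypothetical minimal model of a stateful firewall's SYN check (not Fireware logic)."""
    def __init__(self, syn_check=True):
        self.syn_check = syn_check
        self.flows = set()  # each known flow stored as a frozenset of its two endpoints

    def inspect(self, src, sport, dst, dport, flags):
        flow = frozenset({(src, sport), (dst, dport)})
        if flow in self.flows:
            return 'allow'                       # known flow, either direction
        if 'S' in flags and 'A' not in flags:
            self.flows.add(flow)                 # a bare SYN opens new state
            return 'allow'
        if self.syn_check:
            return 'tcp syn checking failed'     # ACK/FIN/RST with no state: rejected
        self.flows.add(flow)                     # check disabled: pick the flow up mid-stream
        return 'allow'

def symmetric_scenario():
    """Whole handshake transits the firewall: SYN creates state, the rest is matched to it."""
    fw = SynChecker(True)
    return (fw.inspect('172.16.5.20', 51000, '192.168.0.10', 443, 'S'),
            fw.inspect('192.168.0.10', 443, '172.16.5.20', 51000, 'SA'),
            fw.inspect('172.16.5.20', 51000, '192.168.0.10', 443, 'A'))

def asymmetric_scenario(syn_check=True):
    """The SYN reached the server by a path the firewall never saw (e.g. a second server NIC
    on the client's segment); only a later ACK from the server arrives at the firewall."""
    fw = SynChecker(syn_check)
    return fw.inspect('192.168.0.10', 443, '172.16.5.20', 51000, 'A')
```

    Turning the check off hides the symptom, as the first reply notes, but the firewall is then accepting flows it never saw start, so fixing the path (one NIC, one way through the firewall) is the better outcome.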

  • Look closely at the destination interface of those "tcp invalid connection state" messages. I believe after installing Fireware 12.5.1, I started getting TONS of them from different devices, ALL pointing to "dest_intf=Firebox" as the destination, even though they have explicit rules pointing them to certain IP addresses. Those rules work fine, but over and over again, these "tcp invalid connection state" messages come up, clogging my FSM traffic monitor screen with frivolous garbage messages. Sometimes they come from external IP addresses, but it's always to the same "dest_intf=Firebox" target.

    SO ANNOYING.

    Gregg Hill

  • It was indeed the second NIC which gave the problem. Thank you, Bruce_Briggs
