Firewall is reporting a lot of out of state packets

Article ID: 165747

Products

ProxySG Software - SGOS

Issue/Introduction

The firewall is reporting a lot of 'out of state' packets

Resolution

Firewalls are strict about the TCP state they track: a connection must begin with a proper 3-way handshake, and the firewall discards its state entry soon after a socket goes quiet, because its focus is security. The ProxySG appliance focuses on performance, so to avoid the cost of new handshakes it keeps server-side TCP sockets open for a long time and re-uses them when another request for the same server arrives (HTTP persistent connections).

The typical sequence that causes a firewall to reject packets from the ProxySG is the following:

  • The proxy opens a socket to an Internet server and requests web objects through it. At this point the firewall reports no problem.
  • The proxy finishes retrieving objects but keeps the TCP socket open in case something else needs to be fetched from the same server.
  • After some time with no activity on that connection, the firewall assumes the socket is no longer in use and removes it from its state table.
  • The proxy needs to request a new object from the same server and sends the request on the socket it already has open.
  • The firewall drops the packet and reports that the first packet in the sequence was not a SYN (an 'out of state' packet).

Both devices are working as intended here; this is not specifically a proxy issue or a firewall issue, but a mismatch of settings. The fix is to align the two idle timeouts so that the ProxySG gives up a persistent server connection before the firewall forgets it, that is, the ProxySG's persistent timeout should be lower than the firewall's TCP idle timeout. With the two values exactly equal, which side times out first is a race, so leave a margin.
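The sequence above, modelled as an added example (not code from the article or from Broadcom): a stateful firewall that ages out idle flows, and a proxy connection pool that re-uses a persistent server connection until its own idle timer fires. The timeout values, request times and origin name are constructed inputs; the point is to watch the non-SYN reuse packet being dropped when the proxy's timeout exceeds the firewall's, and the clean close-and-reopen when it is lower.

```python
"""Toy model of a stateful firewall between a proxy and an origin server.

Added illustration, not ProxySG code. Times are seconds; all values below are
constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """Stateful firewall: remembers a TCP flow only while it sees traffic."""
    idle_timeout: float                          # silence before the entry is purged
    table: dict = field(default_factory=dict)    # flow -> time of last packet seen
    drops: list = field(default_factory=list)    # (flow, time, reason)

    def packet(self, flow, t, syn=False, fin=False):
        """Return True if the packet is allowed, False if dropped as out of state."""
        last = self.table.get(flow)
        if last is not None and t - last >= self.idle_timeout:
            del self.table[flow]                 # entry aged out: flow is now unknown
            last = None
        if last is None and not syn:
            # unknown flow and the packet is not a handshake: the classic
            # "first packet in sequence is not SYN" drop
            self.drops.append((flow, t, "first packet in sequence is not SYN"))
            return False
        if fin:
            self.table.pop(flow, None)           # socket closed: forget it promptly
        else:
            self.table[flow] = t
        return True


@dataclass
class ProxyPool:
    """Proxy keeping one persistent server connection per origin."""
    persistent_timeout: float                    # proxy-side idle limit for server sockets
    firewall: Firewall
    conns: dict = field(default_factory=dict)    # server -> (flow, last_used)
    next_port: int = 40000                       # constructed ephemeral port counter

    def _open(self, server, t):
        self.next_port += 1
        flow = ("proxy", self.next_port, server, 80)
        self.firewall.packet(flow, t, syn=True)  # 3-way handshake starts with SYN
        self.conns[server] = (flow, t)
        return flow

    def fetch(self, server, t):
        """Issue a request at time t; report how the connection was obtained."""
        entry = self.conns.get(server)
        if entry is not None:
            flow, last_used = entry
            close_at = last_used + self.persistent_timeout
            if close_at <= t:
                # the proxy's own idle timer fired earlier, at close_at, and it
                # sent a FIN then (evaluated lazily here, at the proxy's timestamp)
                self.firewall.packet(flow, close_at, fin=True)
                del self.conns[server]
            elif self.firewall.packet(flow, t):
                self.conns[server] = (flow, t)   # reuse accepted by the firewall
                return "reused"
            else:
                del self.conns[server]           # reuse dropped as out of state
                return "dropped"
        self._open(server, t)
        return "new"


def simulate(proxy_timeout, fw_timeout, request_times, server="origin.example"):
    """Run a request sequence; return (per-request outcome, firewall drop records)."""
    fw = Firewall(fw_timeout)
    pool = ProxyPool(proxy_timeout, fw)
    outcomes = [pool.fetch(server, t) for t in request_times]
    return outcomes, fw.drops


if __name__ == "__main__":
    times = [0, 10, 400, 401]   # constructed: two quick requests, a long idle gap, a retry
    for proxy_to in (900, 120):
        out, drops = simulate(proxy_to, fw_timeout=300, request_times=times)
        print(f"proxy timeout {proxy_to}s, firewall idle 300s: {out}, "
              f"{len(drops)} out-of-state drop(s)")
```

With the proxy's timeout (900 s) above the firewall's (300 s), the request after the idle gap is sent on a connection the firewall has already forgotten and is dropped, after which the proxy has to open a fresh socket anyway. With the proxy's timeout below the firewall's, the proxy's FIN arrives while the firewall still holds state, the entry is closed cleanly and the next request starts with a SYN, so nothing is logged as out of state.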

In most cases only the server-side persistence timeout needs to be adjusted, because the firewall generally sits between the proxy and the Internet, not between the clients and the proxy. To adjust how long the ProxySG keeps sockets open with servers, run the following commands on the ProxySG CLI, where <value> is the timeout in seconds:

enable
configure terminal
http persistent-timeout server <value>

Lowering the value means fewer connections are re-used, so it costs a little performance; it is therefore best to raise the firewall's TCP idle timeout first. If that is not possible, lowering the ProxySG's timeout below the firewall's is the remaining solution.