• Alerts
  • TCP packet out of state

TCP packet out of state

Alert Headline:

TCP packets dropped due to “out of state” error

Description:

Some TCP packets, and therefore connections, are being dropped due to an invalid state. In the firewall logs these appear as “TCP packet out of state”. The list of affected connections is below. The firewall keeps a state table that is used to ensure TCP connections are tracked from beginning (SYN) to end. It is possible for a connection that used to appear in that table to no longer appear in it.

Indeni will re-check this alert every 1 minute. If indeni will determine the issue has been resolved it will automatically be flagged as such.

Affected TCP Connections:

  • src: 192.168.10.14 dst: 10.3.1.81, service: (TCP 22)
  • src: 192.168.10.10 dst: 10.3.1.81, service: (TCP 5000)
  • src: 10.3.1.81 dst: 10.3.1.75, service: (TCP 41983)
  • src: 192.168.10.10 dst: 10.3.1.81, service: (TCP 443)
  • src: 192.168.10.10 dst: 10.3.1.81, service: (TCP 22)
  • src: 10.3.1.81 dst: 10.3.1.75, service: (TCP 36931)
  • src: 10.3.1.81 dst: 10.3.1.75, service: (TCP 33356)

Manual Remediation Steps:
There are multiple known causes:

  • Asymmetric routing: one direction of the connection is flowing through this firewall and another through a different firewall (not part of the same cluster).
  • The connection does not comply with the TCP standard or an attack is being attempted.
  • The connection was inactive for more than the TCP idle connection timeout (default 3600 seconds for Check Point firewalls). To resolve this, you may increase the TCP connection timeout. A better solution, however, would be to contact the developers of the application using the connection and have them implement a keep-alive in the connection to avoid a timeout. This latter option will ensure the application is in better compliance with complex network equipment and would help avoid increasing the TCP connection timeout which may result in the connection table filling up. Aggressive aging is removing TCP connections.

BlueCat to acquire LiveAction

BlueCat adds LiveAction’s network observability and intelligence platform, which helps large enterprises optimize the performance, resiliency, and security of their networks.