Description
One of the main features of Check Point Firewalls is stateful inspection. A packet is typically dropped as ‘out-of-state’ when a non-SYN packet arrives for inspection and does not match an existing ESTABLISHED connection.
In a nutshell, when a session is opened (SYN), it has by default around 25 seconds after the SYN packet is received to finish the 3-way handshake (SYN, SYN-ACK, ACK) and open the connection.
After the connection is open, the default TCP session timeout is 3600 seconds (1 hour); when this timeout expires, the session is automatically removed from the connection table.
Regardless of whether a session is terminated by an RST or FIN packet or naturally times out, all connections have a default 20-second ‘End Timeout’ to allow trailing FIN / FIN-ACK packets to be received.
In some cases, we can clearly see that some of these ‘trailing’ FIN-ACK packets arrived at the firewall AFTER the ‘End Timeout’ expired.
The typical cause for this is not necessarily asymmetric routing; rather, the application sending the FIN packet may not be RFC compliant, or something at the application/networking level is delaying this packet so that it arrives after the session has timed out.
A workaround is to increase the “TCP end timeout” in Global Properties within SmartConsole, under the “Stateful Inspection” section, and push policy.
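The timer behaviour described above, as an added example (not Check Point code and not part of the original article): a simplified model of one connection-table entry that shows why a late FIN-ACK is dropped with the default End Timeout and accepted once the timeout is raised. The state names, the `inspect` function, the rule that trailing packets do not restart the End Timeout, and the packet trace are assumptions constructed for illustration.

```python
# Simplified model of the timers described above; not Check Point's code.
SYN_TIMEOUT = 25        # seconds allowed to finish SYN, SYN-ACK, ACK
SESSION_TIMEOUT = 3600  # idle lifetime of an established TCP session
END_TIMEOUT = 20        # grace period for trailing FIN / FIN-ACK packets

def inspect(packets, end_timeout=END_TIMEOUT):
    """Return one verdict per (time_seconds, flags) packet of a connection."""
    state, deadline = "NONE", 0.0
    verdicts = []
    for t, flags in packets:
        bits = set(flags.split("-"))
        # An idle established session expires, then gets the end timeout.
        if state == "ESTABLISHED" and t > deadline:
            state, deadline = "CLOSING", deadline + end_timeout
        # Any entry whose timer has run out leaves the connection table.
        if state != "NONE" and t > deadline:
            state = "NONE"
        if state == "NONE":
            if bits != {"SYN"}:
                verdicts.append("drop: out-of-state")
                continue
            state, deadline = "HANDSHAKE", t + SYN_TIMEOUT
        elif state == "HANDSHAKE" and bits == {"ACK"}:
            state, deadline = "ESTABLISHED", t + SESSION_TIMEOUT
        elif state == "ESTABLISHED":
            if bits & {"FIN", "RST"}:
                state, deadline = "CLOSING", t + end_timeout
            else:
                deadline = t + SESSION_TIMEOUT
        # CLOSING: trailing packets pass, but the timer is not extended
        # (an assumption of this model).
        verdicts.append("accept")
    return verdicts

# Constructed trace: the peer's FIN-ACK arrives 25 s after the first FIN-ACK.
TRACE = [(0.0, "SYN"), (0.1, "SYN-ACK"), (0.2, "ACK"), (5.0, "PSH-ACK"),
         (10.0, "FIN-ACK"), (10.1, "ACK"), (35.0, "FIN-ACK")]

if __name__ == "__main__":
    for limit in (END_TIMEOUT, 60):
        print(f"end timeout {limit:>2}s:", inspect(TRACE, limit)[-1])
```

The 60-second value is only a sample; the right value depends on how late the trailing packets actually arrive in your capture.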
During the issue, you can also collect a traffic capture using the below syntax to prove we’re not getting a SYN packet but an RST-ACK.