
[ScreenOS] Session opened on the client and the server is sending non-syn packets causing the firewall to drop packets due to no existing sessions


Article ID: KB21981 | Last Updated: 13 Jun 2013 | Version: 2.0
Summary:
This article describes why a firewall drops packets with the reason "no existing session": the TCP session is still open on the client and the server, so they send non-SYN segments, but the firewall no longer holds a session for that flow and, with SYN check enabled, will not create one from a mid-stream packet.
Symptoms:
A customer reports that an application can no longer connect to its server. A flow debug on the firewall shows non-SYN TCP data packets arriving for which no session exists; the firewall drops them, logging that no existing session was found and that the packet was dropped because the 'first pak not sync'.

Disabling TCP SYN check and sequence check (in ScreenOS, `unset flow tcp-syn-check`) makes the symptom go away, because the firewall then creates a session from the mid-stream packet. Note that this is a workaround, not a fix: it removes the protection those checks provide against packets that never belonged to a legitimate handshake.

This can occur in the following scenarios:
  1. When the session is cleared manually on the firewall. The client application and the server are not aware that the session has been removed; they keep retransmitting data segments on a connection that, from their point of view, is still established.

  2. When the client, the server and the firewall use different idle timeouts for the same protocol. For example, the TCP idle timeout on the hosts is 1 hour, but the firewall's TCP session timeout is 30 minutes (the ScreenOS default). After 30 minutes of inactivity the firewall removes the session, while the client and server still consider the connection open and may resume sending data on it.

Cause:
The firewall's session table and the endpoints' TCP state have diverged: the endpoints hold an established connection, but the firewall has no matching session (it was cleared or aged out). With TCP SYN check enabled, only a SYN segment can create a new session, so the non-SYN segments from the endpoints are dropped as "first pak not syn".

Solution:
Make sure the `set zone zone_name tcp-rst` command is enabled on the zone from which the non-SYN packets arrive. With it enabled, when the firewall receives a non-SYN segment for a non-existing session it drops the segment, sends a TCP RST to the initiator so that it tears down the stale connection and re-establishes it with a new SYN, and does not create a new session from the stray segment. (If the device does not send a RST, the initiator keeps retransmitting the same TCP segment until the connection attempt times out.) Alternatively, clear the session manually on the client and the server so that they reconnect with a fresh handshake.
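The following is an added example, not part of the original article or of ScreenOS: a small Python model of a stateful firewall session table with SYN check and a per-zone tcp-rst option, driven by a client whose idle timer is longer than the firewall's. It reproduces both scenarios above (an operator clearing the session, and the 30-minute firewall timeout versus a 1-hour host timeout) and shows how the client behaves with and without the RST. The addresses, the timeout values and the "first pak not syn" log text are assumptions chosen to mirror the article; the class and function names are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment: endpoints, flags and an optional payload."""
    src: str
    dst: str
    flags: frozenset          # subset of {"SYN", "ACK", "RST"}
    payload: str = ""


@dataclass
class Session:
    last_seen: float          # seconds; refreshed by every packet that matches


class Firewall:
    """Stateful TCP session table with ScreenOS-like SYN check and tcp-rst.

    Assumptions (not ScreenOS code): 1800 s idle timeout, a flow keyed only
    on the two addresses, and a log string modelled on the debug output.
    """

    def __init__(self, tcp_timeout=1800.0, syn_check=True, tcp_rst=False):
        self.tcp_timeout = tcp_timeout   # 30 min, the ScreenOS default for TCP
        self.syn_check = syn_check       # 'set flow tcp-syn-check'
        self.tcp_rst = tcp_rst           # 'set zone <zone> tcp-rst'
        self.sessions = {}               # {(addr_a, addr_b): Session}
        self.log = []

    @staticmethod
    def _key(seg):
        return tuple(sorted((seg.src, seg.dst)))

    def _expire(self, now):
        """Age out sessions idle for at least tcp_timeout seconds."""
        for key, sess in list(self.sessions.items()):
            if now - sess.last_seen >= self.tcp_timeout:
                del self.sessions[key]
                self.log.append(f"t={now:.0f} session {key} aged out")

    def handle(self, seg, now):
        """Return (verdict, reply); reply is a RST segment or None."""
        self._expire(now)
        key = self._key(seg)
        if key in self.sessions:
            self.sessions[key].last_seen = now
            return "forward", None
        is_syn = "SYN" in seg.flags and "ACK" not in seg.flags
        if is_syn or not self.syn_check:
            # A SYN always opens a session; with SYN check disabled any
            # mid-stream packet does too (the workaround, and its weakness).
            self.sessions[key] = Session(last_seen=now)
            return "forward", None
        self.log.append(f"t={now:.0f} drop: first pak not syn {seg.src}->{seg.dst}")
        if self.tcp_rst:
            return "drop", Segment(seg.dst, seg.src, frozenset({"RST"}))
        return "drop", None


class Client:
    """Endpoint with its own idle timer; it learns the firewall's state only via RST."""

    def __init__(self, addr, server, idle_timeout=3600.0):
        self.addr, self.server, self.idle_timeout = addr, server, idle_timeout
        self.connected = False
        self.last_activity = None

    def send(self, fw, now, payload):
        if self.connected and now - self.last_activity < self.idle_timeout:
            seg = Segment(self.addr, self.server, frozenset({"ACK"}), payload)
        else:                      # (re)connect with a fresh handshake
            self.connected = True
            seg = Segment(self.addr, self.server, frozenset({"SYN"}))
        self.last_activity = now
        verdict, reply = fw.handle(seg, now)
        if reply is not None and "RST" in reply.flags:
            self.connected = False  # tear down so the next send is a SYN
        return seg, verdict, reply


def run_scenario(tcp_rst, syn_check=True, operator_clears=False):
    """Return a trace of (time, flags, verdict, reply) for one client flow."""
    fw = Firewall(syn_check=syn_check, tcp_rst=tcp_rst)
    client = Client("10.1.1.10", "192.0.2.20")   # constructed sample addresses
    trace = []

    def step(now, payload):
        seg, verdict, reply = client.send(fw, now, payload)
        trace.append((now, "+".join(sorted(seg.flags)), verdict, "RST" if reply else None))

    step(0, "")          # handshake: session created on the firewall
    step(1, "GET")       # data on the established session: forwarded
    if operator_clears:
        fw.sessions.clear()   # scenario 1: 'clear session' run on the firewall
        later = 5
    else:
        later = 2000          # scenario 2: 33 min idle, past the 30 min firewall timeout
    step(later, "GET")        # hosts still think the connection is open
    step(later + 1, "GET")    # retransmission, or a new SYN if a RST arrived
    return trace, fw.log


if __name__ == "__main__":
    for rst in (False, True):
        trace, log = run_scenario(tcp_rst=rst)
        print(f"tcp-rst={rst}:", trace, log)
```

Without tcp-rst the client retransmits ACK data segments that are dropped every time; with tcp-rst the first stray segment is answered with a RST and the client's next segment is a SYN, which opens a new session. Running with `syn_check=False` shows the workaround: the mid-stream ACK itself opens a session, which is exactly the behaviour SYN check exists to prevent.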



