Respond to Not a Valid SYN Packet log messages
Logs that contain “Not a Valid SYN Packet” messages indicate that packets were discarded due to connection tracking.
Problem description: The “Not a Valid SYN Packet” message appears in logs with entries on discarded packets.
Reason: “Not a Valid SYN Packet” is a TCP packet that is not the first packet of a TCP connection (the packet does not have the SYN flag set), but is not part of an existing connection either (there is no connection tracking entry on the Firewall matching this packet). The policy would allow this packet if the packet was part of an existing tracked connection.
The message usually also contains a code inside square brackets that indicates the flags set in the discarded packet (A=Ack, F=FIN, R=RST, P=Push, S=SYN).
Some examples of situations, where “Not a Valid SYN packet” messages can be seen:
- Asymmetric routing, which means that the opening packet does not go through the Firewall, but the reply (the SYN/ACK) does. Asymmetric routing can indicate that there is a configuration error in the routing of the surrounding network that must be fixed.
- Connections that are idle for more than the defined connection timeout (connection has been erased from the Firewall records). If necessary, you can increase the timeout.
- Connections that have been made to look like TCP connections even though they are not. If necessary, you can allow these connections as individual packets without connection tracking.
- Network scans or attacks that use ACK packets.
- Heavily loaded server or client that sends a packet after the host at the other end of the connection has already timed out and closed the connection.
It is normal to see some messages like this in the logs. If a certain type of communication that you want to allow is always prevented because of connection tracking, check these troubleshooting steps.