
Welcome to ISAserver.org


A bunch of non-SYN packet drops

A bunch of non-SYN packet drops - 20.Aug.2012 12:19:47 PM   
savvento

 

Posts: 8
Joined: 20.Oct.2011
Status: offline
I'm noticing a lot of non-SYN packet drops on my TMG. It looks like users are making connections from internal to external websites. When the connection is ending the user logs out of the site and closes the browser. The internal box sends a FIN to the external site. The TMG passes the FIN and closes the connection, but the external site responds with a FIN ACK. This FIN ACK is being seen by the TMG and blocked as "A non-SYN packet" (even though it was in fact part of a legit connection). This causes the website to re-transmit the FIN ACK continuously...approximately 60,000 in an hour from one external site (Awesome!).

This behaviour seems to happen when users try to log in to an external HTTPS site. Does anyone have any insight as to what might be going on or how to fix the issue?
Post #: 1
RE: A bunch of non-SYN packet drops - 22.Aug.2012 4:36:48 PM   
fadedcrimson

 

Posts: 4
Joined: 22.Aug.2012
Status: offline
It sounds like a problem with the website. There shouldn't be any reason for the website to continually retransmit the FIN ACK unless the TCP stream is seeing it as a missing packet and is continuing to retransmit the packet.

Then again, though, even if it was causing the packet to be retransmitted, it should stop trying to retransmit the packet and drop the connection eventually. Or is the 60,000 number happening because of continual logoffs from users and not just a single connection?

(in reply to savvento)
Post #: 2
RE: A bunch of non-SYN packet drops - 23.Aug.2012 6:30:53 AM   
savvento

 

Posts: 8
Joined: 20.Oct.2011
Status: offline
There are about 10 users that use that site from within the network. So it can't be from continual logoffs.

I think there is an issue with the website but the TMG still shouldn't close the session until the TCP connection closes correctly.

Thanks for your response.

(in reply to fadedcrimson)
Post #: 3
RE: A bunch of non-SYN packet drops - 23.Aug.2012 8:57:28 AM   
fadedcrimson

 

Posts: 4
Joined: 22.Aug.2012
Status: offline
Have you thought about installing Wireshark to see if you can trace what is happening to the TCP connection?

The way TMG is acting is that it doesn't see the FIN ACK as part of the TCP connection and it is dropping it, probably thinking that it's a FIN scan.

Does this happen with any other websites or just this one in particular?

(in reply to savvento)
Post #: 4
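
Added example, not part of the original thread and not TMG's own code: a simplified Python model of the teardown described in the first post, comparing a filter that discards connection state on the first FIN with one that keeps it until both sides have sent FIN and the last ACK has passed. The names `StatefulFilter` and `simulate_close`, the retry count, and the packet sequence are assumptions constructed for illustration.

```python
class StatefulFilter:
    """Toy single-connection state table for an outbound TCP session."""

    def __init__(self, drop_state_on_first_fin):
        self.drop_state_on_first_fin = drop_state_on_first_fin
        self.tracked = False      # True while a connection entry exists
        self.fins_seen = set()    # directions that have sent a FIN

    def check(self, direction, flags):
        if not self.tracked:
            # Without an entry, only an outbound SYN may create one.
            if direction == "out" and flags == {"SYN"}:
                self.tracked, self.fins_seen = True, set()
                return "allow"
            return "drop non-SYN"
        if "FIN" in flags:
            self.fins_seen.add(direction)
            if self.drop_state_on_first_fin:
                self.tracked = False          # entry removed too early
        elif self.fins_seen == {"out", "in"}:
            self.tracked = False              # final ACK of an orderly close
        return "allow"


def simulate_close(drop_state_on_first_fin, site_retries=5):
    """Replay a constructed session; return the filter verdict per packet."""
    fw = StatefulFilter(drop_state_on_first_fin)
    handshake_and_fin = [
        ("out", {"SYN"}), ("in", {"SYN", "ACK"}), ("out", {"ACK"}),
        ("out", {"FIN", "ACK"}),              # internal client closes
    ]
    log = [fw.check(d, f) for d, f in handshake_and_fin]
    # The site answers with FIN+ACK and retransmits until it is ACKed.
    for _ in range(1 + site_retries):
        verdict = fw.check("in", {"FIN", "ACK"})
        log.append(verdict)
        if verdict == "allow":
            log.append(fw.check("out", {"ACK"}))  # client got it and ACKs
            break
    return log


if __name__ == "__main__":
    for early in (True, False):
        print("drop state on first FIN:", early, simulate_close(early))
```

In a packet capture taken on both sides of the firewall, the first case shows up as repeated inbound FIN+ACK segments with no matching ACK from the internal host.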
