https://live.paloaltonetworks.com/t5/general-topics/palo-alto-deny-all-policy-reason-non-syn-tcp/m-p/133396#M47209 <P>Hi,</P><P>&nbsp;</P><P>We realised our PA in version 7.0.6 is having any issue with the traffic. We see many traffic being dropped by DENY all rule (the last rule in the rule set). Looking in application we see "non-syn-tcp" in all the connections.&nbsp;</P><P>&nbsp;</P><P>These denies connections always ocurrs each 30 minutes. For example: 4.01pm, 4.31pm, 5<SPAN>.01pm, 5.31pm.</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="logs.JPG" style="width: 396px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6953i8749BF167ECD2D88/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="logs.JPG" alt="logs.JPG" /></span></P><P>&nbsp;</P><P>we have disabled tcp syn reject in global, but its configured in zones too. why is happening this???? its quite weird each 30 minutes we see these denies.</P> Sun, 18 Dec 2016 17:46:14 GMT soporteseguridad 2016-12-18T17:46:14Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-deny-all-policy-reason-non-syn-tcp/m-p/133396#M47209 <P>Hi,</P><P>&nbsp;</P><P>We realised our PA in version 7.0.6 is having any issue with the traffic. We see many traffic being dropped by DENY all rule (the last rule in the rule set). Looking in application we see "non-syn-tcp" in all the connections.&nbsp;</P><P>&nbsp;</P><P>These denies connections always ocurrs each 30 minutes. For example: 4.01pm, 4.31pm, 5<SPAN>.01pm, 5.31pm.</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="logs.JPG" style="width: 396px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6953i8749BF167ECD2D88/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="logs.JPG" alt="logs.JPG" /></span></P><P>&nbsp;</P><P>we have disabled tcp syn reject in global, but its configured in zones too. why is happening this???? its quite weird each 30 minutes we see these denies.</P> Sun, 18 Dec 2016 17:46:14 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-deny-all-policy-reason-non-syn-tcp/m-p/133396#M47209 soporteseguridad 2016-12-18T17:46:14Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-deny-all-policy-reason-non-syn-tcp/m-p/133406#M47212 A non-syn-tcp drop occurs when a packet is received that is not a syn and also does not match an existing session (since a syn would start a new session)<BR /><BR />This is most commonly caused my asymmetric traffic where client-server packets follow a different route than the server-client packets<BR /><BR />So you will want to find the reason for these flows and try to fix them as this is not a firewall issue<BR />There may be a need for U-turn NAT <A href="https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Configure-U-Turn-NAT/ta-p/65081" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Configure-U-Turn-NAT/ta-p/65081</A> Sun, 18 Dec 2016 21:24:33 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-deny-all-policy-reason-non-syn-tcp/m-p/133406#M47212 reaper 2016-12-18T21:24:33Z