topic App id “Non-syn-tcp” in General Topics

App id “Non-syn-tcp”

Sanssj — Fri, 05 Oct 2018 13:27:46 GMT

I see a lot of non- syn-tcp from from few specific zone. I am sure that there is no asymmetric routing. If that has to be the case how to determine exact causing factor.

Thanks

Re: App id “Non-syn-tcp”

OtakarKlier — Fri, 05 Oct 2018 13:52:59 GMT

Hello,

Look at the source/destination. Hopefully that will give you insight. I know my external interface gets then when people are probing for weak spots, etc.

Hope that helps.

Re: App id “Non-syn-tcp”

Sanssj — Fri, 02 Nov 2018 02:44:56 GMT

That would definitely help if its basically comming from an untrusted/external internet facing interafce but the problem here is its comming from trusted direct connect link. In addition this traffic is being dropped due to non -syn tcp so had to allow non-syn tcp for this specific zone. which is a serious security concern.

At the end we are still puzzled why is there non-syn -tcp traffic in the first place?
Any thoughts are welcome

thanks

Re: App id “Non-syn-tcp”

santonic — Fri, 02 Nov 2018 09:37:47 GMT

It can only be asymmetric routing or someone deliberately probing your network.

If you had to allow this in order to get your deisred connections to work then it's definitelly some asymetry in your network.

To debug: find a TCP connection (source and destination IP addresses, source and destination port). Let's say 1.1.1.1:43500 -> 2.2.2.2:443 (https).

Check the logs for SYN packet: source 1.1.1.1, dst 2.2.2.2, dst port 443. Now check ingress and egress interface for this.

Then check the logs for SYN-ACK packet; src.port 443, dst.port 43500, dst 1.1.1.1. Now check ingress and egress interface for this.

That should give you a clear picture of packet flow and prove the asymmetric routing.