https://live.paloaltonetworks.com/t5/general-topics/lot-of-non-syn-tcp/m-p/366649#M88735 <P>Hello there!</P> <P>&nbsp;</P> <P>I think you explained the only 2 examples that I could think of.</P> <P>But I also do not think any keep-alive after the 3600 sec would keep a flow open, when the session itself is closed, the application/connection would drop.</P> <P>&nbsp;</P> <P>So are you saying that things are working fine, and you see a bunch of keep alives, or are you saying that the connection is dropped at the 1.5 hour mark, because there is no more session for the FW to inspect?</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 01 Dec 2020 22:43:37 GMT S.Cantwell 2020-12-01T22:43:37Z https://live.paloaltonetworks.com/t5/general-topics/lot-of-non-syn-tcp/m-p/366586#M88727 <P>Hi Experts,</P><P>we have a lot (I mean a LOT :-)) of non-syn-tcp traffic on our PA5220 cluster. The PA is in an enterprise company.&nbsp;</P><P>&nbsp;</P><P>Are we sure that the non-syn-tcp means that there is an asymmetric flow? Let me give you an example:</P><P>&nbsp;</P><P>1) Host A sends a SYN to Host B passing through PA</P><P>2) PA recognize it properly and establish a sessione in its session table</P><P>3) Host B receive that SYN and start the standard comunication.</P><P>&nbsp;</P><P>Host A has its timeout idle session at 3 hours;</P><P>Host B has its timeout idle session at 3 hours;</P><P>Palo Alto has ita timeoute idle TCP session at 1 hour.</P><P>&nbsp;</P><P>After 1.5 hour the host A send a TCP Keep-Alive but on the PA the the session doesn't exist anymore... the timeout was expired.</P><P>So, that flow will be recognized as non-syn-tcp. But it is not an Asymmetric Flow.</P><P>&nbsp;</P><P>Anyway, do you know if there is some other situation where the non-syn-tcp not mean Asymmetric Routing?</P><P>&nbsp;</P><P>Bye!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Dec 2020 17:23:18 GMT https://live.paloaltonetworks.com/t5/general-topics/lot-of-non-syn-tcp/m-p/366586#M88727 paboy1 2020-12-01T17:23:18Z https://live.paloaltonetworks.com/t5/general-topics/lot-of-non-syn-tcp/m-p/366649#M88735 <P>Hello there!</P> <P>&nbsp;</P> <P>I think you explained the only 2 examples that I could think of.</P> <P>But I also do not think any keep-alive after the 3600 sec would keep a flow open, when the session itself is closed, the application/connection would drop.</P> <P>&nbsp;</P> <P>So are you saying that things are working fine, and you see a bunch of keep alives, or are you saying that the connection is dropped at the 1.5 hour mark, because there is no more session for the FW to inspect?</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 01 Dec 2020 22:43:37 GMT https://live.paloaltonetworks.com/t5/general-topics/lot-of-non-syn-tcp/m-p/366649#M88735 S.Cantwell 2020-12-01T22:43:37Z https://live.paloaltonetworks.com/t5/general-topics/lot-of-non-syn-tcp/m-p/366667#M88739 <P>Well non-syn-tcp means the firewall is receiving 'first' packets (ones that don't belong to an existing flow) that are not SYN, so there has not been a proper TCP handshake</P><P>&nbsp;</P><P>this does not mean traffic is asymmetrical, asymmetric routing is just one of the more common causes that the firewall is receiving ACK packets where no session exists</P><P>&nbsp;</P><P>In your further example this is highlighted: session is torn down before either side is actually done talking, causing the firewall to receive an ACK packet for a non-existent session</P><P>This can be solved by editing the application and increasing the lifetime and idle timers to correspond with the expected time between keepalives</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Dec 2020 23:51:07 GMT https://live.paloaltonetworks.com/t5/general-topics/lot-of-non-syn-tcp/m-p/366667#M88739 reaper 2020-12-01T23:51:07Z