App id “Non-syn-tcp”

Reply
L2 Linker

App id “Non-syn-tcp”

I see a lot of non- syn-tcp from from few specific zone. I am sure that there is no asymmetric routing. If that has to be the case how to determine exact causing factor.

Thanks
L7 Applicator

Re: App id “Non-syn-tcp”

Hello,

Look at the source/destination. Hopefully that will give you insight. I know my external interface gets then when people are probing for weak spots, etc.

 

Hope that helps.

L2 Linker

Re: App id “Non-syn-tcp”

That would definitely help if its basically  comming from an untrusted/external internet facing interafce but the problem here is its comming from trusted direct connect link.  In addition this traffic is being dropped due to non -syn tcp so had to allow non-syn tcp for this specific zone. which is a serious security concern.

At the end we are still puzzled why is there non-syn -tcp traffic in the first place?
Any thoughts are welcome

thanks

Highlighted
L5 Sessionator

Re: App id “Non-syn-tcp”

It can only be asymmetric routing or someone deliberately probing your network.

If you had to allow this in order to get your deisred connections to work then it's definitelly some asymetry in your network.

 

To debug: find a TCP connection (source and destination IP addresses, source and destination port). Let's say 1.1.1.1:43500 -> 2.2.2.2:443 (https).

Check the logs for SYN packet: source 1.1.1.1, dst 2.2.2.2, dst port 443. Now check ingress and egress interface for this.

Then check the logs for SYN-ACK packet; src.port 443, dst.port 43500, dst 1.1.1.1. Now check ingress and egress interface for this.

 

That should give you a clear picture of packet flow and prove the asymmetric routing. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!