App id “Non-syn-tcp”

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

App id “Non-syn-tcp”

L2 Linker
I see a lot of non- syn-tcp from from few specific zone. I am sure that there is no asymmetric routing. If that has to be the case how to determine exact causing factor.

Thanks
3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

Look at the source/destination. Hopefully that will give you insight. I know my external interface gets then when people are probing for weak spots, etc.

 

Hope that helps.

That would definitely help if its basically  comming from an untrusted/external internet facing interafce but the problem here is its comming from trusted direct connect link.  In addition this traffic is being dropped due to non -syn tcp so had to allow non-syn tcp for this specific zone. which is a serious security concern.

At the end we are still puzzled why is there non-syn -tcp traffic in the first place?
Any thoughts are welcome

thanks

It can only be asymmetric routing or someone deliberately probing your network.

If you had to allow this in order to get your deisred connections to work then it's definitelly some asymetry in your network.

 

To debug: find a TCP connection (source and destination IP addresses, source and destination port). Let's say 1.1.1.1:43500 -> 2.2.2.2:443 (https).

Check the logs for SYN packet: source 1.1.1.1, dst 2.2.2.2, dst port 443. Now check ingress and egress interface for this.

Then check the logs for SYN-ACK packet; src.port 443, dst.port 43500, dst 1.1.1.1. Now check ingress and egress interface for this.

 

That should give you a clear picture of packet flow and prove the asymmetric routing. 

  • 5459 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!