SYN ACK RST Loop on inside and SYN ACK only - source port re-use - hung session

L1 Bithead

I have had this happen twice so far, I am wondering how others have solved for it.


Host A -> Palo Alto -> Host B


Host A cycles through its source ports frequently, every couple of minutes.

Host B has long or no TCP keepalive timers.


Host A, src port X, connects to Host B on port 443.

Host A has an issue (reboots, loses power, app crashes, etc.), but it does NOT close the session. Host B still shows the connection in netstat.


Host A, src port X, tries to connect to Host B on port 443. Host B responds with an ACK; this is per RFC. That ACK is passed back to Host A, and Host A responds to the ACK with a RST. The firewall drops the reset, and the connection is stuck. Every time the host cycles back around to that source port, it never clears.


Looking on the firewall on the A side, all I see is

Syn ->

<- ACK


for about 6 tries from the host on this source port; then it moves on until it gets back around to this port and does it again and again. No way to clear it.


On the B side, I see this

Syn ->

<- ACK

No reset, the firewall is eating the reset.


I tried putting a deny rule in with reset in both directions, but it only resets on the A side.

Clearing the session in the session table does not work.


I have tried to spoof reset packets and they are not getting through the firewall.


The only thing I have been able to do is have the server guy either clear the session or reboot it if they don't have the capability to clear a stale session, and ask them to turn on keepalives to try to prevent it, but this does not seem right.


This site shows exactly what is happening.


So, I am reaching out to the Live forum for help. 


Is there a way to generate a reset from the Palo Alto in this scenario (an hping3-type command)?

Is there a way to allow that reset from Host A through the firewall (maybe turn off state inspection)? Can you turn off state inspection for just one src/dst pair?
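The exchange described above, as an added example that is not part of the original post and not PAN-OS code: a constructed model of Host A, Host B and a stateful firewall that reproduces the loop (SYN, bare ACK back, RST dropped, stale connection never cleared) and then shows what changes when the firewall is allowed to pass the RST for a session whose handshake it has not seen complete. The Firewall class is an assumed, simplified session table written to match the symptoms in the post; it is not a description of how PAN-OS actually handles these segments. IPs, ports and sequence numbers are made up.

```python
"""Constructed model of the stuck-session loop: Host A reuses a source port
while Host B still holds the old connection as ESTABLISHED, B answers the new
SYN with a bare ACK carrying its current numbers (RFC 793 behaviour for a SYN
on an established connection, the "challenge ACK" of RFC 5961), A answers that
ACK with a RST, and a stateful firewall drops the RST as out of state.
Assumption: the Firewall below is a simplified session table that reproduces
the symptoms in the post, not a model of PAN-OS internals."""
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int = 0
    ack: int = 0

    def reply(self, flags, seq, ack):
        """Build a segment travelling in the reverse direction of this one."""
        return Seg(self.dst, self.dport, self.src, self.sport, frozenset(flags), seq, ack)


@dataclass
class Conn:
    snd_nxt: int
    rcv_nxt: int
    state: str = "ESTABLISHED"


class HostB:
    """Server side. No keepalive, so a dead peer's connection never ages out."""
    def __init__(self, ip):
        self.ip, self.conns = ip, {}

    def receive(self, s):
        key, c = (s.src, s.sport), self.conns.get((s.src, s.sport))
        if SYN in s.flags and c is None:              # fresh connection: SYN-ACK
            self.conns[key] = Conn(snd_nxt=7001, rcv_nxt=s.seq + 1, state="SYN_RCVD")
            return s.reply({SYN, ACK}, 7000, s.seq + 1)
        if SYN in s.flags and c is not None:          # SYN on an existing conn: bare ACK
            return s.reply({ACK}, c.snd_nxt, c.rcv_nxt)
        if RST in s.flags and c is not None and s.seq == c.rcv_nxt:
            del self.conns[key]                       # exact-sequence RST tears it down
        elif ACK in s.flags and c is not None and c.state == "SYN_RCVD" and s.ack == c.snd_nxt:
            c.state = "ESTABLISHED"                   # third packet of the handshake
        return None


class HostA:
    """Client side. It rebooted, so it has no memory of the old connection."""
    def __init__(self, ip):
        self.ip, self.isn, self.established = ip, 100000, False

    def syn(self, sport, dst, dport):
        self.isn += 100000                            # new ISN for each attempt
        return Seg(self.ip, sport, dst, dport, frozenset({SYN}), self.isn, 0)

    def receive(self, s):
        if s.flags == {SYN, ACK} and s.ack == self.isn + 1:   # handshake completes
            self.established = True
            return s.reply({ACK}, s.ack, s.seq + 1)
        if ACK in s.flags and SYN not in s.flags:     # bare ACK in SYN-SENT: RST, seq = its ACK
            return s.reply({RST}, s.ack, 0)
        return None


class Firewall:
    """Assumed rule: a RST only passes for a session whose handshake the firewall
    saw complete, unless pass_rst_while_opening is set."""
    def __init__(self, pass_rst_while_opening=False):
        self.sessions, self.dropped = {}, []
        self.pass_rst_while_opening = pass_rst_while_opening

    def forward(self, s):
        k = frozenset({(s.src, s.sport), (s.dst, s.dport)})
        state = self.sessions.get(k)
        if SYN in s.flags and ACK not in s.flags:     # a SYN (re)creates the session
            self.sessions[k] = "OPENING"
            return True
        if state is None:                             # no session: drop
            self.dropped.append(s)
            return False
        if s.flags == {SYN, ACK}:
            self.sessions[k] = "ESTABLISHED"
            return True
        if RST in s.flags and state != "ESTABLISHED" and not self.pass_rst_while_opening:
            self.dropped.append(s)                    # out-of-state RST is eaten
            return False
        return True


def simulate(attempts, pass_rst_while_opening=False):
    """Return (outcome per attempt, whether B still holds the stale connection)."""
    a, b, fw = HostA("10.0.0.10"), HostB("10.0.0.20"), Firewall(pass_rst_while_opening)
    stale = Conn(snd_nxt=555, rcv_nxt=444)           # left over from before A died
    b.conns[(a.ip, 50000)] = stale
    outcomes = []
    for _ in range(attempts):
        a.established = False
        pkt = a.syn(50000, b.ip, 443)
        while pkt is not None:
            if not fw.forward(pkt):
                outcomes.append("/".join(sorted(pkt.flags)) + " dropped by firewall")
                break
            pkt = (b if pkt.dst == b.ip else a).receive(pkt)
        else:
            outcomes.append("established" if a.established else "handshake not completed")
    return outcomes, b.conns.get((a.ip, 50000)) is stale


if __name__ == "__main__":
    print(simulate(3))                                # stuck: RST dropped every attempt
    print(simulate(2, pass_rst_while_opening=True))   # RST reaches B, next SYN succeeds
```

With the default rule every retry on port 50000 ends in a dropped RST and the stale connection stays on B; once the RST is allowed through, B tears the old connection down on the first attempt and the next SYN on the same port gets a SYN-ACK and completes. Since A's SYN keeps recreating the firewall session in the opening state, this model also shows why clearing the session table alone changes nothing.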




This post is gold.

I ran into this exact same issue a few weeks ago. There is a very good read on this:


