A customer calls saying that a Load Sharing cluster shows drops with the error "First packet is not SYN". Complete the following sentence. You will recommend:
A. turning off SDF (Sticky Decision Function).
B. switch to Multicast Mode.
C. turning on SDF (Sticky Decision Function).
D. configuring flush and ack.
C
https://sc1.checkpoint.com/documents/R77/CP_R77_ClusterXL_WebAdminGuide/7298.htm
TCP Out-of-State Error Messages
When the synchronization mechanism is under load, TCP packet out-of-state error messages may appear in the Information column of SmartView Tracker. This section explains how to resolve each error.
* TCP packet out of state – first packet isn’t SYN tcp_flags: FIN-ACK
* TCP packet out of state – first packet isn’t SYN tcp_flags: FIN-PUSH-ACK
These messages occur when a FIN packet is retransmitted after the connection has been deleted from the connection table. To solve the problem, in the SmartDashboard Global Properties for Stateful Inspection, enlarge the TCP end timeout from 20 seconds to 60 seconds. If necessary, also enlarge the connection table so it won’t fill completely.
* SYN packet for established connection
This message occurs when a SYN is received on an established connection and the sequence verifier is turned off. The sequence verifier is turned off for a non-sticky connection in a cluster (or in SecureXL). Some applications close connections with a RST packet (in order to reuse ports). To solve the problem, enable this behavior for specific ports or for all ports. For example, run the command:
fw ctl set int fw_trust_rst_on_port
This means that the Security Gateway should trust a RST coming from every port, in case a single port is not enough.
C. turning on SDF (Sticky Decision Function).