Question/Issue:
The SYN flood protection option is enabled for the external interface of the Symantec Enterprise Firewall. TCP connections are unable to properly complete with Netscreen or Checkpoint (NG or version 5 with feature pack 3) firewalls.
Solution:
When SYN flood protection is enabled on an interface, Symantec Enterprise Firewall responds to every SYN packet it receives with a "bogus" or "out of sequence" ACK packet. This forces the sender to reset the connection and send another SYN packet to initiate a new connection. After the new connection is started, TCP traffic flows normally. Certain vendor firewalls and network devices do not handle this response gracefully. For example, the sender might ignore the "bogus" ACK response and send a new SYN packet without sending an RST first.
Symantec Enterprise Firewall does not seem to log anything when this happens, but traffic monitored from the interface using tcpdump shows that this problem is occurring.
Normal response
08:34:16.096268 mail.mydomain.com.34739 > mail.yourdomain.com.smtp: S 1861573500:1861573500(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
08:34:16.166369 mail.yourdomain.com.smtp > mail.mydomain.com.34739: . 2432393795:2432393803(8) ack 1862573500 win 24820 (DF)
08:34:16.176384 mail.mydomain.com.34739 > mail.yourdomain.com.smtp: R 1862573500:1862573500(0) win 24820 (DF)
08:34:19.461149 mail.mydomain.com.34739 > mail.yourdomain.com.smtp: S 1861573500:1861573500(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
08:34:19.471164 mail.yourdomain.com.smtp > mail.symantec.com.34739: S 4052583706:4052583706(0) ack 1861573501 win 8760 <mss 1460> (DF)
08:34:19.481178 mail.mydomain.com.34739 > mail.yourdomain.com.smtp: . ack 1 win 24820 (DF)
08:34:19.531251 mail.yourdomain.com.smtp > mail.mydomain.com.34739: P 1:47(46) ack 1 win 8760 (DF)
Abnormal response
07:56:16.548503 mail.mydomain.com.41357 > mail.yourdomain.com.smtp: S 146052955:146052955(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
07:56:16.689270 mail.yourdomain.com.smtp > mail.mydomain.com.41357: . 4147914340:4147914348 (8) ack 147052955 win 24820 (DF)
07:56:19.903371 mail.mydomain.com.41357 > mail.yourdomain.com.smtp: S 146052955:146052955(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
07:56:19.913385 mail.yourdomain.com.smtp > mail.mydomain.com.41357: . 0:8(8) ack 1 win 24820 (DF)
07:56:26.663178 mail.mydomain.com.41357 > mail.yourdomain.com.smtp: S 146052955:146052955(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
07:56:26.663178 mail.yourdomain.com.smtp > mail.mydomain.com.41357: . 0:8(8) ack 1 win 24820 (DF)
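The following script is an added example, not part of the original Symantec document. It reads tcpdump text in the format shown above and reports, per connection, whether the sender reset after the out-of-sequence ACK or retried its SYN without an RST. The function name, the verdict labels and the sample hosts, ports and sequence numbers are assumptions constructed for illustration.

```python
import re

# Old-style tcpdump text line: "<time> <src> > <dst>: <flags> <rest>"
LINE = re.compile(r"^(\S+) (\S+) > (\S+): (\S+) (.*)$")

def classify_flows(lines):
    """Return {"client > server": verdict} for every flow opened by a SYN."""
    flows = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        _ts, src, dst, flags, rest = m.groups()
        has_ack = re.search(r"\back\b", rest) is not None  # "sackOK" does not match
        if "S" in flags and not has_ack:               # initiator's SYN
            f = flows.setdefault((src, dst), {"await_rst": False, "blind": 0, "synack": False})
            if f["await_rst"]:                         # SYN retried without an RST
                f["blind"] += 1
        elif (src, dst) in flows and "R" in flags:     # initiator reset as expected
            flows[(src, dst)]["await_rst"] = False
        elif (dst, src) in flows:                      # packet from the protected side
            f = flows[(dst, src)]
            if "S" in flags and has_ack:
                f["synack"] = True                     # real SYN/ACK, handshake proceeds
            elif flags == "." and has_ack and not f["synack"]:
                f["await_rst"] = True                  # out-of-sequence ACK before any SYN/ACK
    return {f"{c} > {s}": "completed" if f["synack"] else "stalled" if f["blind"] else "pending"
            for (c, s), f in flows.items()}

# Constructed sample captures (hosts, ports and sequence numbers are made up).
NORMAL = """\
10:00:00.000001 client.example.40001 > mx.example.smtp: S 1000:1000(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
10:00:00.070000 mx.example.smtp > client.example.40001: . 5000:5008(8) ack 1001000 win 24820 (DF)
10:00:00.080000 client.example.40001 > mx.example.smtp: R 1001000:1001000(0) win 24820 (DF)
10:00:03.000000 client.example.40001 > mx.example.smtp: S 1000:1000(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
10:00:03.010000 mx.example.smtp > client.example.40001: S 9000:9000(0) ack 1001 win 8760 <mss 1460> (DF)
""".splitlines()
ABNORMAL = """\
10:05:00.000000 client.example.40002 > mx.example.smtp: S 2000:2000(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
10:05:00.140000 mx.example.smtp > client.example.40002: . 7000:7008(8) ack 1002000 win 24820 (DF)
10:05:03.350000 client.example.40002 > mx.example.smtp: S 2000:2000(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
10:05:03.360000 mx.example.smtp > client.example.40002: . 0:8(8) ack 1 win 24820 (DF)
""".splitlines()

if __name__ == "__main__":
    print(classify_flows(NORMAL + ABNORMAL))
```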
To disable SYN flood protection
Document ID: 2003030616593554
Last Modified: 04/28/2006
Date Created: 03/06/2003
Operating System(s): Windows NT 4.0, Windows 2000, Solaris 2.6, Solaris 2.7, Solaris 8, Appliance
Product(s): Symantec Enterprise Firewall 6.5, Symantec Enterprise Firewall 7.x, Symantec Enterprise VPN (Server) 6.5, Symantec Enterprise VPN (Server) 7.x, Symantec Gateway Security Appliance 1.0, Symantec VelociRaptor 1.1, Symantec VelociRaptor 1.5
Release(s): Symantec Enterprise Firewall 6.5.2, Symantec Enterprise Firewall 7.0, Symantec Enterprise VPN (Server) 6.5, Symantec Enterprise VPN (Server) 6.5.1, Symantec Enterprise VPN (Server) 6.5.2, Symantec Enterprise VPN (Server) 6.5.3, Symantec Enterprise VPN (Server) 7.0, Symantec Gateway Security Appliance 1.0, Symantec VelociRaptor 1.1, Symantec VelociRaptor 1.5