TCP URG Packets dropped as "Invalid TCP flag"
07/06/2023
Description
When a device sends TCP packets with the URG flag set, the firewall drops them as "Invalid TCP flag". This interrupts TCP communication.
Cause
The source is sending TCP packets with the URG pointer set, and the firewall is dropping them as "Invalid TCP Flag".
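To confirm which flows actually carry the URG flag before relaxing any access rule, the TCP header can be decoded from a packet capture. The following is an added example, not SonicWall code: it parses raw IPv4/TCP packets and counts URG-flagged packets per source, destination and destination port. The helper names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

# Flag bits in the low six bits of TCP header bytes 12-13 (RFC 9293).
FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_ipv4_tcp(pkt):
    """Decode one raw IPv4 packet; return None unless it holds a full TCP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != socket.IPPROTO_TCP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(pkt) < ihl + 20:
        return None  # malformed, or a later fragment with no TCP header
    sport, dport, _, _, off_flags, _, _, urg_ptr = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "urg_ptr": urg_ptr,
            "flags": [name for bit, name in sorted(FLAGS.items()) if off_flags & bit]}

def urg_flows(packets):
    """Count URG-flagged packets per (source, destination, destination port)."""
    hits = Counter()
    for pkt in packets:
        info = parse_ipv4_tcp(pkt)
        if info and "URG" in info["flags"]:
            hits[(info["src"], info["dst"], info["dport"])] += 1
    return dict(hits)

def build(src, dst, sport, dport, flags, urg_ptr=0):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 8192, 0, urg_ptr)
    return ip + tcp

# Constructed sample traffic (illustrative addresses, not from the article).
SAMPLE = [
    build("192.168.1.50", "203.0.113.10", 40000, 23, 0x18),     # PSH, ACK
    build("192.168.1.50", "203.0.113.10", 40000, 23, 0x38, 1),  # PSH, ACK, URG
    build("203.0.113.10", "192.168.1.50", 23, 40000, 0x32, 1),  # SYN, ACK, URG
    build("192.168.1.60", "203.0.113.20", 40001, 443, 0x10),    # ACK
]

if __name__ == "__main__":
    for flow, count in urg_flows(SAMPLE).items():
        print(flow, count)
```

The source and destination addresses it reports identify the zone pair, and therefore the single access rule, that needs the URG setting changed.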
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
This behavior occurs because the source is sending a TCP SYN, ACK packet with the URG flag set and the firewall is configured to drop URG packets. Follow the steps below to allow TCP URG packets:
- Determine the zone the traffic is coming from and the zone it is destined for, e.g. from the LAN zone to the WAN zone. Choose the same matrix under Policy | Rules and Policies | Access Rules.
- Find the access rule that this traffic uses to reach the destination device, hover over that rule, and click the pencil option at the far right to edit it.
- Click the Optional Settings tab of the access rule and enable the Allow TCP Urgent Packets option.
- Click Save at the bottom to save the settings.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
This behavior occurs because the source is sending a TCP SYN, ACK packet with the URG flag set and the firewall is configured to drop URG packets. Follow the steps below to allow TCP URG packets:
- Determine the zone the traffic is coming from and the zone it is destined for, e.g. from the LAN zone to the WAN zone. Choose the same matrix under Manage | Rules | Access Rules.
- Find the access rule that this traffic uses to reach the destination device and click the pencil option at the far right of that rule to edit it.
- Click the Advanced tab of the access rule and enable the Allow TCP Urgent Packets option.
- Click OK at the bottom to save the settings.