Unable to reach a specific website - "SYN, ACK" packet missing

Description

A specific website is randomly unreachable. A packet capture shows that the TCP three-way handshake is not established correctly: the "SYN, ACK" reply to the "SYN" packet is missing from the handshake.

When the SonicWall is bypassed, the website is always reachable.

Cause

Possible root causes:

  • A SYN-ACK is sent, but the server is dual-homed (multiple interfaces in the same subnet) and sends the response out of a different interface.
  • The server does not send a SYN-ACK at all.
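To tell the two causes apart in a capture, the following added example (not SonicWall code) classifies each client SYN as answered, answered from a different interface, or unanswered. It assumes text output from `tcpdump -e -nn -S` taken on the server-side segment; the sample lines, MAC addresses and the `classify_handshakes` name are constructed for illustration.

```python
import re

# One line of `tcpdump -e -nn -S` output for an IPv4 TCP segment.
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4.*?: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): Flags \[(?P<flags>[^\]]+)\], "
    r"seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?"
)

# Constructed sample: firewall MAC ..:fe, server NICs ..:01 and ..:02.
SAMPLE = """
10:00:00.000001 02:00:00:00:00:fe > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.0.2.10.51000 > 198.51.100.20.443: Flags [S], seq 1000, win 64240, length 0
10:00:00.000200 02:00:00:00:00:01 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 198.51.100.20.443 > 192.0.2.10.51000: Flags [S.], seq 9000, ack 1001, win 65160, length 0
10:00:01.000001 02:00:00:00:00:fe > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.0.2.10.51001 > 198.51.100.20.443: Flags [S], seq 2000, win 64240, length 0
10:00:01.000200 02:00:00:00:00:02 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 198.51.100.20.443 > 192.0.2.10.51001: Flags [S.], seq 9500, ack 2001, win 65160, length 0
10:00:02.000001 02:00:00:00:00:fe > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.0.2.10.51002 > 198.51.100.20.443: Flags [S], seq 3000, win 64240, length 0
10:00:03.000001 02:00:00:00:00:fe > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.0.2.10.51002 > 198.51.100.20.443: Flags [S], seq 3000, win 64240, length 0
"""

def classify_handshakes(lines):
    """Return {(client, server, syn_seq): verdict} for every SYN seen."""
    syns, verdicts = {}, {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not an IPv4 TCP line in the expected format
        f = m.groupdict()
        if f["flags"] == "S":
            # Client SYN; retransmissions share the key and collapse into one entry.
            key = (f["src"], f["dst"], int(f["seq"]))
            syns.setdefault(key, f["dmac"])
            verdicts.setdefault(key, "missing")
        elif f["flags"] == "S." and f["ack"]:
            # Server SYN-ACK: reversed endpoints, ack number = SYN seq + 1.
            key = (f["dst"], f["src"], int(f["ack"]) - 1)
            if key in syns:
                # The reply should leave from the NIC the SYN was delivered to.
                same_nic = f["smac"] == syns[key]
                verdicts[key] = "ok" if same_nic else "wrong-interface"
    return verdicts

if __name__ == "__main__":
    for conn, verdict in classify_handshakes(SAMPLE.splitlines()).items():
        print(conn, verdict)
```

A "wrong-interface" verdict corresponds to the dual-homed case; "missing" means no SYN-ACK appeared in the capture at all.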

Resolution

There is no workaround available on the SonicWall, because for security reasons the 3-way handshake must be established correctly.

Sometimes web servers use several interfaces for "redundancy" reasons, and each interface is simply assigned an IP address from the same subnet (Windows does not prevent that)! This usually works on a local network without security devices (firewalls, load balancers, etc.), but it can cause problems when those devices are in place.

If the problem is not related to web server redundancy, one possible server-side solution is to turn off both TCP window scaling and TCP timestamps on servers that are accessible to the public.
