20.7 Legacy Series / Trouble with half-closed connections
« on: September 28, 2020, 06:07:43 pm »
I investigated an unusually high number of packets hitting my default deny rule. For the most part they had the TCP FPA flags set. In a trace I did on the box hosting the firewall VM I looked at some affected connections, and the most unusual thing about them is that the client still sends traffic into a half-closed connection. Two examples:
1) Server sends FIN
2) Client ACKs the FIN
3) Client Sends additional data -> Packet is blocked
4) Client sends FIN -> Packet is blocked
5) Client retransmits FIN a few times -> Packets are blocked
Second case:
1) Server sends FIN
2) Client ACKs packet before FIN
3) Server retransmits FIN
4) Client ACKs the FIN
5) Client sends FIN -> Packet is blocked
6) Client retransmits FIN a few times -> Packets are blocked
Both clients are Android devices talking to the cloud. One connection is IPv4, the other is IPv6. How can I troubleshoot this further? Why don't the packets match the stateful return path?
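The two sequences in the post, replayed through a deliberately simplified connection tracker. This is an added example for illustration, not code from the original post and not how pf or OPNsense actually track state: a real tracker also checks sequence windows and applies closing/time-wait timeouts, which this model leaves out. It compares two policies: a naive one that drops the state entry as soon as either side's FIN has been acknowledged, and a half-close-aware one that keeps the entry until both FINs are acknowledged. The sequence numbers, payload sizes and the assumption that the client's FIN carries its last data bytes (so it logs as FPA) are constructed for the example.

```python
"""Toy TCP state tracker for half-closed connections (constructed example).

Models the two traces from the post and shows which packets a stateful
filter would block under two closing policies. Not pf's implementation.
"""
from collections import Counter
from dataclasses import dataclass, field

# TCP flag bits (RFC 793 header layout)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def flag_str(flags):
    """Render flags as a letter string, e.g. FIN+PSH+ACK -> 'FPA'."""
    letters = ((FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"), (ACK, "A"))
    return "".join(ch for bit, ch in letters if flags & bit)


@dataclass
class Packet:
    src: str        # "client" or "server"
    flags: int
    seq: int        # sequence number of the first byte in this segment
    ack: int = 0    # acknowledgement number, meaningful when ACK is set
    data: int = 0   # payload length in bytes (a FIN occupies seq + data)


def other(side):
    return "server" if side == "client" else "client"


@dataclass
class ConnState:
    """Per-connection closing state: where each side's FIN sits, and whether
    the peer has acknowledged it."""
    fin_seq: dict = field(default_factory=lambda: {"client": None, "server": None})
    fin_acked: dict = field(default_factory=lambda: {"client": False, "server": False})
    closed: bool = False


def track(packets, half_close_aware):
    """Run packets through a fresh state entry; return a 'pass'/'block'
    verdict per packet. With half_close_aware=False the entry is torn down
    once either FIN is acknowledged; with True it survives until both are."""
    st = ConnState()
    verdicts = []
    for p in packets:
        if st.closed:
            verdicts.append("block")   # no state entry any more: default deny
            continue
        verdicts.append("pass")
        if p.flags & FIN and st.fin_seq[p.src] is None:
            st.fin_seq[p.src] = p.seq + p.data      # FIN comes after any data
        if p.flags & ACK:
            peer_fin = st.fin_seq[other(p.src)]
            # An ACK covers the peer's FIN only if it reaches fin_seq + 1
            if peer_fin is not None and p.ack >= peer_fin + 1:
                st.fin_acked[other(p.src)] = True
        if half_close_aware:
            st.closed = st.fin_acked["client"] and st.fin_acked["server"]
        else:
            st.closed = st.fin_acked["client"] or st.fin_acked["server"]
    return verdicts


def blocked_summary(packets, half_close_aware):
    """Count blocked packets by flag string, like a firewall log would show."""
    verdicts = track(packets, half_close_aware)
    return Counter(flag_str(p.flags) for p, v in zip(packets, verdicts) if v == "block")


# Case 1 from the post (constructed seq/ack numbers; server FIN sits at seq 1000)
CASE_1 = [
    Packet("server", FIN | ACK, seq=1000, ack=500),            # 1) server sends FIN
    Packet("client", ACK, seq=500, ack=1001),                  # 2) client ACKs the FIN
    Packet("client", PSH | ACK, seq=500, ack=1001, data=20),   # 3) client sends more data
    Packet("client", FIN | PSH | ACK, seq=520, ack=1001, data=10),  # 4) client FIN (assumed to carry data -> FPA)
    Packet("client", FIN | PSH | ACK, seq=520, ack=1001, data=10),  # 5) retransmitted FIN
]

# Case 2 from the post: the first client ACK stops short of the FIN
CASE_2 = [
    Packet("server", FIN | ACK, seq=1000, ack=500),   # 1) server sends FIN
    Packet("client", ACK, seq=500, ack=1000),         # 2) ACKs data before the FIN only
    Packet("server", FIN | ACK, seq=1000, ack=500),   # 3) server retransmits FIN
    Packet("client", ACK, seq=500, ack=1001),         # 4) client ACKs the FIN
    Packet("client", FIN | PSH | ACK, seq=500, ack=1001, data=10),  # 5) client FIN
    Packet("client", FIN | PSH | ACK, seq=500, ack=1001, data=10),  # 6) retransmitted FIN
]

if __name__ == "__main__":
    for name, case in (("case 1", CASE_1), ("case 2", CASE_2)):
        for aware in (False, True):
            print(name, "half-close aware" if aware else "naive", track(case, aware),
                  dict(blocked_summary(case, aware)))
```

Under the naive policy the tracker reproduces exactly the blocks reported in the post (everything after the client's ACK of the server's FIN, including the FIN retransmits), and the blocked packets log as PA/FPA; under the half-close-aware policy every packet passes because the client's own FIN is never acknowledged. When reading a real trace, the thing to check is therefore whether the blocked packets appear only after the first FIN has been acknowledged, and what the firewall's closing timeout is for that state.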