OPNsense

Author Topic: [SOLVED] Firewall blocks TCP RST when TCP FIN was sent already  (Read 5849 times)

JasMan

  • Full Member
  • ***
  • Posts: 175
  • Karma: 9
    • View Profile
[SOLVED] Firewall blocks TCP RST when TCP FIN was sent already
« on: January 02, 2019, 01:37:49 pm »
Hey,

I have an issue with a TCP connection (LAN client downloads data from WAN server). I did some troubleshooting and found out that a packet with RST flag set is blocked by the firewall (I guess), when a packet with FIN flag set was sent before in the TCP session.
An example:

RST packet blocked
  • Session between Client and Server is up and running
  • Client decides to close the session and sends an FIN/ACK packet to the server
  • Server apparently ignores the FIN/ACK packet and still sends data packets to the client
  • Client sends an RST packet to the server, which is blocked by the OPNsense appliance. I can see the packet in the packet trace on the LAN side but not on the WAN side.
  • Server still sends data packets, but the client doesn't acknowledge them. It stops when the client's receive window is "full".

RST packet is not blocked
  • Session between Client and Server is up and running
  • Client decides to close the session and sends an RST packet to the server
  • Server sends ACK packet and stops sending data

Is this a normal behaviour?
I think my issue has to do with this behaviour, because when the RST packet is blocked the session state remains open on the server. When a certain limit has been reached, I guess the server will not allow any more connections from/to my IP address.

Jas Man
« Last Edit: January 12, 2019, 02:25:10 pm by JasMan »
Logged
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose
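The troubleshooting step described in the post (capturing the same flow on the LAN side and on the WAN side and checking which client packet never shows up behind the firewall) can be scripted. The following is an added example, not code from the thread or from OPNsense: it correlates two constructed packet lists by direction, sequence number, acknowledgement number and TCP flags, so that the NAT rewrite of the client address on the WAN side does not break the match, and it reports whether the missing packet is a client RST that followed a client FIN. The addresses, the NAT address, and the sequence numbers are constructed sample data.

```python
"""Correlate a LAN-side and a WAN-side capture of one TCP flow and report
which client segments did not make it past the firewall (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits as they appear in the TCP header flags byte.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}


def decode_flags(bits: int) -> str:
    """Render a flags byte as e.g. 'FIN/ACK' for human-readable output."""
    names = [name for name, bit in FLAGS.items() if bits & bit]
    return "/".join(names) if names else "-"


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    seq: int
    ack: int
    flags: int

    def key(self, server: str) -> Tuple[str, int, int, int]:
        # Direction is judged against the server address, which NAT does not
        # rewrite, so the LAN-side and WAN-side copies of one segment share a key
        # even though the client address differs between the two captures.
        direction = "c2s" if self.dst == server else "s2c"
        return (direction, self.seq, self.ack, self.flags)


def missing_on_wan(lan: List[Pkt], wan: List[Pkt], server: str) -> List[Pkt]:
    """Segments present in the LAN capture with no matching copy in the WAN capture."""
    budget: Dict[Tuple[str, int, int, int], int] = {}
    for p in wan:
        k = p.key(server)
        budget[k] = budget.get(k, 0) + 1
    missing = []
    for p in lan:
        k = p.key(server)
        if budget.get(k, 0) > 0:
            budget[k] -= 1      # matched one WAN-side copy, consume it
        else:
            missing.append(p)
    return missing


def client_rst_after_fin(lan: List[Pkt], server: str) -> Optional[Pkt]:
    """First client RST that follows a client FIN in the LAN trace, or None."""
    fin_seen = False
    for p in lan:
        if p.dst != server:          # only client-to-server segments matter here
            continue
        if p.flags & FLAGS["FIN"]:
            fin_seen = True
        elif fin_seen and p.flags & FLAGS["RST"]:
            return p
    return None


def report(lan: List[Pkt], wan: List[Pkt], server: str) -> List[str]:
    """Human-readable findings: every dropped segment plus the RST-after-FIN verdict."""
    dropped = missing_on_wan(lan, wan, server)
    lines = [f"dropped at firewall: {p.src} -> {p.dst} seq={p.seq} ack={p.ack} "
             f"flags={decode_flags(p.flags)}" for p in dropped]
    rst = client_rst_after_fin(lan, server)
    if rst is not None and rst in dropped:
        lines.append("pattern matches the post: client RST sent after FIN did not reach the WAN side")
    return lines


# Constructed sample traces (RFC 5737 documentation addresses, made-up sequence numbers).
CLIENT, NAT_IP, SERVER = "192.168.1.10", "198.51.100.2", "203.0.113.5"
ACK, PSH_ACK, FIN_ACK, RST = 0x10, 0x18, 0x11, 0x04
LAN_TRACE = [
    Pkt(CLIENT, SERVER, 1000, 5000, ACK),       # client acknowledges earlier data
    Pkt(SERVER, CLIENT, 5000, 1000, PSH_ACK),   # server keeps sending data
    Pkt(CLIENT, SERVER, 1000, 6460, FIN_ACK),   # client starts closing the session
    Pkt(SERVER, CLIENT, 6460, 1000, PSH_ACK),   # server ignores the FIN, more data
    Pkt(CLIENT, SERVER, 1001, 0, RST),          # client resets; seen on LAN only
    Pkt(SERVER, CLIENT, 7920, 1000, PSH_ACK),   # server still sending
]
# WAN side: client address is NATed, and the RST is absent.
WAN_TRACE = [Pkt(NAT_IP if p.src == CLIENT else p.src,
                 NAT_IP if p.dst == CLIENT else p.dst, p.seq, p.ack, p.flags)
             for p in LAN_TRACE if p.flags != RST]

if __name__ == "__main__":
    for line in report(LAN_TRACE, WAN_TRACE, SERVER):
        print(line)
```

Feeding real captures means filling the two lists from a pcap parser instead of the constructed data; the matching logic stays the same. If a segment turns up in `missing_on_wan` it was lost between the two capture points, which on a single-box setup narrows the cause to the firewall's own filtering or state table rather than the server.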

JasMan

  • Full Member
  • ***
  • Posts: 175
  • Karma: 9
    • View Profile
Re: Firewall blocks TCP RST when TCP SYN was sent already
« Reply #1 on: January 11, 2019, 09:48:25 pm »
Mmh, it looks like the new version 18.7.10 solved this problem.
Logged
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17703
  • Karma: 1616
    • View Profile
Re: [SOLVED] Firewall blocks TCP RST when TCP SYN was sent already
« Reply #2 on: January 12, 2019, 01:57:55 pm »
Hmm, strange fix. Maybe the reboot did it?


Cheers,
Franco
Logged

JasMan

  • Full Member
  • ***
  • Posts: 175
  • Karma: 9
    • View Profile
Re: [SOLVED] Firewall blocks TCP RST when TCP FIN was sent already
« Reply #3 on: January 12, 2019, 02:33:32 pm »
I'm not totally sure but I think I already did a reboot before the update.

BTW: I saw that the title of my topic was wrong. I've changed it ("...TCP SYN..." to "...TCP FIN...")
Logged
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17703
  • Karma: 1616
    • View Profile
Re: [SOLVED] Firewall blocks TCP RST when TCP FIN was sent already
« Reply #4 on: January 13, 2019, 11:09:02 am »
Ok, I'll keep this in mind. It might have to do with a state being stuck in the previous "block" state. In some cases state tracking should be turned off or set to sloppy which can be done per rule under advanced settings.


Cheers,
Franco
Logged
