NSA 4600 - dropped packets for invalid TCP Flag #1
UTCTech
Getting some dropped packets on the SonicWall with the below error.
Any idea what could be causing this?
DROPPED, Drop Code: 70(Invalid TCP Flag(#1)), Module Id: 25(network), (Ref.Id: _5712_uyHtJcpfngKrRmv) 1:3)
I've seen this, but it has not resolved the issues (noticed the flag is #2, not #1).
Category: Mid Range Firewalls
Answers
This is on an NSA 4600 with firmware version 6.5.4.8-89.
Hi @UTCTech ,
Can you please follow the KB below:
This article describes how to workaround the drop "(Invalid TCP Flag(#2)), Module Id: 25(network)" due to network issues.
Regards
Nevyaditha P
Technical Support Advisor, Premier Services
I have run into this with no resolution from the various Sonicwall KBs.
I will try to be succinct. We are replacing a Cisco ASA with a NSA3700. Planned a phased migration where we swap IPs of the Cisco and Sonicwall interfaces to direct traffic through the Sonicwall on a VLAN by VLAN basis. A dedicated interface was established between the Cisco and Sonicwall for routing between the Cisco-controlled VLANs and Sonicwall-controlled VLANs.
It's really a simple setup, and I have intermingled ASAs and NSAs like this with no trouble before. Not this time.
Non-TCP traffic seems to flow just fine: ICMP, simple UDP (DNS requests). TCP traffic flowing through the Cisco to Sonicwall results in the Sonicwall dropping the traffic with the same Invalid TCP Flag #1 code.
Packet analysis in Wireshark shows the TCP packets containing Acknowledgement sequence numbers with the RST flag set. Off to the search engines.
https://osqa-ask.wireshark.org/questions/3183/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set/
https://osqa-ask.wireshark.org/questions/8465/acknowledgment-number-broken-tcp-the-acknowledge-field-is-nonzero-while-the-ack-flag-is-not-set/
A few others mentioning the same thing on S2S VPN tunnels between Sonicwalls and ASAs. Nothing conclusive though.
Ultimately we will have to skip the phases and just cutover all at once. It's a bit much with ~25 VLANs, but what are you gonna do?
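The Wireshark finding in the post above ("the acknowledgment field is nonzero while the ACK flag is not set") can be reproduced without a capture file. The following is an added example, not code from the thread, from SonicWall, or from Cisco: it parses the fixed 20-byte TCP header, lists the flag bits, and raises the same consistency finding Wireshark's expert info does. The two packets it checks are constructed inline (a bare RST carrying a non-zero acknowledgment number, and a well-formed RST/ACK); the port and sequence values are placeholders, and nothing here reproduces SonicWall's own drop-code logic.

```python
"""Parse raw TCP headers and flag the condition discussed in the thread:
a non-zero acknowledgment number while the ACK flag is clear.
Added example; the sample packets are constructed, not captured."""
import struct

# TCP flag bits as they sit in the low bits of the 16-bit offset/flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# RFC 793 fixed header: ports, seq, ack, offset/flags, window, checksum, urgent ptr
_TCP_FIXED = "!HHIIHHHH"


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a 20-byte TCP header with no options (checksum left at zero).

    Only used here to construct sample packets for the checker."""
    off_flags = (5 << 12) | flags  # data offset 5 words = 20 bytes, no options
    return struct.pack(_TCP_FIXED, sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(data):
    """Return the fixed-header fields of a TCP segment as a dict."""
    if len(data) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        _TCP_FIXED, data[:20]
    )
    flags = off_flags & 0x01FF  # 9 flag bits (NS plus the six classic ones)
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": flags,
        "flags_set": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "window": window,
    }


def check_ack_consistency(hdr):
    """Return a list of findings about the ACK field versus the ACK flag.

    An empty list means the header is consistent. The first finding is the
    one Wireshark reports as "the acknowledge field is nonzero while the ACK
    flag is not set", which is what the thread saw on the RST packets."""
    findings = []
    if hdr["ack"] != 0 and not hdr["flags"] & ACK:
        findings.append("acknowledgment number is non-zero but ACK flag is not set")
    if hdr["flags"] & SYN and hdr["flags"] & FIN:
        findings.append("SYN and FIN set together")
    if hdr["flags"] & SYN and hdr["flags"] & RST:
        findings.append("SYN and RST set together")
    return findings


# Constructed samples (placeholder ports and sequence numbers):
# 1. a bare RST that still carries an acknowledgment number, as seen in the thread
SAMPLE_BAD_RST = build_tcp_header(443, 51000, seq=1000, ack=2000, flags=RST)
# 2. the well-formed equivalent: RST with ACK set, so the ack number is meaningful
SAMPLE_GOOD_RST_ACK = build_tcp_header(443, 51000, seq=1000, ack=2000, flags=RST | ACK)


def summarize(packets):
    """Run the checker over raw headers and return (packet_index, findings) pairs
    for every packet that has at least one finding."""
    results = []
    for i, raw in enumerate(packets):
        findings = check_ack_consistency(parse_tcp_header(raw))
        if findings:
            results.append((i, findings))
    return results


if __name__ == "__main__":
    for idx, findings in summarize([SAMPLE_BAD_RST, SAMPLE_GOOD_RST_ACK]):
        hdr = parse_tcp_header([SAMPLE_BAD_RST, SAMPLE_GOOD_RST_ACK][idx])
        print(f"packet {idx}: flags={hdr['flags_set']} ack={hdr['ack']} -> {findings}")
```

Feeding this the TCP layer of the captured packets (for example, the bytes Wireshark exports for the TCP header) separates the two cases that look alike in a summary view: an RST with ACK set, which is normal, and an RST without ACK that still carries an acknowledgment number, which is the malformed shape the thread describes.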