TCP packets dropped by Firewall due to Invalid Timestamp option
Symptom
- TCP SYN and TCP SYN/ACK packets are not dropped by the firewall and are forwarded as expected
- Firewall randomly drops packets and global counter "tcp_invalid_ts_option" increments.
> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 3.298 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
tcp_drop_packet 1 0 warn tcp pktproc packets dropped because of failure in tcp reassembly
tcp_invalid_ts_option 1 0 info tcp pktproc tcp packets with invalid timestamp option >>>>>> Increment in Counter
- Please refer to the document below, which explains how to check the global counter for specific traffic:
Environment
- TCP timestamp option is exchanged between the client and server
- “Check Timestamp option” is enabled on firewall
Cause
- The firewall drops every TCP packet whose TSVal (Timestamp Value) is zero, except SYN and SYN/ACK packets.
- To check the TSVal in a TCP packet, refer to the screenshot below:
- By default, “Check Timestamp option” is enabled, so the firewall drops this packet. The setting can be verified by running the following command in the CLI:
> show running tcp state
session with asymmetric path : bypass inspection
Bypass if OO queue limit is reached : no
Favor new seg data : no
Urgent data : clear
Drop if zero after clear urgent flag : yes
Check Timestamp option : yes -----> This option is set to Yes by default
Allow Challenge Ack : yes
Remove MPTCP option : yes
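To illustrate the rule described above, here is an added Python example (not from this article or from Palo Alto Networks) that parses the TCP Timestamp option (kind 8) out of a raw TCP header and applies the same decision: drop when TSval is zero unless the segment is a SYN or SYN/ACK. The segments it checks are constructed inline; the function names are this example's own.

```python
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8


def tcp_timestamp_value(tcp_header: bytes):
    """Return TSval from the TCP Timestamp option, or None if the option is absent."""
    data_offset = (tcp_header[12] >> 4) * 4        # header length in bytes
    options = tcp_header[20:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:                     # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(options):
            break                                  # truncated option list
        length = options[i + 1]
        if length < 2:
            break                                  # malformed length, stop parsing
        if kind == TCPOPT_TIMESTAMP and length == 10:
            tsval, _tsecr = struct.unpack("!II", options[i + 2:i + 10])
            return tsval
        i += length
    return None


def would_drop_invalid_ts(tcp_header: bytes) -> bool:
    """Mirror the documented check: TSval == 0 is dropped unless SYN bit is set."""
    is_syn = bool(tcp_header[13] & TCP_FLAG_SYN)   # true for SYN and SYN/ACK
    return tcp_timestamp_value(tcp_header) == 0 and not is_syn


def build_segment(flags: int, tsval: int, tsecr: int) -> bytes:
    """Constructed sample header: 20-byte base + NOP, NOP, Timestamp (32 bytes total)."""
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_TIMESTAMP, 10])
    options += struct.pack("!II", tsval, tsecr)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 44321, 443, 1000, 0,
                       data_offset << 4, flags, 65535, 0, 0) + options


if __name__ == "__main__":
    for name, seg in [("SYN TSval=0", build_segment(TCP_FLAG_SYN, 0, 0)),
                      ("ACK TSval=0", build_segment(TCP_FLAG_ACK, 0, 12345)),
                      ("ACK TSval=777", build_segment(TCP_FLAG_ACK, 777, 12345))]:
        print(f"{name}: dropped={would_drop_invalid_ts(seg)}")
```

Running it against a capture that reproduces the tcp_invalid_ts_option increments shows which non-SYN segments carry a zero TSval, which points at the host that needs fixing if the option is to stay enabled.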
Resolution
- As per the current design, the firewall drops packets with TSVal set to 0.
- If this is legitimate traffic and you wish to allow it, you can disable the "Timestamp Check". If you do not wish to change this option, check the server or the client to see why it is sending a null timestamp value.
- From CLI:
> configure
# set deviceconfig setting tcp check-timestamp-option no
# commit
- From GUI: