Firewall dropped SYN-ACK packet when TCP Fast Open Cookie is enabled

Created On 03/07/26 07:38 AM - Last Modified 03/20/26 21:36 PM


Symptom


  • Websites are intermittently inaccessible to clients behind the firewall.
  • The firewall drops the server's SYN-ACK packet, so the TCP three-way handshake never completes.
  • The flow basic packet-diag log shows "TCP reassembly failed" for the dropped SYN-ACK packet.
  • The tcp_synack_invalid global counter increments (check with: show counter global filter delta yes | match tcp_synack_invalid).


Environment


  • PAN-OS Firewalls
  • PAN-OS 10.1 or later
  • TCP Fast Open (TFO) in use, i.e. the handshake packets carry a TFO cookie option (RFC 7413)


Cause


Software issue (PAN-258149): the firewall fails to validate a SYN-ACK packet that carries the TCP Fast Open cookie option and drops it as an invalid SYN-ACK.



Resolution


  1. The issue is tracked as PAN-258149 and is resolved in newer PAN-OS releases.
  2. Upgrade to a fixed release: 11.1.6-h1, 11.1.7, 11.2.5, 12.1.0, or any later version.

Workaround:

  1. Create (or edit) a Zone Protection profile and enable TCP Fast Open under TCP Drop, which strips the TFO option from SYN and SYN-ACK packets.
  2. In the GUI this is under Network > Network Profiles > Zone Protection > Packet Based Attack Protection > TCP Drop.
  3. Attach the profile to the zone(s) where the affected traffic ingresses (Network > Zones > Zone Protection Profile) and commit. Stripping the option from the client's SYN means the server has no cookie request to answer, so its SYN-ACK no longer carries the TFO option that triggers the drop.

Note that with the option stripped, clients fall back to a regular three-way handshake and lose the round trip that TFO saves; remove the workaround after upgrading to a fixed release if TFO performance matters.


Additional Information


TCP Fast Open (Zone Protection > Packet Based Attack Protection > TCP Drop):

  • When selected, the firewall strips the TCP Fast Open option (and the data payload, if any) from the TCP SYN or SYN-ACK packet during the three-way handshake.
  • When cleared (the default), the TCP Fast Open option is allowed through, preserving the faster connection setup TFO provides by carrying data in the handshake. This setting works independently of the TCP SYN with Data and TCP SYN-ACK with Data drop options.
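The following Python is an added example (it is not part of this article and not Palo Alto Networks code) that shows what the "strip TCP Fast Open" action does to a handshake packet: it parses the TCP header of a SYN-ACK, reports whether the TFO option (RFC 7413 kind 34, or the experimental kind 254 form with experiment ID 0xF989) is present, and then rebuilds the segment without the option and without any data riding on the handshake. The sample segments are constructed inline for the demo; the checksum is left at zero because recomputing it needs the IP pseudo-header that a forwarding device has and this snippet does not.

```python
"""Added example: detect and strip the TCP Fast Open option from SYN / SYN-ACK
segments, mimicking the Zone Protection 'TCP Fast Open' drop action. Not the
firewall's own code; input segments below are constructed, not captured."""
import struct

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MSS = 2
TCP_OPT_TFO = 34          # RFC 7413 TCP Fast Open option kind
TCP_OPT_EXP = 254         # experimental option kind, used by early TFO stacks
TFO_EXID = b"\xf9\x89"    # TFO experiment ID carried in the kind-254 form

FLAG_SYN = 0x02
FLAG_ACK = 0x10


def parse_tcp(segment: bytes):
    """Split a TCP segment into (header dict, [(kind, data), ...], payload)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset")
    options, raw, i = [], segment[20:data_offset], 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            break                      # rest of the option area is padding
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        options.append((kind, raw[i + 2:i + length]))
        i += length
    header = dict(sport=sport, dport=dport, seq=seq, ack=ack,
                  flags=off_flags & 0x1FF, win=win, csum=csum, urg=urg)
    return header, options, segment[data_offset:]


def is_tfo_option(kind: int, data: bytes) -> bool:
    """True for RFC 7413 kind 34, or the experimental kind 254 + 0xF989 form."""
    return kind == TCP_OPT_TFO or (kind == TCP_OPT_EXP and data[:2] == TFO_EXID)


def has_tfo(segment: bytes) -> bool:
    _, options, _ = parse_tcp(segment)
    return any(is_tfo_option(k, d) for k, d in options)


def build_tcp(header: dict, options, payload: bytes) -> bytes:
    """Serialize a TCP segment; options are padded to a 32-bit boundary with
    EOL bytes and the checksum is left zero (needs the IP pseudo-header)."""
    raw = b"".join(bytes([k, len(d) + 2]) + d for k, d in options)
    raw += b"\x00" * (-len(raw) % 4)
    data_offset = (20 + len(raw)) // 4
    fixed = struct.pack("!HHIIHHHH", header["sport"], header["dport"],
                        header["seq"], header["ack"],
                        (data_offset << 12) | header["flags"],
                        header["win"], 0, header["urg"])
    return fixed + raw + payload


def strip_tfo(segment: bytes) -> bytes:
    """Mimic the strip action: on a SYN or SYN-ACK carrying a TFO option, drop
    the option and any data on the handshake packet. Anything else passes."""
    header, options, payload = parse_tcp(segment)
    if not header["flags"] & FLAG_SYN:
        return segment                 # not a handshake packet
    kept = [(k, d) for k, d in options if not is_tfo_option(k, d)]
    if len(kept) == len(options):
        return segment                 # no TFO option present
    return build_tcp(header, kept, b"")


def constructed_synack(cookie: bytes, payload: bytes) -> bytes:
    """Constructed sample (demo data, not a capture): a SYN-ACK answering a TFO
    cookie request, with an MSS option, the cookie and early response data."""
    header = dict(sport=443, dport=51515, seq=0x11111111, ack=0x22222223,
                  flags=FLAG_SYN | FLAG_ACK, win=65535, csum=0, urg=0)
    return build_tcp(header, [(TCP_OPT_MSS, struct.pack("!H", 1460)),
                              (TCP_OPT_TFO, cookie)], payload)


if __name__ == "__main__":
    seg = constructed_synack(bytes(range(8)), b"HTTP/1.1 200 OK\r\n")
    print("before:", len(seg), "bytes, TFO:", has_tfo(seg))
    out = strip_tfo(seg)
    print("after: ", len(out), "bytes, TFO:", has_tfo(out))
```

Running the module shows a 53-byte SYN-ACK (MSS + 8-byte cookie + 17 bytes of early data) shrink to a 24-byte SYN-ACK carrying only the MSS option, which is the packet the workaround lets the firewall see; a SYN-ACK without the option is returned unchanged, as is any non-handshake segment.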


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000wkhWKAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail