cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
New Contributor

TCP connection request received is invalid (expected SYN, got ACK)

I've searched the forums and have seen the solution is to configure stateless on the ip policy, however when I tried that, the problem became worse than better.  I'm assuming I just don't know exactly how to configure the stateless.

Here's my issue:

I see these in the logs, both ways:

2019.03.03 15:09:34 FIREWALL id=firewall time="2019-03-03 15:09:34" fw=Mainframe_3430(A) pri=1  proto=telnet src=10.1.1.18 dst=10.1.1.6 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x18 Src 55453 Dst 23 from DataNtwk policy-class on interface eth 0/2" agent=AdFirewall

2019.03.03 17:22:10 FIREWALL id=firewall time="2019-03-03 17:22:10" fw=Mainframe_3430(A) pri=1 proto=50371/tcp src=172.28.0.7 dst=10.1.1.83 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x18 Src 3001 Dst 50371 from MainframeNtwk policy-class on interface eth 0/1" agent=AdFirewall

I've tried the following config changes, to no avail:

1st Try:

ip policy-class DataNtwk

  allow list Admin3430 self

  allow list any-any policy MainframeNtwk stateless

  nat destination list ToMainframe address 172.28.0.7

!

ip policy-class MainframeNtwk

  allow list Admin3430 self

  allow list any-any policy DataNtwk stateless

  nat source list FromMainframe address 10.1.1.6 overload

!

2nd Try:

ip policy-class DataNtwk

  allow list Admin3430 self

  nat destination list ToMainframe address 172.28.0.7

!

ip policy-class MainframeNtwk

  allow list Admin3430 self

  nat source list FromMainframe address 10.1.1.6 overload

!

Both made the situation worse than better.

I've attached my config to the post.

Any help is appreciated.

Thank you!

Patrick

Labels (2)
0 Kudos