
TCP connection request received is invalid (expected SYN, got ACK)
I've searched the forums and have seen that the solution is to configure stateless on the ip policy; however, when I tried that, the problem became worse rather than better. I'm assuming I just don't know exactly how to configure the stateless.
Here's my issue:
I see these in the logs, both ways:
2019.03.03 15:09:34 FIREWALL id=firewall time="2019-03-03 15:09:34" fw=Mainframe_3430(A) pri=1 proto=telnet src=10.1.1.18 dst=10.1.1.6 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x18 Src 55453 Dst 23 from DataNtwk policy-class on interface eth 0/2" agent=AdFirewall
2019.03.03 17:22:10 FIREWALL id=firewall time="2019-03-03 17:22:10" fw=Mainframe_3430(A) pri=1 proto=50371/tcp src=172.28.0.7 dst=10.1.1.83 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x18 Src 3001 Dst 50371 from MainframeNtwk policy-class on interface eth 0/1" agent=AdFirewall
I've tried the following config changes, to no avail:
1st Try:

ip policy-class DataNtwk
 allow list Admin3430 self
 allow list any-any policy MainframeNtwk stateless
 nat destination list ToMainframe address 172.28.0.7
!
ip policy-class MainframeNtwk
 allow list Admin3430 self
 allow list any-any policy DataNtwk stateless
 nat source list FromMainframe address 10.1.1.6 overload
!

2nd Try:

ip policy-class DataNtwk
 allow list Admin3430 self
 nat destination list ToMainframe address 172.28.0.7
!
ip policy-class MainframeNtwk
 allow list Admin3430 self
 nat source list FromMainframe address 10.1.1.6 overload
!
Both made the situation worse rather than better.
I've attached my config to the post.
Any help is appreciated.
Thank you!
Patrick