12-09-2011 01:13 AM - edited 03-11-2019 03:00 PM
Gentlemen,
Firewall'ing and FW-forensic is not my primary area of expertise, so forgive my ignorance.
When browsing through the collected syslogs from our firewalls (FWSM/ASA), I'm seeing an abundance of SYN Timeouts. There's no specific pattern here, e.g. specific host or service, time of day etc. I can pick any day of the week and select a random host/service and simply search for the string "SYN" and I will almost surely get a significant number of hits.
Now, I'm not really looking for a solution, as we've pretty much ruled out the possibility of misconfiguration. We've gone through potential problems with regards to TCP-connections limitations, timeout values, routing etc. But nothing seems to be misconfigured.
So my question to you gentlemen is: Is what I'm seeing typical or even expected behaviour? Since my server- or application teams are not screaming their lungs out with "slow network", this apparently does not cause severe performance degradation. I'm just surprised by the volume of SYN timeouts, but then again, browsing through the FW-syslogs is not really part of my everyday work. Can something like this be the result of the fact that the volume of application traffic exceeds the capacity of the servers and that this is more a symptom of applications and/or server performance, rather than a network related issue?
Thanks
/Ulrich
12-09-2011 06:11 AM
Hope you don't mind a gentlewoman's response
SYN timeout syslogs are generated when the firewall doesn't receive a response for a SYN that it passed through. It appears that the server may be responding back with a SYN ACK late (after 20 seconds) or not at all.
If it responds late, then you would also see syslog 106015 messages.
-Kureli
12-09-2011 06:56 AM
Hi Kureli,
Don't mind a gentlewoman's reply at all
I'll take another look at the syslog and see if the 106015 message appears frequently as well.
Thanks for your reply
/Ulrich
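The check described in the reply above, as an added example that is not part of the original thread: it pairs each SYN Timeout teardown with any 106015 "Deny TCP (no connection)" message carrying SYN ACK for the same endpoints, separating late replies from no reply at all. The 302014 teardown message ID, the message layouts and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (documentation address ranges, not from the thread).
SAMPLE = """\
Dec 09 2011 06:00:01 fw1 : %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/40111 to inside:192.0.2.10/443 duration 0:00:20 bytes 0 SYN Timeout
Dec 09 2011 06:00:03 fw1 : %ASA-6-106015: Deny TCP (no connection) from 192.0.2.10/443 to 198.51.100.7/40111 flags SYN ACK  on interface inside
Dec 09 2011 06:01:10 fw1 : %ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.8/40222 to inside:192.0.2.20/25 duration 0:00:20 bytes 0 SYN Timeout
Dec 09 2011 06:02:00 fw1 : %ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.9/40333 to inside:192.0.2.20/25 duration 0:00:20 bytes 0 SYN Timeout
Dec 09 2011 06:02:05 fw1 : %ASA-6-302014: Teardown TCP connection 1004 for outside:198.51.100.9/40334 to inside:192.0.2.10/443 duration 0:00:12 bytes 5120 TCP FINs
"""

# Teardown of a connection that never got past the SYN (assumed layout).
TEARDOWN = re.compile(r"%(?:ASA|FWSM)-\d-302014: Teardown TCP connection \d+ for "
                      r"\S+?:(\S+)/(\d+) to \S+?:(\S+)/(\d+) .*SYN Timeout")
# SYN ACK that arrived after the firewall had already dropped the connection.
LATE = re.compile(r"%(?:ASA|FWSM)-\d-106015: Deny TCP \(no connection\) from "
                  r"(\S+)/(\d+) to (\S+)/(\d+) flags SYN ACK")

def classify_syn_timeouts(lines):
    """Map each SYN Timeout endpoint pair to 'late_synack' or 'no_reply'."""
    late_pairs, timeouts = set(), []
    for line in lines:
        m = LATE.search(line)
        if m:
            # Direction differs between the two messages, so compare unordered pairs.
            late_pairs.add(frozenset([(m[1], m[2]), (m[3], m[4])]))
            continue
        m = TEARDOWN.search(line)
        if m:
            timeouts.append(((m[1], m[2]), (m[3], m[4])))
    result = {}
    for a, b in timeouts:
        key = f"{a[0]}/{a[1]} <-> {b[0]}/{b[1]}"
        late = frozenset([a, b]) in late_pairs
        result[key] = "late_synack" if late else "no_reply"
    return result

def summarize(lines):
    """Count how many SYN timeouts fall into each category."""
    return Counter(classify_syn_timeouts(lines).values())

if __name__ == "__main__":
    for pair, verdict in classify_syn_timeouts(SAMPLE.splitlines()).items():
        print(f"{verdict:12} {pair}")
    print(dict(summarize(SAMPLE.splitlines())))
```

Matching is by address and port only, so a reused source port within the same log window can be attributed to the wrong attempt; narrowing the input to a short time range reduces that.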