Packet drops due to TCP Sequence numbers ("tcp_seqno_too_high" or "tcp_seqno_too_low")

Frequently Asked Questions
Post Reply
Posts: 696
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Packet drops due to TCP Sequence numbers ("tcp_seqno_too_high" or "tcp_seqno_too_low")

Post by Peter » 03 Dec 2018, 13:49

This FAQ applies to:
  • cOS Core version 10+ & Stream any version

I see that the Firewall drop packets due to "tcp_seqno_too_high" or "tcp_seqno_too_low", what is the cause of this?


Problems related to TCPSequence numbers can fairly easily be determined by looking at the log message. The log message with in normal cases contain a sequence number "window" that is allowed.

Each packet has their own sequence numbers and this can be used to track the order on when packets arrive on cOS Core. cOS Core as a firewall will look for irregularities in these sequence numbers and will drop the traffic/packets if needed.

TCP Sequence numbers too high:

An example would be if we have packets sequences looking like this:

Packet Sequence 500
Packet Sequence 501
Packet Sequence 502
Packet Sequence 69818747

Then it is very strange that the last packet sequence was so different from the previous one. The acceptable range can be found in the log message. The previous example would generate a TCP SequenceToHigh message.

Log message example:
TCP_FLAG: id=03300019 event=tcp_seqno_too_high action=drop seqno=557601248 accstart=552014597 accend=552014599 rule=TCPSequenceNumbers connipproto=TCP connrecvif=G3 connsrcip= connsrcport=59292 conndestif=G6 conndestip= conndestport=443 origsent=304 termsent=0 recvif=G3 srcip= destip= ipproto=TCP ipdatalen=28 srcport=59292 destport=443 tcphdrlen=28 syn=1

In the above example, cOS Core is accepting that the next packet to be in the range 552014597 and to 552014599. So cOS Core will only accept a number difference of 2. But the client or server is sending a sequence number that is more than 5.5 million higher than the previous packet, cOS Core finds this suspicious and drops the packet.

TCP Sequence numbers too low:

An example on when you can get the TCPSequencetooLow would be if you have a packet sequence numbering order that looks like this:

Packet Sequence 500
Packet Sequence 501
Packet Sequence 502
Packet Sequence 499

Then the last packet in the above has lower number than the expected, it could be an indicator of a problem or that packets arrive in the Clavister in the wrong order.

Log message example:
TCP_FLAG: id=03300016 rev=2 event=tcp_seqno_too_low action=drop seqno=3547934071 accstart=3547938065 accend=3548002305 rule=TCPSequenceNumbers connipproto=TCP connrecvif=if2 connsrcip= connsrcport=37395 conndestif=VLAN500 conndestip= conndestport=443 origsent=268665712 termsent=2302311781 recvif=if2 srcip= destip= ipproto=TCP ipdatalen=1480 srcport=37395 destport=443 ack=1 psh=
Similar to the "too_high" log message the problem here is the opposite, cOS Core accepts a sequence number in the range of 3547938065 to 3548002305 (a total of 64 240) while the packet we received was 3994 numbers below our acceptable start range. cOS Core finds this suspicious and drops the packet.

Possible solutions:

There are three ways to solve a problem related to sequence numbers.

1. Try to examine the problematic machines, are they either doing something strange or are they going through some special router/switch that modifies the sequence numbers. Try to see if if you can narrow down what it is that is generating this strange behavior, problematic software? Network latency? Bug in the operating system? Incorrect configured router? etc.
2. If the problematic hosts are both internal hosts that you trust, you can configure/use Stateless (also known as "Forward Fast") rules for the communication between the two hosts. FwdFast rules are not state tracked so cOS Core would not care if the sequence number is in the wrong order.
3. Disable the TCPSequence check altogether. This option can be found under Advanced Settings->TCP->TCPSequenceNumbers.
3.1. Warning: this means that you disable the sequence check for the entire Firewall.

Post Reply