Overview
While connections are being established, packets are dropped and the following entry appears in the Debug logs:
[10/Jan/2020 14:30:22] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from Ethernet 1, proto:TCP, len:60, x.x.x.x:5228 -> y.y.y.y:53903, flags:[ SYN ACK ], seq:2375234096/254567627 ack:4105830169, win:62392, tcplen:0)
NOTE: The "Packets dropped for some reason" option should be enabled to observe the log entry.
This article provides information on how to resolve the log entry message mentioned above.
Information
The host on each side of a TCP session maintains a 32-bit sequence number, which it uses to keep track of how much data it has sent. This sequence number is included in each transmitted packet, and the opposite host returns it as an acknowledgment number to inform the sender that the transmitted data was received successfully.
[Diagram: Sequence & Acknowledgement Numbers]
The TCP sequence behavior is controlled through the RequireCorrectTcpSequences variable (Firewall section) in the winroute.cfg file.
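To see which interfaces, address pairs and TCP flags produce the drop entry shown in the Overview, the matching Debug log lines can be summarized first. The script below is an added example, not part of the original article or Kerio's tooling; the function names and the sample log lines (documentation addresses) are constructed for illustration and assume the field layout of the entry above.

```shell
#!/bin/sh
# Added example (not Kerio's code). Reads Kerio Control Debug log lines on
# stdin and counts "out of window" drops per interface|source|destination|flags.
# Ports are stripped so repeated attempts between the same hosts group together.
summarize_seq_drops() {
    grep -F 'TCP sequence/acknowledge numbers out of window' |
    sed -n -E 's/.*\(from ([^,]+), proto:TCP, len:[0-9]+, ([^ ]+):[0-9]+ -> ([^ ,]+):[0-9]+, flags:\[ ([^]]*) \].*/\1|\2|\3|\4/p' |
    sort | uniq -c | sort -rn |
    awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'   # count<TAB>key
}

# Constructed sample input in the format of the entry above. The last line
# carries a made-up drop reason to show that unrelated drops are ignored.
sample_debug_log() {
    cat <<'EOF'
[10/Jan/2020 14:30:22] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from Ethernet 1, proto:TCP, len:60, 198.51.100.7:5228 -> 192.0.2.10:53903, flags:[ SYN ACK ], seq:2375234096/254567627 ack:4105830169, win:62392, tcplen:0)
[10/Jan/2020 14:30:23] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from Ethernet 1, proto:TCP, len:60, 198.51.100.7:5228 -> 192.0.2.10:53903, flags:[ SYN ACK ], seq:2375234096/254567627 ack:4105830169, win:62392, tcplen:0)
[10/Jan/2020 14:30:25] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from Ethernet 1, proto:TCP, len:60, 198.51.100.7:5228 -> 192.0.2.10:53903, flags:[ SYN ACK ], seq:2375234096/254567627 ack:4105830169, win:62392, tcplen:0)
[10/Jan/2020 14:31:02] {pktdrop} packet dropped: TCP sequence/acknowledge numbers out of window (from Ethernet 2, proto:TCP, len:52, 203.0.113.5:443 -> 192.0.2.20:40112, flags:[ ACK ], seq:1000/2000 ack:3000, win:501, tcplen:0)
[10/Jan/2020 14:31:05] {pktdrop} packet dropped: constructed other reason (from Ethernet 1, proto:TCP, len:60, 198.51.100.9:80 -> 192.0.2.10:50000, flags:[ RST ], seq:1/2 ack:3, win:0, tcplen:0)
EOF
}

sample_debug_log | summarize_seq_drops
```

To use it on real data, pipe the Debug log text into `summarize_seq_drops` in place of `sample_debug_log`.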
Process
- Log in via SSH to the Kerio Control console.
- Run the following command to disable the requirement for correct TCP sequences:
/opt/kerio/winroute/tinydbclient "update Firewall set RequireCorrectTcpSequences=0"
- Restart Kerio Control:
/etc/boxinit.d/60winroute restart
You can use the grep command to check the current state of the variable.
Confirmation
A successful modification is recorded in the Config logs:
[12/Mar/2020 13:02:29] LocalPluginUserForRPC - update Firewall set RequireCorrectTcpSequences=0