Solved

SYN Timeout: Need a brief explanation

Posted on 2008-06-25
6
3,654 Views
Last Modified: 2008-06-26
I need a quick explanation of what this means.

Jun 25 11:40:40 dsgatekeeper Jun 25 2008 11:40:40: %PIX-6-302014: Teardown TCP connection 43245574 for outside:74.202.21.66/62674 to inside:in-www/80 duration 0:00:30 bytes 0 SYN Timeout

What types of things could cause this?
0
Comment
Question by:maytawn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 2

Expert Comment

by:dbanttari
ID: 21869327
That's indicating that someone asked to start a TCP connection, but never followed through.  Port scanners will commonly produce this symptom, as they'll send a lot of TCP SYN ("synchronize [sequence numbers]") packets, then never follow up on the response.

It's the TCP equivalent of getting called by a telemarketer, answering the phone, then getting nothing but dead silence.  Eventually you get frustrated ("time out") and hang up.
0
 
LVL 1

Author Comment

by:maytawn
ID: 21869379
Where are we at in the process of the handshake?  Did I send the SYN, but not get a response back?  What response am I waiting for that I do not recieve and eventuallty time-out?
0
 
LVL 2

Expert Comment

by:dbanttari
ID: 21869452
You got a SYN, sent back a SYN/ACK, but then there was no further communication.

If you get a LOT of those from the same source, that's called a SYN Flood attack.

Pretty pictures here:
http://en.wikipedia.org/wiki/SYN_flood
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 1

Author Comment

by:maytawn
ID: 21869576
OK... so the time-out is caused by not receiving an ACK.  Just to be clear... This could be caused by one of the following:
1) The SYNACK (that I sent) was never recieved.  
2) The SYNACK was received, but ignored and no ACK was sent
3) The SYNACK was recieved and an ACK was sent back, but the packet was lost in transit and sever arrived.

Correct?
0
 
LVL 2

Accepted Solution

by:
dbanttari earned 500 total points
ID: 21870483
That's correct-- however, if the ACK was sent back but lost due to packet loss, then a properly functioning host would resend the ACK several times, and one of them would most likely have gotten through.
0
 
LVL 2

Expert Comment

by:dbanttari
ID: 21876680
Oh-- one last note:  If a properly functioning host had decided not to follow through on the connection-open SYN request, it would have responded with a RST packet when it received your SYN/ACK packet.  That would not have produced the timeout message.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question