Solved

Sonicwall "TCP handshake violation detected; TCP connection dropped"

Posted on 2013-11-07
3
17,185 Views
Last Modified: 2014-01-03
We manage a company that has a Sonicwall 2400 with 3 HP switches. We have various nodes that get "disconnected" from the Internet. I believe out of 100 nodes, only about 7 are having these issues. When we look at the logs on the Sonicwall it says:

TCP handshake violation detected; TCP connection dropped - Handshake Timeout

Here are the steps we have taken so far:

1) Rebooted firewall
2) Updated firmware on firewall
3) Rebooted master switch
4) Changed Default TCP Handshake Timeout from 30 seconds to 5 min
5) Changed Default TCP Connection time from 5 min to 30 min
6) Changed SYN flood protection from Always Proxy WAN to Watch and Report Possible Flood

Other Symptoms:

The client could connect to httpS://www.google.com and could ping google.com, but the web page for http://www.google.com would load. She also had a solid VPN connection going.

Even after all of the above, we are still getting "Handshake violation, TCP dropped" issues.

Any ideas? I'm at my wit's end...

Alski
0
Comment
Question by:Alski
3 Comments
 
LVL 25

Accepted Solution

by:
Diverse IT earned 500 total points
ID: 39631191
Hi Alski,

What is the SonicOS firmware version? You should upgrade, if not already, to the latest release.
Have you performed any hardening on the security appliance?
What type of WAN connection is being used?

Log in to the SonicWALL and go to Firewall Settings > Flood Protection, then match the following settings:
Under TCP Settings
• Enforce strict TCP compliance with RFC 793 and RFC 1122: Uncheck
• Enable TCP handshake enforcement: Uncheck
• Enable TCP checksum enforcement: Uncheck
• Enable TCP handshake timeout: Uncheck
• Default TCP Handshake Timeout: 30 seconds (default) to 5 minutes
• Default TCP Connection time: 15 minutes (default) to 30 minutes
Under Layer 3 SYN Flood Protection - SYN Proxy
• SYN Flood Protection Mode: select Watch and report possible SYN floods (keep this as you have indicated)
Then re-test with new connections (terminating the old ones by closing the browsers).

If that still fails to resolve, follow below:
Increase the Inactivity timeout of the rules on the SonicWALL.
VPN tunnels: You may need to increase activity timeout on the LAN to VPN as well as the VPN to LAN rule to avoid timeout conditions.
Make sure the upstream device, source and destination computers connecting to each other do not have latency.

I'd assume you have Stealth Mode enabled? If you don't (you should), are you seeing TCP RSTs thereafter? You could be seeing these sent in response to a violation of TCP handshake enforcement (e.g. where an invalid flag is received during the 3-way TCP handshake).

I'd also test with disabling all Security Services (if licensed, like CGSS) from ALL Zones (Network > Zones, click the configure icon and remove all applicable services). Then re-test.

Let me know how it goes and please answer the above questions in the interim.
Thanks!
0
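Before widening the handshake and connection timeouts (which the expert above notes is not a root-cause fix), it helps to know which of the ~100 nodes are actually producing the "TCP handshake violation detected" drops and for what reason. The following Python is an added example, not code from the thread or from SonicWall: it parses syslog lines in a SonicWall-style key=value layout (the exact field layout and the sample lines are constructed assumptions) and tallies drops per source host and per violation reason.

```python
import re
from collections import Counter

# Constructed sample lines (not real firewall output) in an assumed
# SonicWall-style key=value syslog layout. Only msg, src and note are used.
SAMPLE_LOG = """\
id=firewall time="2013-11-07 09:01:12" fw=203.0.113.2 pri=1 msg="TCP handshake violation detected; TCP connection dropped" src=10.10.1.21:51432:X0 dst=93.184.216.34:80:X1 proto=tcp/http note="Handshake Timeout"
id=firewall time="2013-11-07 09:01:15" fw=203.0.113.2 pri=1 msg="TCP handshake violation detected; TCP connection dropped" src=10.10.1.21:51433:X0 dst=93.184.216.34:80:X1 proto=tcp/http note="Handshake Timeout"
id=firewall time="2013-11-07 09:02:40" fw=203.0.113.2 pri=6 msg="Connection Opened" src=10.10.1.30:49211:X0 dst=93.184.216.34:443:X1 proto=tcp/https
id=firewall time="2013-11-07 09:03:02" fw=203.0.113.2 pri=1 msg="TCP handshake violation detected; TCP connection dropped" src=10.10.1.57:50001:X0 dst=198.51.100.9:80:X1 proto=tcp/http note="Invalid flag"
id=firewall time="2013-11-07 09:03:09" fw=203.0.113.2 pri=1 msg="TCP handshake violation detected; TCP connection dropped" src=10.10.1.21:51440:X0 dst=198.51.100.9:80:X1 proto=tcp/http note="Handshake Timeout"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DROP_PREFIX = "TCP handshake violation detected"


def parse_line(line):
    """Return the line's fields as a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def src_ip(fields):
    """src looks like ip:port:interface; keep only the ip."""
    return fields.get("src", "").split(":")[0]


def summarize(log_text):
    """Count handshake-violation drops per source host and per reason (note)."""
    per_host, per_reason = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f.get("msg", "").startswith(DROP_PREFIX):
            continue
        per_host[src_ip(f)] += 1
        per_reason[f.get("note", "unspecified")] += 1
    return per_host, per_reason


def affected_share(log_text):
    """(hosts with at least one drop, distinct hosts seen) to judge how localized the problem is."""
    all_hosts = {src_ip(parse_line(l)) for l in log_text.splitlines() if l.strip()}
    dropped_hosts, _ = summarize(log_text)
    return len(dropped_hosts), len(all_hosts)


def noisy_hosts(per_host, threshold=2):
    """Hosts at or above the drop threshold, sorted so the output is stable."""
    return sorted(ip for ip, n in per_host.items() if n >= threshold)


if __name__ == "__main__":
    hosts, reasons = summarize(SAMPLE_LOG)
    print("drops per host:", dict(hosts))
    print("drops per reason:", dict(reasons))
    print("affected/total hosts:", affected_share(SAMPLE_LOG))
    print("hosts to investigate first:", noisy_hosts(hosts))
```

A reason breakdown dominated by "Handshake Timeout" on a few hosts points at latency or a path problem for those nodes rather than at the firewall's enforcement settings, which is the ISP or upstream question raised later in the thread.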
 

Author Comment

by:Alski
ID: 39634727
I extended the handshake timeout from 30 seconds to 5 minutes, as well as the connection timeout from 5 min to 30 minutes; so far so good. If it becomes a problem again, I will check back in. Don't know why this happened all of a sudden. Fingers crossed, as I am on vacation next week!

Thanks for your help!
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39634804
The fact that you have to extend the timeouts from the default makes me suspect that something else is going on, as I indicated in my previous post (http:#a39631191). I'd check with your ISP... they might be the source of the issue.

Basically it's not a root-cause fix, and for that reason I'm concerned. I hope it holds for you while on vacation though!
0
