Sonicwall "TCP handshake violation detected; TCP connection dropped"

Posted on 2013-11-07
Last Modified: 2014-01-03
We manage a company that has a Sonicwall 2400 with 3 HP switches. We have various nodes that get "disconnected" from the Internet. I believe out of 100 nodes, only about 7 are having these issues. When we look at the logs on the Sonicwall it says:

TCP handshake violation detected; TCP connection dropped - Handshake Timeout

Here are the steps we have taken so far:

1) Rebooted Firewall
2) Updated Firmware on Firewall
3) Rebooted Master Switch
4) Changed Default TCP Handshake Timeout from 30 seconds to 5 min
5) Changed Default TCP Connection time from 5 min to 30 min
6) Changed SYN flood from Always Proxy WAN to Watch and Report Possible Flood

Other Symptoms:

Client could connect to httpS://www.google.com and could ping google.com, but the web page for http://www.google.com would load. She also had a solid VPN connection going.

Even after the above mentioned, still getting issues with "Handshake violation, TCP dropped".

Any ideas? I'm at my wits' end....

Alski
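The log line quoted in the question is what the SonicWall writes once per dropped handshake, so the quickest way to see which of the 100 nodes are actually affected is to aggregate those events per source host. The script below is an added example, not code from the thread or from SonicWALL: it parses SonicOS-style key=value syslog lines, keeps only the handshake-violation drops and counts them by source host, destination port and reason. The sample lines are constructed; the serial number, addresses, m= values and the note= field carrying the drop reason are assumptions about the layout, not copied from a real export.

```python
"""Triage SonicWall 'TCP handshake violation' events from a syslog export.

Added example (not from the original thread or SonicWALL). Parses the
SonicOS key=value syslog layout, keeps only the handshake-violation drops
and aggregates them per source host, destination port and reason so the
handful of affected nodes stands out. SAMPLE_LOG is constructed: the
serial, IPs, m= values and the note= reason field are all assumptions.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
id=firewall sn=0017C5000001 time="2013-11-07 09:12:03" fw=203.0.113.10 pri=6 c=262144 m=1387 msg="TCP handshake violation detected; TCP connection dropped" n=1021 src=192.168.1.37:51822:X0 dst=198.51.100.20:80:X1 note="Handshake Timeout"
id=firewall sn=0017C5000001 time="2013-11-07 09:12:09" fw=203.0.113.10 pri=6 c=1024 m=98 msg="Connection Opened" n=55710 src=192.168.1.40:49211:X0 dst=198.51.100.20:443:X1 proto=tcp/https
id=firewall sn=0017C5000001 time="2013-11-07 09:12:31" fw=203.0.113.10 pri=6 c=262144 m=1387 msg="TCP handshake violation detected; TCP connection dropped" n=1022 src=192.168.1.37:51830:X0 dst=198.51.100.20:80:X1 note="Handshake Timeout"
id=firewall sn=0017C5000001 time="2013-11-07 09:13:02" fw=203.0.113.10 pri=6 c=262144 m=1387 msg="TCP handshake violation detected; TCP connection dropped" n=1023 src=192.168.1.52:60012:X0 dst=192.0.2.77:80:X1 note="Handshake Timeout"
id=firewall sn=0017C5000001 time="2013-11-07 09:13:40" fw=203.0.113.10 pri=6 c=262144 m=1387 msg="TCP handshake violation detected; TCP connection dropped" n=1024 src=192.168.1.37:51844:X0 dst=192.0.2.77:80:X1 note="Invalid flag"
"""

# key=value pairs; values are either "quoted, may contain spaces" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# SonicOS endpoints look like ip:port:interface, e.g. 192.168.1.37:51822:X0
ENDPOINT_RE = re.compile(r'^([\d.]+):(\d+)(?::(\w+))?$')


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def split_endpoint(value):
    """'192.168.1.37:51822:X0' -> ('192.168.1.37', 51822, 'X0')."""
    m = ENDPOINT_RE.match(value or '')
    if not m:
        return None, None, None
    ip, port, iface = m.groups()
    return ip, int(port), iface


def handshake_drops(log_text):
    """Records for the handshake-violation events only, endpoints split out."""
    out = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if 'TCP handshake violation' not in f.get('msg', ''):
            continue  # unrelated event (connection opened, web access, ...)
        src_ip, src_port, src_if = split_endpoint(f.get('src'))
        dst_ip, dst_port, dst_if = split_endpoint(f.get('dst'))
        out.append({'time': f.get('time'), 'src_ip': src_ip, 'src_port': src_port,
                    'src_if': src_if, 'dst_ip': dst_ip, 'dst_port': dst_port,
                    'dst_if': dst_if, 'reason': f.get('note', '')})
    return out


def summarize(records):
    """Drop counts per source host, destination port and stated reason."""
    return {
        'by_src': Counter(r['src_ip'] for r in records),
        'by_dst_port': Counter(r['dst_port'] for r in records),
        'by_reason': Counter(r['reason'] for r in records),
    }


if __name__ == '__main__':
    summary = summarize(handshake_drops(SAMPLE_LOG))
    print('drops per source host :', dict(summary['by_src']))
    print('drops per dst port    :', dict(summary['by_dst_port']))
    print('drops per reason      :', dict(summary['by_reason']))
```

Run it against a real export (the firewall's syslog or the exported Log > View table) to see whether the drops cluster on a few source hosts, as in this thread, or on a destination or port, which would point at the path to that destination rather than at the clients.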
Accepted Solution

by: Diverse IT
ID: 39631191
Hi Alski,

What is the SonicOS firmware version? You should upgrade, if not already, to the latest release.
Have you performed any hardening on the security appliance?
What type of WAN connection is being used?

Log in to the SonicWALL and go to Firewall Settings > Flood Protection, then match the following settings:
Under TCP Settings:
• Enforce strict TCP compliance with RFC 793 and RFC 1122: Uncheck
• Enable TCP handshake enforcement: Uncheck
• Enable TCP checksum enforcement: Uncheck
• Enable TCP handshake timeout: Uncheck
• Default TCP Handshake Timeout: 30 seconds (default) to 5 minutes
• Default TCP Connection time: 15 minutes (default) to 30 minutes
Under Layer 3 SYN Flood Protection - SYN Proxy:
• SYN Flood Protection Mode: select Watch and report possible SYN floods (keep this as you have indicated)
Then re-test with new connections (terminating the old ones by closing the browsers).

If that still fails to resolve, follow below:
Increase the Inactivity timeout of the rules on the SonicWALL.
VPN tunnels: You may need to increase activity timeout on the LAN to VPN as well as the VPN to LAN rule to avoid timeout conditions.
Make sure the upstream device, source and destination computers connecting to each other do not have latency.

I'd assume you have Stealth Mode enabled? If you don't (you should), are you seeing TCP RST thereafter? You could be seeing these sent in response to a violation of TCP Handshake enforcement (e.g. where an invalid flag is received during the 3 way TCP handshaking process).

I'd also test with disabling all Security Services (if licensed, like CGSS) from ALL Zones (Network > Zones, click the configure icon and remove all applicable services). Then re-test.

Let me know how it goes and please answer the above questions in the interim.
Thanks!
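The re-test the answer asks for, and its question about whether TCP RSTs follow the drops, come down to telling three handshake outcomes apart from the affected client: a completed handshake, an explicit RST (the connect is refused immediately), and a silent drop where no SYN/ACK ever arrives and connect() only fails when its timer expires. The script below is an added example, not code from the thread or from SonicWALL; it probes a host on several ports, classifies each attempt and records how long it took, so the "HTTPS works but HTTP does not" symptom from the question can be reproduced from the command line. The loopback listener and the deliberately closed port exist only so it runs offline; in real use you point it at the destinations the affected node fails to reach.

```python
"""Re-test TCP handshakes from an affected client and classify each result.

Added example, not from the thread or from SonicWALL. Distinguishes a
completed handshake ('ok'), an explicit RST ('rst', connection refused)
and a silent drop ('timeout', no SYN/ACK before the timer expires), which
is what a firewall enforcing a handshake timeout looks like from the
client. The loopback listener and the closed port are constructed so the
example can run offline.
"""
import socket
import time


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP handshake and report how it ended.

    outcome is one of:
      'ok'       SYN/ACK received and connect() completed
      'rst'      the peer, or a device in the path, answered the SYN with RST
      'timeout'  no SYN/ACK within `timeout` seconds (silent drop)
      'error'    any other socket error, e.g. no route to host
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    started = time.monotonic()
    try:
        sock.connect((host, port))
        outcome, detail = 'ok', ''
    except ConnectionRefusedError:
        outcome, detail = 'rst', 'connection refused'
    except socket.timeout:
        outcome, detail = 'timeout', 'no SYN/ACK in %.1fs' % timeout
    except OSError as exc:
        outcome, detail = 'error', str(exc)
    finally:
        elapsed_ms = (time.monotonic() - started) * 1000.0
        sock.close()
    return {'host': host, 'port': port, 'outcome': outcome,
            'detail': detail, 'elapsed_ms': round(elapsed_ms, 1)}


def compare_ports(host, ports=(80, 443), timeout=3.0):
    """Probe several ports on one host (default: HTTP and HTTPS) and flag
    whether the outcomes differ, as they did for the client in the question."""
    results = [probe_tcp(host, p, timeout) for p in ports]
    outcomes = {r['outcome'] for r in results}
    return {'host': host, 'results': results, 'consistent': len(outcomes) == 1}


def start_local_listener():
    """Loopback listener, used only so the example can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(('127.0.0.1', 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Pick a loopback port nothing listens on, so the probe gets a RST."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(('127.0.0.1', 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == '__main__':
    srv, open_port = start_local_listener()
    try:
        report = compare_ports('127.0.0.1', (open_port, reserve_closed_port()), 2.0)
        for r in report['results']:
            print('%(host)s:%(port)-5d %(outcome)-8s %(elapsed_ms)7.1f ms  %(detail)s' % r)
        print('outcomes consistent across ports:', report['consistent'])
    finally:
        srv.close()
```

Run it from one of the affected nodes and from an unaffected one against the same destination: a 'timeout' on the affected node alone, with the firewall logging the handshake drop at the same moment, localises the problem to that node's traffic through the firewall; a 'timeout' on both points upstream, which is where the answer's second comment suspects the cause lies.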
Author Comment

by: Alski
ID: 39634727
I extended the handshake timeout from 30 seconds to 5 minutes, as well as the connection time from 5 min to 30 minutes; so far so good. If it becomes a problem again, I will check back in. Don't know why this happened all of a sudden. Fingers crossed, as I am on vacation next week!

Thanks for your help!

Expert Comment

by: Diverse IT
ID: 39634804
The fact that you have to extend the timeouts from the default is suspect; it suggests that something else is going on, as I indicated in my previous post (http:#a39631191). I'd check with your ISP...they might be the source of the issue.

Basically it's not a root-cause fix, and for that reason I'm concerned. I hope it holds for you while on vacation though!