Solved

Sonicwall "TCP handshake violation detected; TCP connection dropped"

Posted on 2013-11-07
Last Modified: 2014-01-03
We manage a company that has a Sonicwall 2400 with 3 HP switches. We have various nodes that get "disconnected" from the Internet. I believe out of 100 nodes, only about 7 are having these issues. When we look at the logs on the Sonicwall it says:

TCP handshake violation detected; TCP connection dropped - Handshake Timeout

Here are the steps we have taken so far:

1) Rebooted Firewall
2) Updated Firmware on Firewall
3) Rebooted Master Switch
4) Changed Default TCP Handshake Timeout from 30 seconds to 5 min
5) Changed Default TCP Connection time from 5 Min to 30 min
6) Changed Syn flood from Always Proxy WAN to Watch and Report Possible Flood

Other Symptoms:

Client could connect to httpS://www.google.com and could ping google.com but web page for http://www.google.com would load. She also had a solid VPN connection going.

Even after the above mentioned, still getting issues with "Handshake violation, TCP dropped".

Any ideas? I'm at my wits' end...

Alski
Question by: Alski

LVL 24

Accepted Solution
by: diverseit (earned 500 total points)
ID: 39631191
Hi Alski,

What is the SonicOS firmware version? You should upgrade, if not already, to the latest release.
Have you performed any hardening on the security appliance?
What type of WAN connection is being used?

Login to the SonicWALL and go to Firewall Settings > Flood Protection, then match the following settings:
Under TCP Settings:
• Enforce strict TCP compliance with RFC 793 and RFC 1122: Uncheck
• Enable TCP handshake enforcement: Uncheck
• Enable TCP checksum enforcement: Uncheck
• Enable TCP handshake timeout: Uncheck
• Default TCP Handshake Timeout: 30 seconds (default) to 5 minutes
• Default TCP Connection time: 15 minutes (default) to 30 minutes
Under Layer 3 SYN Flood Protection - SYN Proxy:
• SYN Flood Protection Mode: select Watch and report possible SYN floods (keep this as you have indicated)
Then re-test with new connections (terminating the old ones by closing the browsers).

If that still fails to resolve, follow below:
Increase the Inactivity timeout of the rules on the SonicWALL.
VPN tunnels: You may need to increase activity timeout on the LAN to VPN as well as the VPN to LAN rule to avoid timeout conditions.
Make sure the upstream device, source and destination computers connecting to each other do not have latency.

I'd assume you have Stealth Mode enabled? If you don't (you should), are you seeing TCP RSTs thereafter? You could be seeing these sent in response to a violation of TCP Handshake enforcement (e.g. where an invalid flag is received during the 3-way TCP handshaking process).

I'd also test with disabling all Security Services (if licensed, like CGSS) from ALL Zones (Network > Zones, click the configure icon and remove all applicable services). Then re-test.

Let me know how it goes and please answer the above questions in the interim.
Thanks!
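To make the two drop reasons discussed in this answer concrete (a handshake that never completes within the timeout, and an unexpected flag during the 3-way handshake), here is an added example. It is not SonicWall code and not from the thread: a small Python model of stateful TCP handshake enforcement that tracks each new flow through SYN, SYN-ACK and ACK and records why a packet was dropped. The addresses (RFC 5737 documentation ranges), timings, the 30-second default and the reason strings are constructed sample values, and the state machine is a deliberate simplification of what the appliance actually does.

```python
"""Toy model of a firewall's TCP handshake enforcement (added example).

Flows start with a SYN and must reach ESTABLISHED within handshake_timeout
seconds; a packet whose flags do not fit the current handshake state is
dropped as an invalid flag, and half-open flows that outlive the timeout
are dropped as a handshake timeout. Sample values are constructed.
"""
from dataclasses import dataclass

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

HANDSHAKE_TIMEOUT_DEFAULT = 30.0  # seconds; the default the thread refers to


@dataclass
class Packet:
    ts: float      # arrival time in seconds
    src: str       # "ip:port"
    dst: str       # "ip:port"
    flags: int     # TCP flag bits


@dataclass
class Flow:
    initiator: str          # side that sent the first SYN
    started: float          # time of that SYN
    state: str = "SYN_SENT"  # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED


class HandshakeEnforcer:
    def __init__(self, handshake_timeout=HANDSHAKE_TIMEOUT_DEFAULT):
        self.timeout = handshake_timeout
        self.flows = {}     # frozenset({src, dst}) -> Flow
        self.events = []    # (ts, src, dst, reason) for every drop

    @staticmethod
    def _key(pkt):
        return frozenset((pkt.src, pkt.dst))  # same key in both directions

    def _drop(self, pkt, reason):
        self.events.append((pkt.ts, pkt.src, pkt.dst, reason))
        return "dropped"

    def process(self, pkt):
        key = self._key(pkt)
        flow = self.flows.get(key)
        if flow is None:
            if pkt.flags == SYN:
                self.flows[key] = Flow(initiator=pkt.src, started=pkt.ts)
                return "allowed"
            # mid-stream packet with no tracked SYN
            return self._drop(pkt, "No handshake")
        if flow.state == "ESTABLISHED":
            if pkt.flags & (RST | FIN):
                del self.flows[key]     # connection teardown, stop tracking
            return "allowed"
        if pkt.ts - flow.started > self.timeout:
            # handshake still incomplete when the next packet shows up
            del self.flows[key]
            return self._drop(pkt, "Handshake Timeout")
        if pkt.flags & RST:
            del self.flows[key]         # either side aborting the handshake
            return "allowed"
        from_initiator = pkt.src == flow.initiator
        if flow.state == "SYN_SENT":
            if from_initiator and pkt.flags == SYN:
                return "allowed"        # SYN retransmit
            if not from_initiator and pkt.flags == SYN | ACK:
                flow.state = "SYN_RECEIVED"
                return "allowed"
        elif flow.state == "SYN_RECEIVED":
            if from_initiator and pkt.flags & ACK and not pkt.flags & SYN:
                flow.state = "ESTABLISHED"
                return "allowed"
            if not from_initiator and pkt.flags == SYN | ACK:
                return "allowed"        # SYN-ACK retransmit
        # any other flag combination does not belong in the handshake
        del self.flows[key]
        return self._drop(pkt, "Invalid flag")

    def expire(self, now):
        """Timer sweep: drop half-open flows older than the timeout. Returns count."""
        expired = 0
        for key, flow in list(self.flows.items()):
            if flow.state != "ESTABLISHED" and now - flow.started > self.timeout:
                peer = next(iter(key - {flow.initiator}))
                del self.flows[key]
                self.events.append((now, flow.initiator, peer, "Handshake Timeout"))
                expired += 1
        return expired


def simulate(server_delay, handshake_timeout=HANDSHAKE_TIMEOUT_DEFAULT):
    """Constructed scenario: client SYN at t=0, SYN-ACK arrives server_delay
    seconds later, client ACKs at once and then sends data."""
    client, server = "192.0.2.10:51000", "198.51.100.5:80"
    pkts = [
        Packet(0.0, client, server, SYN),
        Packet(server_delay, server, client, SYN | ACK),
        Packet(server_delay + 0.01, client, server, ACK),
        Packet(server_delay + 0.02, client, server, PSH | ACK),
    ]
    fw = HandshakeEnforcer(handshake_timeout)
    verdicts = [fw.process(p) for p in pkts]
    return verdicts, [e[3] for e in fw.events]


def invalid_flag_case():
    """Constructed scenario: the server answers a SYN with a bare ACK."""
    client, server = "192.0.2.11:51001", "198.51.100.5:80"
    fw = HandshakeEnforcer()
    fw.process(Packet(0.0, client, server, SYN))
    fw.process(Packet(0.05, server, client, ACK))
    return [e[3] for e in fw.events]


if __name__ == "__main__":
    print("slow SYN-ACK, 30 s timeout :", simulate(45.0))
    print("slow SYN-ACK, 300 s timeout:", simulate(45.0, 300.0))
    print("fast SYN-ACK, 30 s timeout :", simulate(0.05))
    print("bare ACK in SYN_SENT       :", invalid_flag_case())
```

Running `simulate(45.0)` against the 30-second default yields one "Handshake Timeout" followed by "No handshake" drops for the rest of the flow, while `simulate(45.0, 300.0)` lets the same exchange through, which is the effect of the 5-minute setting the question arrived at. That illustrates the expert's point: a longer handshake timeout tolerates a SYN-ACK that takes tens of seconds to come back, but it does not explain why the reply is that late, and it keeps half-open entries alive longer, which is exactly the resource that SYN flood protection exists to bound.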

Author Comment
by: Alski
ID: 39634727
I extended the Handshake from 30 seconds to 5 minutes, as well as the timeout from 5 min to 30 minutes, so far so good. If it becomes a problem again, I will check back in. Don't know why this happened all of a sudden. Fingers crossed as I am on vacation next week!

Thanks for your help!
LVL 24

Expert Comment
by: diverseit
ID: 39634804
The fact that you have to extend the timeouts from the default is suspicious; it suggests that something else is going on, as I indicated in my previous post (http:#a39631191). I'd check with your ISP... they might be at the source of the issue.

Basically it's not a root-cause fix, and for that reason I'm concerned. I hope it holds for you while on vacation though!