Firewall blocking traffic TCP:PA

  • I have some issues with traffic being blocked. It is listed in the system logs (firewall) as proto TCP:PA.
    I have read about this and that it helps changing the firewall optimization to "conservative", but it still blocks that traffic. I have also added rules that explicitly should let traffic from that device through.

    This traffic is TCP Ping (used for keep-alive between two devices) where a TCP packet packet is sent from one device with PSH/ACK where the other device is supposed to answer with ACK.

    Any ideas on how I can get this traffic through?

  • Can either side initiate the connection or is it one direction all the time? If it is bi-directional, then you will need to create a WAN rule and a LAN rule for traffic originating on the same side. On the WAN, you will probably also need to create a NAT rule unless it is in the WAN subnet.

    In the advanced section, there is a place to allow or disallow certain TCP flags. Perhaps you can utilize that.

  • Hi, thanks.

    It can be bi-directional. I have created a rule for the LAN-WAN communication and also a NAT-rule for the WAN-LAN communication (with auto-generated FW rule).
    I see that the packets have "IP Options" set (NOP), so I might need to check the box (Enable) beside the text "This allows packets with IP options to pass" in the advanced section?

  • Most likely. But you should only do that for the rule that passes this traffic. If you have a default allow rule, add one above it to handle only this traffic. You don't want that on all traffic.

  • Odd way to do a TCP ping, that will fail on every worthwhile firewall. Not an active connection and not a SYN, every firewall will block that. Should send a SYN only as a TCP ping, get a SYN ACK in response, and RST that. Basically what hping does on a TCP ping.

    You can loosen up the acceptable TCP flags on a per-rule basis, but I'd be very specific on the rule where you do so. And keep in mind if any other firewalls are introduced at any point in between, they're going to block that too. If you can fix the TCP ping to be a proper TCP ping (SYN, SYN ACK, RST), that's a much more desirable solution.

  • LAYER 8 Global Moderator

    Curious – what devices are they that do that?  Are they really designed to be on the same segment.  I would think any stateful firewall would block that by default.

  • Thanks.

    It's a Satellite modem and antenna controller using the OpenAMIP protocol. I managed to get the traffic through after adjusting the tcp flag options, allowing "any" flag to be set.
    The initial communication establishment seems to be a standard SYN/SYN ACK sequence.

Log in to reply