
IPFilter drops first syn packet while closed session entry is being left in its state table (Doc ID 1106085.1)

Last updated on APRIL 24, 2020

Applies to:

Solaris Operating System - Version 8.0 and later
Oracle Solaris on SPARC (64-bit)
Oracle Solaris on x86-64 (64-bit)
This is by design in ipfilter: ipfilter keeps the TCP state entry for a short period after the last ACK of a closed session.

With the ipfilter patch Oracle Solaris patches 141505-09/141506-09 (the actual change was in 141020-03), the timeout value is derived from the tunable parameter fr_tcplastack. Within this timeout period, a new SYN packet is dropped if it is part of the old TCP session.
The entry for the old session is flushed by this new SYN packet, and the second (retransmitted) SYN packet is passed as a new session. Typically this causes only about a three-second delay for the new session. The issue occurs only when the source port and destination port of the new session are the same as those of the previous session.


Consider the following filter rules on host With these rules, this host allows TCP connections from only when the target port is 443.

pass in log quick on ce0 proto tcp from to port = 443 keep state
block in log quick on ce0 from to

Once the session is established and then closed, the state entry remains in the table, as shown below in the 'ipf -tC' output.

Source IP       Destination IP   ST    PR    #pkts   #bytes   ttl
,12345          ,443             8/8   tcp   5       220      1:51

This lasts 120 seconds by default. During that period, if another SYN packet comes from with the same source and destination ports, the first SYN packet is dropped by ipfilter.

ipmon[xxx]: [ID 702911 local0.warning] 08:54:45.563763 ce0 @0:3 b,12345 ->,443 PR tcp len 20 52 -S IN

ipmon[xxx]: [ID 702911 local0.notice] 08:54:48.950478 ce0 @0:1 p,12345 ->,443 PR tcp len 20 52 -S K-S IN
ipmon[xxx]: [ID 702911 local0.notice] 08:54:48.959985 ce0 @0:1 p,443 ->,12345 PR tcp len 20 52 -AS K-S OUT
ipmon[xxx]: [ID 702911 local0.notice] 08:54:48.960137 ce0 @0:1 p,12345 ->,443 PR tcp len 20 40 -A K-S IN

The retransmitted second SYN packet (about three seconds later) is then accepted and creates the new state entry.
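The ipmon output above is the evidence an administrator has for this condition: a blocked pure SYN followed a few seconds later by a passed SYN with the same source/destination addresses and ports. The following script is an added example, not part of this note, that parses ipmon lines in that format and reports exactly that pattern so the symptom can be confirmed from logs rather than by guesswork. The log lines embedded in it are constructed for the example: the addresses are RFC 5737 documentation addresses, and the ports, rule numbers and timestamps mirror those shown above. The ten-second retry window is an assumed value; a SYN retransmit on Solaris normally arrives within a few seconds.

```python
import re
from datetime import datetime

# Constructed sample ipmon(1M) lines (not from the original note). The first
# four reproduce the drop-then-pass sequence described above; the last one is
# an ordinary policy block with no retry, which the detector must not report.
SAMPLE_LOG = """\
ipmon[123]: [ID 702911 local0.warning] 08:54:45.563763 ce0 @0:3 b 192.0.2.10,12345 -> 198.51.100.5,443 PR tcp len 20 52 -S IN
ipmon[123]: [ID 702911 local0.notice] 08:54:48.950478 ce0 @0:1 p 192.0.2.10,12345 -> 198.51.100.5,443 PR tcp len 20 52 -S K-S IN
ipmon[123]: [ID 702911 local0.notice] 08:54:48.959985 ce0 @0:1 p 198.51.100.5,443 -> 192.0.2.10,12345 PR tcp len 20 52 -AS K-S OUT
ipmon[123]: [ID 702911 local0.notice] 08:54:48.960137 ce0 @0:1 p 192.0.2.10,12345 -> 198.51.100.5,443 PR tcp len 20 40 -A K-S IN
ipmon[123]: [ID 702911 local0.warning] 09:10:02.100000 ce0 @0:3 b 192.0.2.77,40000 -> 198.51.100.5,22 PR tcp len 20 52 -S IN
"""

# Fields of one ipmon line: timestamp, interface, rule id, action
# (b = blocked, p = passed), src,sport -> dst,dport, protocol, header and
# total length, TCP flags, then optional "K-S" (state kept) and direction.
IPMON_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{6}) (?P<iface>\S+) @(?P<rule>\S+) "
    r"(?P<action>[bp]) (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ (?P<flags>-[A-Z]*)(?P<rest>.*)"
)


def parse_ipmon_line(line):
    """Return the parsed fields of one ipmon line, or None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S.%f")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["keep_state"] = "K-S" in rec.pop("rest")
    return rec


def is_pure_syn(rec):
    """SYN set and ACK clear: the opening packet of a new TCP session."""
    return rec["proto"] == "tcp" and "S" in rec["flags"] and "A" not in rec["flags"]


def find_stale_state_syn_drops(log_text, window_s=10.0):
    """Report each blocked pure SYN that is followed within window_s seconds by a
    passed pure SYN with the same 4-tuple. That sequence is the signature of a
    new session hitting a not-yet-expired state entry of the previous session
    and succeeding only on the client's retransmitted SYN. Blocked SYNs that
    are never retried are ordinary policy blocks and are not reported."""
    pending = {}   # 4-tuple -> (time, rule) of the most recent blocked SYN
    findings = []
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec is None or not is_pure_syn(rec):
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["action"] == "b":
            pending[key] = (rec["time"], rec["rule"])
        elif key in pending:
            blocked_at, blocked_rule = pending.pop(key)
            delay = (rec["time"] - blocked_at).total_seconds()
            if 0 <= delay <= window_s:
                findings.append({
                    "tuple": key,
                    "retry_delay_s": delay,
                    "blocked_by_rule": blocked_rule,
                    "passed_by_rule": rec["rule"],
                })
    return findings


if __name__ == "__main__":
    for f in find_stale_state_syn_drops(SAMPLE_LOG):
        src, sport, dst, dport = f["tuple"]
        print(f"{src},{sport} -> {dst},{dport}: first SYN blocked by @{f['blocked_by_rule']}, "
              f"retry passed by @{f['passed_by_rule']} after {f['retry_delay_s']:.3f}s")
```

Feed it real ipmon output (for example the local0 syslog facility ipmon writes to) and a non-empty result with a retry delay of a few seconds, always on the same 4-tuple as a recently closed session, is consistent with the post-close state entry described in this note rather than with a filter rule misconfiguration.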


tcp_time_wait_interval set to less than 60000 (default value of 1 minute)

# ndd /dev/tcp tcp_time_wait_interval


