Problem

If the SYN flag in a packet is not turned on, Versa FlexVNF rejects the first packet of a TCP connection.


Description

FlexVNF devices reject the first packet of a TCP connection if it does not have the SYN flag turned on. This behavior is a security measure based on how TCP connections begin: a normal TCP connection starts with a three-way handshake, so if the first packet that the FlexVNF sees on a connection is not the SYN packet, the FlexVNF assumes that the packet is not valid and discards it. In some situations, such as asymmetric routing, you might want FlexVNF devices to accept the first packet of a TCP connection even when the SYN flag is not turned on.


Solution

You can use Versa Director to modify the setting per zone:

  1. In Director view, select the Configuration tab in the top menu bar.
  2. Select the FlexVNF device. The view changes to Appliance view.
  3. Select the Configuration tab in the top menu.
  4. Select Others > Configuration > Configuration in the left menu bar.
  5. In the Session box, click the Edit icon. The Edit Sessions popup window displays.
  6. To reject the packet if the first packet for the TCP session setup is not a SYN packet, click Check TCP SYN. To allow the packet, ensure that the option is not selected.
  7. Click OK.
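The following is an added illustration, not Versa code: a minimal session tracker that models the Check TCP SYN rule so you can see why an asymmetrically routed flow is dropped when the option is on and accepted when it is off. The packet tuples, addresses and flag constants are constructed for the example.

```python
# Added example: models the "Check TCP SYN" first-packet rule described above.
# Constructed data only; this is not FlexVNF code.
SYN, ACK = 0x02, 0x10  # TCP flag bits


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both directions of a flow map to one session."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def filter_packets(packets, check_tcp_syn=True):
    """Return a (verdict, reason) pair for each packet in order.

    packets: iterable of (src, sport, dst, dport, flags).
    With check_tcp_syn=True, a packet that matches no known session is
    accepted only if it is a pure SYN (SYN set, ACK clear); anything else
    is dropped and no session state is created, so later packets of that
    flow are dropped too. With check_tcp_syn=False, any first packet opens
    the session (the asymmetric-routing setting).
    """
    sessions = set()
    verdicts = []
    for src, sport, dst, dport, flags in packets:
        key = flow_key(src, sport, dst, dport)
        if key in sessions:
            verdicts.append(("accept", "existing session"))
            continue
        pure_syn = bool(flags & SYN) and not (flags & ACK)
        if pure_syn or not check_tcp_syn:
            sessions.add(key)
            verdicts.append(("accept", "new session"))
        else:
            verdicts.append(("drop", "first packet is not SYN"))
    return verdicts


# Constructed traffic. Symmetric: the device sees the whole handshake.
SYMMETRIC = [
    ("10.0.0.1", 40000, "10.0.0.2", 443, SYN),
    ("10.0.0.2", 443, "10.0.0.1", 40000, SYN | ACK),
    ("10.0.0.1", 40000, "10.0.0.2", 443, ACK),
]
# Asymmetric: the client's SYN took another path, so the first packet the
# device sees is the server's SYN-ACK, followed by server data (ACK).
ASYMMETRIC = [
    ("10.0.0.2", 443, "10.0.0.1", 40000, SYN | ACK),
    ("10.0.0.2", 443, "10.0.0.1", 40000, ACK),
]
```

Run `filter_packets(ASYMMETRIC)` with the default (option on) and with `check_tcp_syn=False` to compare the verdicts for the same flow.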