Symptom
When a TCP (i.e. FTP) transfer of a big file (2.0 GB or higher) is performed, Lina reports out-of-order packets during the connection teardown process.
FIN packets from the server are dropped by the firewall and reported in asp drop as tcp-rstfin-ooo. The connection is always offloaded.
The issue is not seen when transferring small files.
The following syslog will be observed:
"%FTD-6-805002: TCP Flow is no longer offloaded"
Conditions
The FTP connection must be offloaded. The behavior is seen with big files (2.0 GB or higher).
Workaround
- Disable flow offload in CLISH:
> configure flow-offload dynamic whitelist disable
- Configure an Allow rule to make sure this traffic is sent for Snort Inspection
Note: Any flows that are trusted by Snort (including allow rules applied to encrypted traffic) will be dynamically whitelisted.
Further Problem Description