Segment failed SYNCOOKIE?

Andre Oppermann andre at
Mon May 28 15:29:45 UTC 2007

Abdullah Ibn Hamad Al-Marri wrote:
> On 5/26/07, Steve Kargl <sgk at> wrote:
>> Anyone have ideas on how to cure
>> May 25 16:20:03 node13 kernel: TCP: []:53815 to
>> []:50992 tcpflags 0x11<FIN,ACK>; syncache_expand:
>> Segment failed SYNCOOKIE authentication
>> The hardware and kernel on and
>> are identical.
>> -- 
>> Steve
> 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat May 26 04:25:29 GMT 2007
> I got the same problem and my sever paniced today.

Please provide the panic message and if available a backtrace for the
panic.  We have to track down the exact cause of it (which may not
necessarily be the syncache).

> TCP: []:54686 to [IP removed for security reasons]:59999
> tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE
> authentication

Logging of TCP segment validation failure has recently been enabled
to aid debugging of TCP (interoperability) issues.

This particular message means that a SYN was received on a listen
socket but no matching syncache entry was found.  The second test
for a syncookie also failed.  Normally this means a spoofed packet
or port scan is hitting your machine.  To make this certain you should
answer a couple of questions:  a) What daemon is running on your port
59999?  b) Do you know [] and does it have any business
in contacting your daemon on 59999?

I agree that the log message should be made more clear to avoid
unnecessary confusion.  Nothing is broken and syncache is doing its
job just fine.


More information about the freebsd-current mailing list