Re: [FW1] ssh connections lost

[James_E_Clukey@FW1-NOSPAMrush.edu]

corne:

     If and whenever you get any clues please let me know as we are experiencing
the same problems here.

     I would suspect that once the connection is opened and entered into the
state table that CheckPoint never resets the TCP session counters from that
point on meaning that if you have the default value set for established TCP
connections to be 3600 seconds (1 hour) that after the one hour is up the
connection is removed from the state table (even if there is activity on the
connection).

     You also did not mention what version of CheckPoint you are running but
from the scenario that you described I would imagine that you are running v4.1
SP2 or later.

     There are also several FAQs on phoneboys site that I think will help you
understand the "new" functionality of 4.1 SPx in regards to TCP session
timeouts. You can just do a search on TCP session timeouts and it should bring
up several of them. Or you can enter the "reason" message that you are seeing in
your logs.

     Not that this helps much but..... :)


|--------+------------------------>
|        |          "corne"       |
|        |          <corne@ddsecur|
|        |          ity.co.za>    |
|        |                        |
|        |          02/06/2001    |
|        |          04:12 AM      |
|        |          Please respond|
|        |          to corne      |
|        |                        |
|--------+------------------------>
  >----------------------------------------------------------------------------|
  |                                                                            |
  |       To:     fw-1-mailinglist@lists.us.checkpoint.com                     |
  |       cc:     (bcc: James E Clukey/Rush/RSH)                               |
  |       Subject:     [FW1] ssh connections lost                              |
  >----------------------------------------------------------------------------|






Hi folks

I have a situation where ssh connections from inside the fw dies some
arbitrary time after they were started.

Doing a sniff on the network (both sides of the fw) reveals the following:
packets happily flow from the client to the server. At some stage the client
sends another packet, at which point the server doesn't respond. This is the
stage where the ssh connection is now dead. The client now sends a bunch of
retransmits, thinking that the session is still up.

After the session drops, I see dropped packets in the fw log, with the error
"unknown established tcp packet". This would indicate that the fw no longer
has an entry in its state table for that connection.

But why would the connection disappear from the table? From a network sniff,
there is no indication that a reset or fin is sent, or anything like that.
It seems as if the fw is arbitrarily removing that connection.

Any ideas?

Regards
Corne van Dyk
Dimension Data: Network security engineer
Tel: +27 21 659 2540
Fax: +27 21 659 2101
Helpdesk: +27 21 659 2112



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================