[FW1] Secure Shell (ssh) issue
Hi,

We are running FW-1 4.1 SP 2 on a Nokia 330. We have a problem with our users losing their ssh sessions when ssh'ing in to a server behind the firewall. Usually their session just freezes up and they have to start over. I looked in the logs and found this error:

unknown established TCP packet

So I did a search on phoneboy.com and found what seems to be a remedy for this problem (posted at the bottom). My question is this: Has anyone else had similar issues with secureshell and FW1? If so, did this remedy help you? I would normally search the archives for this sort of thing, but I don't think that this mailing list has a searchable archive that I am aware of.

Thanks,
Rich

========================================
HERE IS THE REMEDY TO THE PROBLEM
========================================

unknown established TCP packet

Q: I see the following messages over and over in my logs with a drop on rule 0:

unknown established TCP packet

A: FireWall-1 has significantly changed how it deals with established TCP connections. Whereas FireWall-1 versions prior to 4.1 SP2 used to try and recover TCP connections for which it did not have a connections table entry, it now simply drops these packets on the floor on rule 0 with this error message. Earlier versions would also drop these packets and display this message (or unknown reason code:12), but only after an attempt at recovering the connection failed.

In 4.1, you can revert to the old behaviour by adding the following to $FWDIR/lib/fwui_head.def:

#define ALLOW_NON_SYN_RULEBASE_MATCH

You can disable logging of these packets in FireWall-1 4.1 base or 4.1 SP1 by commenting out the following line in $FWDIR/lib/fwui_head.def (place two forward slashes '//' in front of the line).

#define CLUSTER_RULEBASE_MATCH_LOG

In FireWall-1 4.1 SP2 and later, you would comment out the following line in $FWDIR/lib/fwui_head.def:

#define NON_SYN_RULEBASE_MATCH_LOG

If you see this message on a 4.0 installation, follow the instructions for unknown reason code:12
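As an added example (not part of Rich's post or of the phoneboy FAQ he quotes), here is a small Python triage script that groups the rule-0 "unknown established TCP packet" drops by flow and measures how long after the flow's last accept each drop occurred, which is the question to settle before re-enabling ALLOW_NON_SYN_RULEBASE_MATCH and letting non-SYN packets be matched against the rulebase again: a drop long after the accept points at the connections table entry having aged out, while a drop with no prior accept is traffic the firewall never saw open. The simplified log layout, the sample lines and the idle threshold are all constructed assumptions, not the real FireWall-1 export format.

```python
import re

# Constructed sample lines in an assumed, simplified layout (not the real
# FireWall-1 log format and not taken from the original post), in time order:
#   HH:MM:SS action src dst service rule [info]
SAMPLE_LOG = """\
10:02:11 accept 10.1.1.5 192.168.7.20 ssh 4
10:05:02 accept 10.1.1.9 192.168.7.20 ssh 4
10:06:30 drop 10.1.1.9 192.168.7.20 ssh 0 unknown established TCP packet
10:30:00 accept 10.1.1.5 192.168.7.25 http 5
11:15:40 drop 10.1.1.5 192.168.7.20 ssh 0 unknown established TCP packet
11:40:12 drop 10.1.1.9 192.168.7.25 http 0 unknown established TCP packet
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<action>accept|drop) (?P<src>\S+) "
    r"(?P<dst>\S+) (?P<svc>\S+) (?P<rule>\d+)(?: (?P<info>.*))?$")
DROP_INFO = "unknown established TCP packet"

def _secs(hhmmss):
    """Seconds since midnight; the sample stays within one day."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def triage_unknown_established(log_text, idle_threshold):
    """One record per rule-0 'unknown established TCP packet' drop: the flow,
    seconds since that flow was last accepted (None if never accepted), and
    whether the gap exceeds idle_threshold, a caller-chosen guess at the
    gateway's TCP connections-table timeout (not read from the gateway)."""
    last_accept = {}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything outside the assumed layout
        flow = (m["src"], m["dst"], m["svc"])
        t = _secs(m["time"])
        if m["action"] == "accept":
            last_accept[flow] = t
        elif m["rule"] == "0" and m["info"] == DROP_INFO:
            idle = None if flow not in last_accept else t - last_accept[flow]
            findings.append({"flow": flow, "idle_seconds": idle,
                             "likely_timeout": idle is not None
                             and idle >= idle_threshold})
    return findings

if __name__ == "__main__":
    for finding in triage_unknown_established(SAMPLE_LOG, 3600):
        print(finding)
```

If every flagged drop is an ssh flow with a large idle gap, the frozen sessions are state-table expiry rather than a rulebase problem, and keeping the rule-0 drop (with the log line silenced if it is too noisy) preserves the stricter state check instead of reverting to the pre-SP2 behaviour.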