
[FW1] Secure Shell ( ssh ) issue



Hi,

We are running FW-1 4.1 SP 2 on a Nokia 330. We have a problem with our
users losing their ssh sessions when ssh'ing in to a server behind the
firewall. Usually their session just freezes up and they have to start over.

I looked in the logs and found this error: unknown established TCP packet

So I did a search on phoneboy.com and found what seems to be a remedy for
this problem (posted at the bottom).

My question is this: Has anyone else had similar issues with
Secure Shell and FW1? If so, did this remedy help you? I would normally
search the archives for this sort of thing, but I don't think that this
mailing list has a searchable archive that I am aware of.

Thanks,


Rich



======================================================================
HERE IS THE REMEDY TO THE PROBLEM
======================================================================

unknown established TCP packet


Q:

I see the following messages over and over in my logs with a drop on rule 0: 

unknown established TCP packet 

A:

FireWall-1 has significantly changed how it deals with established TCP
connections. Whereas FireWall-1 versions prior to 4.1 SP2 used to try and
recover TCP connections for which it did not have a connections table
entry, it now simply drops these packets on the floor on rule 0 with this
error message. Earlier versions would also drop these packets and display
this message (or unknown reason code:12), but only after an attempt at
recovering the connection failed. In 4.1, you can revert to the old
behaviour by adding the following to $FWDIR/lib/fwui_head.def: 

#define ALLOW_NON_SYN_RULEBASE_MATCH 

You can disable logging of these packets in FireWall-1 4.1 base or 4.1 SP1
by commenting out the following line in $FWDIR/lib/fwui_head.def
(place two forward slashes '//' in front of the line). 

#define CLUSTER_RULEBASE_MATCH_LOG 

In FireWall-1 4.1 SP2 and later, you would comment out the following line
in $FWDIR/lib/fwui_head.def: 

#define NON_SYN_RULEBASE_MATCH_LOG 

If you see this message on a 4.0 installation, follow the instructions for
unknown reason code:12 
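The quoted answer describes the mechanism only in prose. The following Python model is an added illustration, not Check Point code and not anything from phoneboy.com: it simulates a stateful firewall's connections table and shows why a non-SYN packet with no table entry is dropped on rule 0 with the "unknown established TCP packet" message, what the ALLOW_NON_SYN_RULEBASE_MATCH define changes (the packet is re-matched against the rulebase, the pre-SP2 "recovery" behaviour), and what commenting out NON_SYN_RULEBASE_MATCH_LOG changes (the drop still happens, only the log entry disappears). The idle timeout, the one-rule rulebase, the client and server addresses and the log line format are all assumptions constructed for the demonstration; the page does not state why the table entry is missing.

```python
"""Model of FireWall-1 4.1 handling of TCP packets without a connections-table
entry. Added example; the timeout, rulebase and log format are assumptions."""

from dataclasses import dataclass, field

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float  # arrival time in seconds on a constructed clock


@dataclass
class Firewall:
    # assumed policy: set of (dst_host, dst_port) pairs the rulebase accepts
    rulebase: set
    # assumed idle timeout after which an entry leaves the connections table
    tcp_timeout: float = 3600.0
    # models '#define ALLOW_NON_SYN_RULEBASE_MATCH' in fwui_head.def
    allow_non_syn_rulebase_match: bool = False
    # models '#define NON_SYN_RULEBASE_MATCH_LOG' (4.1 SP2+) left in place
    non_syn_rulebase_match_log: bool = True
    table: dict = field(default_factory=dict)  # 4-tuple -> last-seen time
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    def _rule_match(self, p: Packet) -> bool:
        return (p.dst, p.dport) in self.rulebase

    def process(self, p: Packet) -> str:
        key = self._key(p)
        # expire idle entries before consulting the table
        self.table = {k: v for k, v in self.table.items()
                      if p.t - v <= self.tcp_timeout}
        if p.flags & SYN:
            # new connection: decided by the rulebase, entry created on accept
            if self._rule_match(p):
                self.table[key] = p.t
                return "accept"
            self.log.append(f"drop src={p.src} dst={p.dst} reason=rulebase")
            return "drop"
        if key in self.table:
            # known connection: accept and refresh the idle timer
            self.table[key] = p.t
            return "accept"
        # non-SYN packet with no entry
        if self.allow_non_syn_rulebase_match and self._rule_match(p):
            # pre-SP2 style recovery: rebuild the entry from a rulebase match
            self.table[key] = p.t
            return "accept"
        # 4.1 SP2+ default: drop on rule 0 (constructed log line format)
        if self.non_syn_rulebase_match_log:
            self.log.append(f"drop rule=0 src={p.src} dst={p.dst} "
                            "reason=unknown established TCP packet")
        return "drop"


def ssh_session_after_idle(allow_recovery: bool, idle: float):
    """One ssh session that goes quiet for `idle` seconds, then sends data."""
    fw = Firewall(rulebase={("10.0.0.5", 22)},
                  allow_non_syn_rulebase_match=allow_recovery)
    client = ("192.0.2.10", 40000)  # constructed client address
    verdicts = [fw.process(Packet(*client, "10.0.0.5", 22, SYN, 0.0)),
                fw.process(Packet(*client, "10.0.0.5", 22, ACK, 1.0))]
    # user returns after `idle` seconds and types a key: ACK data, no SYN
    verdicts.append(fw.process(Packet(*client, "10.0.0.5", 22, ACK, 1.0 + idle)))
    return verdicts, fw.log


if __name__ == "__main__":
    print(ssh_session_after_idle(False, 7200.0))  # frozen session, rule 0 drop
    print(ssh_session_after_idle(True, 7200.0))   # recovered via rulebase
```

In the model the session survives a long idle period only when the define is present, which is exactly the trade-off the quoted answer implies: ALLOW_NON_SYN_RULEBASE_MATCH re-admits mid-stream packets on a rulebase match alone rather than on a tracked handshake, and commenting out the log define hides the drops without preventing them, so a site that suppresses the message loses the only evidence that sessions are being cut.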



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


