Re: [FW1] Secure Shell ( ssh ) issue
Hi Rich,
My ssh sessions over SecuRemote are lost if I leave
them idle for a while. I didn't apply the fix,
because it's not clear what the fix does to your
security.
A workaround is just to leave top, or some other app
that does screen refreshes running.
HTH,
Pete Goodridge
--- Rich Quinn <[email protected]> wrote:
>
> Hi,
>
> We are running FW-1 4.1 SP 2 on a Nokia 330. We have a problem with our
> users losing their ssh sessions when ssh'ing in to a server behind the
> firewall. Usually their session just freezes up and they have to start over.
>
> I looked in the logs and found this error: unknown established TCP packet
>
> So I did a search on phoneboy.com and found what seems to be a remedy for
> this problem (posted at the bottom).
>
> My question is this: Has anyone else had similar issues with
> secureshell and FW1? If so, did this remedy help you? I would normally
> search the archives for this sort of thing, but I don't think that this
> mailing list has a searchable archive that I am aware of.
>
> Thanks,
>
>
> Rich
>
>
>
>
> ============================================================================
> HERE IS THE REMEDY TO THE PROBLEM
> ============================================================================
>
> unknown established TCP packet
>
>
> Q:
>
> I see the following messages over and over in my logs with a drop on rule 0:
>
> unknown established TCP packet
>
> A:
>
> FireWall-1 has significantly changed how it deals with established TCP
> connections. Whereas FireWall-1 versions prior to 4.1 SP2 used to try and
> recover TCP connections for which it did not have a connections table
> entry, it now simply drops these packets on the floor on rule 0 with this
> error message. Earlier versions would also drop these packets and display
> this message (or unknown reason code:12), but only after an attempt at
> recovering the connection failed. In 4.1, you can revert to the old
> behaviour by adding the following to $FWDIR/lib/fwui_head.def:
>
> #define ALLOW_NON_SYN_RULEBASE_MATCH
>
> You can disable logging of these packets in FireWall-1 4.1 base or 4.1 SP1
> by commenting out the following line in $FWDIR/lib/fwui_head.def
> (place two forward slashes '//' in front of the line).
>
> #define CLUSTER_RULEBASE_MATCH_LOG
>
> In FireWall-1 4.1 SP2 and later, you would comment out the following line
> in $FWDIR/lib/fwui_head.def:
>
> #define NON_SYN_RULEBASE_MATCH_LOG
>
> If you see this message on a 4.0 installation, follow the instructions for
> unknown reason code:12
>
>
>
>
================================================================================
> To unsubscribe from this mailing list, please
> see the instructions at
>
> http://www.checkpoint.com/services/mailing.html
>
================================================================================
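
A simplified model of the behaviour the quoted FAQ describes, added here as an illustration (it is not FireWall-1 code and not part of the original thread): an idle session outlives its connections-table entry and is then dropped, periodic traffic keeps the entry alive, and re-matching non-SYN packets against the rulebase recovers the session but also admits packets for flows that never completed a handshake. The class, the `allow_non_syn_match` flag and the 3600-second idle timeout are assumptions made for the example.

```python
# Toy stateful filter (added example; not FireWall-1 code).
IDLE_TIMEOUT = 3600  # seconds an idle table entry is kept (assumed value)

class StatefulFilter:
    def __init__(self, allowed_ports, allow_non_syn_match=False):
        self.allowed_ports = set(allowed_ports)
        # Hypothetical flag modelling the effect the FAQ attributes to
        # "#define ALLOW_NON_SYN_RULEBASE_MATCH".
        self.allow_non_syn_match = allow_non_syn_match
        self.table = {}  # (src, dst, dport) -> time the last packet was seen

    def _expire(self, now):
        stale = [k for k, seen in self.table.items() if now - seen > IDLE_TIMEOUT]
        for key in stale:
            del self.table[key]

    def packet(self, now, src, dst, dport, syn=False):
        """Return 'accept' or a drop reason for one client->server packet."""
        self._expire(now)
        key = (src, dst, dport)
        if key in self.table:
            self.table[key] = now  # any traffic refreshes the idle timer
            return "accept"
        if syn or self.allow_non_syn_match:
            # Packet is checked against the rulebase and may create state.
            if dport in self.allowed_ports:
                self.table[key] = now
                return "accept"
            return "drop: rulebase"
        # Non-SYN packet with no table entry: the rule 0 drop from the logs.
        return "drop: unknown established TCP packet"

def run_session(fw, send_times):
    """Open an ssh connection at t=0, then send data at each listed time."""
    results = [fw.packet(0, "client", "server", 22, syn=True)]
    results += [fw.packet(t, "client", "server", 22) for t in send_times]
    return results

if __name__ == "__main__":
    print("idle    :", run_session(StatefulFilter([22]), [600, 5000]))
    print("refresh :", run_session(StatefulFilter([22]), range(1800, 9001, 1800)))
    relaxed = StatefulFilter([22], allow_non_syn_match=True)
    print("relaxed :", run_session(relaxed, [5000]))
    # Trade-off: a non-SYN packet from a host that never opened a connection.
    print("no SYN  :", relaxed.packet(0, "other", "server", 22))
```

The last line of output is the security cost of the relaxed setting in this model: state is created from a packet that was never preceded by a SYN, as long as the rulebase permits the port.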