[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE [FW1] Unknown established tcp packet
Hi Nokia reports that as e problem with their last IPSO version end the new feature called fastpath wich is enabled by default. The way to fix that for now is to disable fastpath in IPSO Nokia has a resolution on their support site https://support.nokia.com/knowledge/frmResolutionView.jsp?ResolutionId=5034 It says... TCP sessions being dropped on IPSO 3.3 and FireWall-1 4.1 SP2/SP3 This issue only appears to crop up when the following is true: 1. IPSO 3.3 2. FireWall-1 4.1 SP2 or SP3 3. Flows is enabled (it is by default) 4. The connection in question has continuous traffic. Part of this problem comes from how FireWall-1 interacts with the Flows feature. Flows moves the packets through the OS without involving FireWall-1, so FireWall-1 doesn't "reset" the timer value for the entry in the connections table. When the connection is about to expire, FireWall-1 queries IPSO to see how long it has been since it has seen a packet on the connection. If there is traffic on the connection at the exact second that FireWall-1 decides to try and "refresh" the connection table entry, the entry and the corresponding flows get deleted. Nokia Customer Support has been able to reproduce this problem and has escalated it to Check Point. Updates to this issue will be placed here. In the meantime, you can work around this problem by disabling flows per Resolution 4188. Which says: How do I disable firewall flows in IPSO 3.3 and later? Firewall Flows is designed to increase performance of FireWall-1 on the Nokia Platform. However, there may be reasons why you would want to disable it. To temporarily disable it, one can issue the command: ipsofwd slowpath This also clears the flows tables. To re-enable it, use the command: ipsofwd flowpath However, it may also be desirable to disable it permanently. This must be done by modifying $FWDIR/etc/rc/rc.fwload. Replace the "bolded" flowpath in the following section with slowpath: ipsctl -n net:ip:forward:available_modes | grep -q -s flowpath if ($status == 0) then ipsctl -w net:ip:forward:switch_mode flowpath else echo "FireWall-1: You are attempting to start the FW on an incompatible OS - exiting" >>& $LOGDIR/fw.log exit 1 endif You also need to modify $FWDIR/bin/fwstart. Replace the "bolded" flowpath in the following section with slowpath: if ($ipso) then # enable flows, if available. Don't need check because it is already checked! ipsofwd flowpath (cd $FW_BOOT_DIR/modules ; modload -v -A $KERNEL_IS -e fw1_init -p fw.mkdev -o fwmod fwmod.o) if ($status) then echo "FW-1: modload failed" exit 1 endif fw putlic -k FireWall-1 must be re-started for this change to take effect. Once you have done that, you can not use the ipsofwd command to re-enable flows. Hope this solves your problem Ronny Zellhann Skanova AB ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|