
RE: [FW1] Unknown established TCP packet



....and it's that 60s that I can't get an answer out of anyone (my support
people) on how to increase it.
I had connections drop for only a few applications, and the only thing I can
attribute it to is this initial, short timeout.

BTW, the fix on phoneboy did 'bandaid' the problem.

-----Original Message-----
From: Hartmann, Josef [mailto:[email protected]]
Sent: Thursday, May 24, 2001 3:16 PM
To: [email protected]; [email protected]
Subject: RE: [FW1] Unknown established TCP packet



Hi,

TCP keep-alive packets reset the timer. So if the TCP keep-alive timers of
servers/clients communicating through the firewall are set to less than
the firewall's timeout, a connection shouldn't time out.

Regarding your log you should rather provide us with the network traces
itself AND the firewall log.

If you read Lance's paper more closely you will recognize that
there's another timeout (60s) since 4.1 SP2 or SP3 after the SYN, SYN/ACK,
ACK.


Josef

> -----Original Message-----
> From:	[email protected]
> [SMTP:[email protected]]
> Sent:	Wednesday, May 23, 2001 8:43 AM
> To:	[email protected]
> Subject:	[FW1] Unknown established TCP packet
> 
> 
> Hello,
> 
> I have had problems with this new feature on FW-1 4.1 SP3 (Linux).
> As far as I have learnt from Lance Spitzner, Phoneboy and this list
> it is supposed to drop non-syn packets that are not an established
> connection as far as the firewall is concerned (part state table).
> 
> This causes some problems. Client/Server applications using database
> platforms like Oracle will have to reconnect, but will not work properly
> after reconnection because of cursors (pointers).
> 
> Is it possible or recommendable to increase the TCP timeout beyond TCP
> keepalive? And is TCP keepalive among the packets that will reset the
> timeout timer of the state tables? Unless I do so I will have to disable
> Checkpoint's new feature.
> 
> Also, there seem to be bugs in the implementation of this feature, at
> least as far as the Linux version is concerned.
> 
> Just look at this log export:
> 
> "11435"  "21May2001"  "13:36:45"  "eth2"  "localhost"  "log"  "accept"
> "924"
>  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "3"  "930"  ""  ""  ""  ""
> ""
>  ""  ""  ""  ""  "firewall"  " len 48"  
> 
> The line says that TCP port 924, source port 930, is accepted. Then less
> than three minutes later:
> 
> "11532"  "21May2001"  "13:39:01"  "eth2"  "localhost"  "log"  "drop"
> "924"
>  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "0"  "930"  ""  ""  ""  ""
> ""
>  ""  ""  ""  ""  "firewall"  " reason: unknown established TCP packet"  
> 
> A packet with the same TCP port and source port is dropped due to the "fact"
> that it is not part of an established connection. I cannot see what I have
> done to make this happen. To me it looks like nothing less than a bug.
> 
> 
> Gandalf.
> 
> 
> 
> 
> ==========================================================================
> ======
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ==========================================================================
> ======




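As an added example (not code from the thread or from Check Point), a small Python script that parses the two FW-1 log export lines quoted above and flags "unknown established TCP packet" drops that follow an accepted packet of the same flow, reporting how long the firewall kept state. The column order is assumed from those two lines; real export layouts vary by installation.

```python
import re
from datetime import datetime

# Constructed sample: the two export lines quoted in the thread, each re-joined
# onto a single line (the mail client had wrapped them).
SAMPLE_LOG = '''\
"11435"  "21May2001"  "13:36:45"  "eth2"  "localhost"  "log"  "accept"  "924"  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "3"  "930"  ""  ""  ""  ""  ""  ""  ""  ""  ""  "firewall"  " len 48"
"11532"  "21May2001"  "13:39:01"  "eth2"  "localhost"  "log"  "drop"  "924"  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "0"  "930"  ""  ""  ""  ""  ""  ""  ""  ""  ""  "firewall"  " reason: unknown established TCP packet"
'''

# Column names are an assumption inferred from the sample lines above.
FIELDS = ["num", "date", "time", "iface", "origin", "type", "action",
          "service", "src", "dst", "proto", "rule", "s_port"]

def parse_line(line):
    """Split one quoted, double-space separated export line into a dict."""
    values = re.findall(r'"([^"]*)"', line)
    rec = dict(zip(FIELDS, values))
    rec["info"] = values[-1].strip()   # last column: "len 48" or "reason: ..."
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                  "%d%b%Y %H:%M:%S")
    return rec

def flow_key(rec):
    """Direction-sensitive 5-tuple that the state table is keyed on."""
    return (rec["proto"], rec["src"], rec["s_port"], rec["dst"], rec["service"])

def find_state_drops(text):
    """Return (drop record, seconds since the last accept of the same flow)
    for each 'unknown established TCP packet' drop that follows an accept."""
    last_accept = {}
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = flow_key(rec)
        if rec["action"] == "accept":
            last_accept[key] = rec["ts"]
        elif rec["action"] == "drop" and "unknown established TCP packet" in rec["info"]:
            if key in last_accept:
                gap = int((rec["ts"] - last_accept[key]).total_seconds())
                hits.append((rec, gap))
    return hits

if __name__ == "__main__":
    for rec, gap in find_state_drops(SAMPLE_LOG):
        print(f'{rec["time"]} drop {rec["src"]}:{rec["s_port"]} -> '
              f'{rec["dst"]}:{rec["service"]} {gap}s after the last accept')
```

Run against a full export, a gap well under the configured TCP session timeout on a flow that was still in use is the signature of the early post-handshake timeout discussed in the thread.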



   All contents © 2004 Network Presence, LLC. All rights reserved.