
RE: [FW1] Unknown established TCP packet



Hi,

depending on the OS FW-1 is running on it is possible to set this timeout to
be the same as given in the firewall properties.
I should have somewhere a note on how to do that on solaris.

However you also could change the tcp keepalive values of the servers/
clients which are trying to connect using the firewall.


Josef

> -----Original Message-----
> From:	Felicetti, Stephen A. [SMTP:[email protected]]
> Sent:	Friday, May 25, 2001 3:15 PM
> To:	'Hartmann, Josef'; [email protected];
> [email protected]
> Subject:	RE: [FW1] Unknown established TCP packet
> 
> ....and it's that 60s that I can't get an answer out of anyone (my support
> people) on how to increase it.
> I had connections drop for only a few applications, and the only thing I
> can attribute it to is this initial, short timeout.
> 
> BTW, the fix on phoneboy did 'bandaid' the problem.
> 
> -----Original Message-----
> From: Hartmann, Josef [mailto:[email protected]]
> Sent: Thursday, May 24, 2001 3:16 PM
> To: [email protected];
> [email protected]
> Subject: RE: [FW1] Unknown established TCP packet
> 
> 
> 
> Hi,
> 
> TCP keep alive packets reset the timer. So if TCP keep alive timers of
> servers/clients communicating through the firewall are set to less than
> the firewall's timeout, a connection shouldn't timeout.
> 
> Regarding your log you should rather provide us with the network traces
> itself AND the firewall log.
> 
> If you go for reading Lance's paper more exactly you will recognize that
> there's another timeout (60s) since 4.1SP2 or SP3 after the SYN, SYN/ACK,
> ACK.
> 
> 
> Josef
> 
> > -----Original Message-----
> > From:	[email protected]
> > [SMTP:[email protected]]
> > Sent:	Wednesday, May 23, 2001 8:43 AM
> > To:	[email protected]
> > Subject:	[FW1] Unknown established TCP packet
> > 
> > 
> > Hello,
> > 
> > I have had problems with this new feature on FW-1 4.1 SP3 (Linux).
> > As far as I have learnt from Lance Spitzner, Phoneboy and this list
> > it is supposed to drop non-syn packets that are not an established
> > connection as far as the firewall is concerned (part state table).
> > 
> > This causes some problems. Client/Server applications using database
> > platforms like Oracle will have to reconnect, but will not work properly
> > after reconnection because of cursors (pointers).
> > 
> > Is it possible or recommendable to increase the TCP timeout beyond TCP
> > keepalive? And is TCP keepalive among the packets that will reset the
> > timeout timer of the state tables? Unless I do so I will have to disable
> > Checkpoint's new feature.
> > 
> > Also, there seem to be bugs in the implementation of this feature, at
> > least as far as the Linux version is concerned.
> > 
> > Just look at this log export:
> > 
> > "11435"  "21May2001"  "13:36:45"  "eth2"  "localhost"  "log"  "accept"  "924"  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "3"  "930"  ""  ""  ""  ""  ""  ""  ""  ""  ""  "firewall"  " len 48"
> > 
> > The line says that TCP port 924 source port 930 is accepted. Then less
> > than three minutes later:
> > 
> > "11532"  "21May2001"  "13:39:01"  "eth2"  "localhost"  "log"  "drop"  "924"  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "0"  "930"  ""  ""  ""  ""  ""  ""  ""  ""  ""  "firewall"  " reason: unknown established TCP packet"
> > 
> > Packet with same TCP port and source port is dropped due to the "fact"
> > that it is not part of an established connection. I cannot see what I
> > have done to make this happen. To me it looks like nothing less than a bug.
> > 
> > 
> > Gandalf.
> > 
> > 
> > 
> > 
> 
> 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
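The two log records Gandalf quoted are an accept followed, 136 seconds later, by a drop of the same flow with the reason "unknown established TCP packet". When you suspect a state-table timeout rather than a bug, the first thing to establish is the idle gap between the last accepted packet of a flow and the drop, and which timeout that gap exceeds. The script below is an added example, not part of the thread or of Check Point's tooling: it parses the quoted-field log export format, pairs each "unknown established TCP packet" drop with the last accept for the same 5-tuple and reports the gap. The column names are an assumption (the thread only identifies the action, destination port 924 and source port 930), as are the timeout values used for comparison (the 60 s post-handshake timer is from the thread; 3600 s is the classic FW-1 TCP session timeout default and is labelled as assumed).

```python
import re
from datetime import datetime

# Constructed sample: the two records quoted in the thread, re-joined onto one line each.
SAMPLE_LOG = '''"11435"  "21May2001"  "13:36:45"  "eth2"  "localhost"  "log"  "accept"  "924"  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "3"  "930"  ""  ""  ""  ""  ""  ""  ""  ""  ""  "firewall"  " len 48"
"11532"  "21May2001"  "13:39:01"  "eth2"  "localhost"  "log"  "drop"  "924"  "nille.abcde.xy"  "ulysses.abcde.xy"  "tcp"  "0"  "930"  ""  ""  ""  ""  ""  ""  ""  ""  ""  "firewall"  " reason: unknown established TCP packet"
'''

# Assumed column order for the leading quoted fields. The thread confirms only
# that field 7 is the action, field 8 the destination port and field 13 the
# source port; the other names are guesses for readability.
COLUMNS = ["num", "date", "time", "iface", "origin", "type", "action", "dport",
           "src", "dst", "proto", "rule", "sport"]

# Assumed timeouts to compare the idle gap against (seconds).
ASSUMED_TIMEOUTS = {"post_handshake": 60, "tcp_session": 3600}

DROP_REASON = "unknown established TCP packet"
FIELD_RE = re.compile(r'"([^"]*)"')


def parse_record(line):
    """Turn one exported log line into a dict, or None if it is not a record."""
    fields = FIELD_RE.findall(line)
    if len(fields) < len(COLUMNS):
        return None
    rec = dict(zip(COLUMNS, fields))
    rec["info"] = fields[-1].strip()          # " len 48" / " reason: ..."
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                  "%d%b%Y %H:%M:%S")
    return rec


def flow_key(rec):
    """5-tuple identifying the flow, direction-sensitive like the log itself."""
    return (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


def exceeded_timeouts(gap_seconds, timeouts=ASSUMED_TIMEOUTS):
    """Names of the timeouts that an idle gap of this length is longer than."""
    if gap_seconds is None:
        return []
    return sorted(name for name, limit in timeouts.items() if gap_seconds > limit)


def find_state_drops(log_text):
    """Pair every 'unknown established TCP packet' drop with the most recent
    accept of the same flow and report how long the flow had been quiet."""
    last_accept = {}
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = flow_key(rec)
        if rec["action"] == "accept":
            last_accept[key] = rec["ts"]
        elif rec["action"] == "drop" and DROP_REASON in rec["info"]:
            prev = last_accept.get(key)
            gap = (rec["ts"] - prev).total_seconds() if prev else None
            findings.append({
                "flow": key,
                "dropped_at": rec["ts"].isoformat(),
                "seconds_since_accept": gap,
                "exceeds": exceeded_timeouts(gap),
            })
    return findings


if __name__ == "__main__":
    for f in find_state_drops(SAMPLE_LOG):
        print(f)
```

On the sample the gap is 136 s, which is longer than the 60 s post-handshake timer but far short of a session timeout, so the output points at the short timer Josef mentions rather than the value in the firewall properties. Run it over a full export and look at the distribution of gaps: drops clustering just above one of the configured timeouts are a tuning problem, drops at arbitrary gaps are worth a packet trace.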
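Josef's point is that any packet of the flow, keepalives included, refreshes the firewall's entry, so a host keepalive interval shorter than the firewall's timeout keeps the entry alive through application silence, while a longer one lets the entry expire and the next segment is dropped as an "unknown established TCP packet". The model below is an added example written for this thread, not FW-1 code: a toy connection table with the two timers the thread describes (a short one after the three-way handshake until the first data segment, a long one once data has been seen) and a simulation of a client whose OS sends keepalive probes during idle periods. Whether a keepalive probe also refreshes the short post-handshake timer is a modelling assumption.

```python
from dataclasses import dataclass

DROP = "drop: unknown established TCP packet"


@dataclass
class Entry:
    last_seen: float
    seen_data: bool = False


class StateTable:
    """Toy stateful firewall table (assumed behaviour, not FW-1's code).

    A SYN creates an entry. Every later packet of the flow refreshes it.
    Until the first data segment the entry lives `handshake_timeout` idle
    seconds; afterwards `established_timeout`. A non-SYN packet without a
    live entry is dropped with the reason seen in the thread's log."""

    def __init__(self, established_timeout, handshake_timeout):
        self.established_timeout = established_timeout
        self.handshake_timeout = handshake_timeout
        self.table = {}

    def observe(self, key, t, syn=False, data=False):
        entry = self.table.get(key)
        if entry is not None:
            limit = self.established_timeout if entry.seen_data else self.handshake_timeout
            if t - entry.last_seen > limit:
                del self.table[key]          # idle too long: forget the flow
                entry = None
        if syn:
            self.table[key] = Entry(last_seen=t)
            return "accept"
        if entry is None:
            return DROP
        entry.last_seen = t                  # keepalives reset the timer too
        entry.seen_data = entry.seen_data or data
        return "accept"


def simulate(fw, keepalive_interval, data_times):
    """Handshake at t=0, application writes at `data_times`; the host OS sends
    a zero-length keepalive probe whenever the socket has been quiet for
    `keepalive_interval` seconds. Returns the firewall verdict per write."""
    key = ("tcp", "nille", 930, "ulysses", 924)   # constructed flow
    fw.observe(key, 0.0, syn=True)
    fw.observe(key, 0.1)                          # SYN/ACK
    fw.observe(key, 0.2)                          # ACK
    last_sent = 0.2
    verdicts = []
    for t in data_times:
        ka = last_sent + keepalive_interval
        while ka < t:                             # probes fill the silence
            fw.observe(key, ka)
            ka += keepalive_interval
        verdicts.append(fw.observe(key, t, data=True))
        last_sent = t
    return verdicts


if __name__ == "__main__":
    no_keepalive = float("inf")
    # Long idle period with keepalive off: the established entry expires.
    print(simulate(StateTable(3600, 60), no_keepalive, [1.2, 7300.0]))
    # Same traffic with a 45 s keepalive: the entry is refreshed throughout.
    print(simulate(StateTable(3600, 60), 45, [1.2, 7300.0]))
    # Handshake, then the application waits 90 s before its first write: the
    # short post-handshake timer expires (the Linux default keepalive of
    # 7200 s never fires in time).
    print(simulate(StateTable(3600, 60), 7200, [90.2]))
```

The third case is the one Stephen describes: an application that completes the handshake and then sits quiet for more than a minute before sending anything is caught by the 60 s timer regardless of how generous the session timeout in the firewall properties is. Lowering the host keepalive helps only if the application actually enables SO_KEEPALIVE on its sockets; on Linux the system-wide idle time is net.ipv4.tcp_keepalive_time (default 7200 s), and a process that never sets the socket option sends no probes at all.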



   All contents © 2004 Network Presence, LLC. All rights reserved.