RE: [FW1] Unknown established TCP packet
Hi,

depending on the OS FW-1 is running on, it is possible to set this timeout to be the same as given in the firewall properties. I should have somewhere a note on how to do that on Solaris. However, you could also change the TCP keepalive values of the servers/clients which are trying to connect using the firewall.

Josef

> -----Original Message-----
> From: Felicetti, Stephen A. [SMTP:[email protected]]
> Sent: Friday, May 25, 2001 3:15 PM
> To: 'Hartmann, Josef'; [email protected]; [email protected]
> Subject: RE: [FW1] Unknown established TCP packet
>
> ....and it's that 60s that I can't get an answer out of anyone (my support
> people) on how to increase it.
> I had connections drop for only a few applications, and the only thing I can
> attribute it to is this initial, short timeout.
>
> BTW, the fix on phoneboy did 'bandaid' the problem.
>
> -----Original Message-----
> From: Hartmann, Josef [mailto:[email protected]]
> Sent: Thursday, May 24, 2001 3:16 PM
> To: [email protected]; [email protected]
> Subject: RE: [FW1] Unknown established TCP packet
>
> Hi,
>
> TCP keepalive packets reset the timer. So if the TCP keepalive timers of
> servers/clients communicating through the firewall are set to less than
> the firewall's timeout, a connection shouldn't time out.
>
> Regarding your log, you should rather provide us with the network traces
> themselves AND the firewall log.
>
> If you read Lance's paper more carefully you will recognize that there's
> another timeout (60s) since 4.1 SP2 or SP3 after the SYN, SYN/ACK, ACK.
>
> Josef
>
> > -----Original Message-----
> > From: [email protected] [SMTP:[email protected]]
> > Sent: Wednesday, May 23, 2001 8:43 AM
> > To: [email protected]
> > Subject: [FW1] Unknown established TCP packet
> >
> > Hello,
> >
> > I have had problems with this new feature on FW-1 4.1 SP3 (Linux).
> > As far as I have learnt from Lance Spitzner, Phoneboy and this list, it is
> > supposed to drop non-SYN packets that are not part of an established
> > connection as far as the firewall is concerned (part of the state table).
> >
> > This causes some problems. Client/server applications using database
> > platforms like Oracle will have to reconnect, but will not work properly
> > after reconnection because of cursors (pointers).
> >
> > Is it possible or recommendable to increase the TCP timeout beyond TCP
> > keepalive? And is TCP keepalive among the packets that will reset the
> > timeout timer of the state tables? Unless I do so I will have to disable
> > Checkpoint's new feature.
> >
> > Also, there seem to be bugs in the implementation of this feature, at least
> > as far as the Linux version is concerned.
> >
> > Just look at this log export:
> >
> > "11435" "21May2001" "13:36:45" "eth2" "localhost" "log" "accept" "924"
> > "nille.abcde.xy" "ulysses.abcde.xy" "tcp" "3" "930" "" "" "" "" ""
> > "" "" "" "" "firewall" " len 48"
> >
> > The line says that TCP port 924 source port 930 is accepted. Then less than
> > three minutes later:
> >
> > "11532" "21May2001" "13:39:01" "eth2" "localhost" "log" "drop" "924"
> > "nille.abcde.xy" "ulysses.abcde.xy" "tcp" "0" "930" "" "" "" "" ""
> > "" "" "" "" "firewall" " reason: unknown established TCP packet"
> >
> > A packet with the same TCP port and source port is dropped due to the "fact"
> > that it is not part of an established connection. I cannot see what I have
> > done to make this happen. To me it looks like nothing less than a bug.
> >
> > Gandalf.
> >
> > _______________________________________________________________________
> > Get your free @pakistanmail.com email address http://pakistanmail.com

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
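To check a log export like the one quoted in this thread against the firewall's TCP timeout, here is an added Python example (not from the thread or from Check Point): it parses the double-quoted export lines, pairs each "unknown established TCP packet" drop with the last accept seen for the same connection, and reports the gap in seconds. The field positions are inferred from the two quoted lines, and the sample input is those two lines rebuilt, so both are assumptions.

```python
"""Pair FW-1 'unknown established TCP packet' drops with the last accept for
the same connection and report the gap, to compare with the TCP timeout."""
import shlex
from datetime import datetime

# Constructed sample: the two export lines quoted in the thread, each put
# back onto a single line. Field positions below are inferred from them.
SAMPLE_LOG = '''\
"11435" "21May2001" "13:36:45" "eth2" "localhost" "log" "accept" "924" "nille.abcde.xy" "ulysses.abcde.xy" "tcp" "3" "930" "" "" "" "" "" "" "" "" "" "firewall" " len 48"
"11532" "21May2001" "13:39:01" "eth2" "localhost" "log" "drop" "924" "nille.abcde.xy" "ulysses.abcde.xy" "tcp" "0" "930" "" "" "" "" "" "" "" "" "" "firewall" " reason: unknown established TCP packet"
'''

DROP_REASON = "unknown established TCP packet"


def parse_line(line):
    """Split one double-quoted, space-separated export line into a dict."""
    f = shlex.split(line)  # quoted fields; an empty "" yields ''
    return {
        "when": datetime.strptime(f[1] + " " + f[2], "%d%b%Y %H:%M:%S"),
        "action": f[6],
        "dport": f[7], "src": f[8], "dst": f[9], "proto": f[10],
        "sport": f[12],
        "info": f[-1].strip(),
    }


def find_state_table_drops(text):
    """Return (connection, accept_time, drop_time, gap_seconds) per drop;
    gap_seconds is None when no earlier accept for that connection was seen."""
    last_accept = {}
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        key = (e["proto"], e["src"], e["sport"], e["dst"], e["dport"])
        if e["action"] == "accept":
            last_accept[key] = e["when"]
        elif e["action"] == "drop" and DROP_REASON in e["info"]:
            seen = last_accept.get(key)
            gap = (e["when"] - seen).total_seconds() if seen else None
            results.append((key, seen, e["when"], gap))
    return results


if __name__ == "__main__":
    for key, seen, dropped, gap in find_state_table_drops(SAMPLE_LOG):
        print(f"{key}: accepted {seen}, dropped {dropped}, gap {gap}s")
```

A gap larger than the firewall's configured TCP timeout explains the drop; a drop with no preceding accept, or a gap well inside the timeout, is the case worth raising with support together with the packet traces.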