[FW1] SYNDefender / Unknown Established TCP packet

Hello,

Firstly, I must apologise for starting yet another "Unknown Established" (UETP) thread, but I could not find specific mention of my particular behaviour in the archives.

IPSO 3.3, FW-1 SP3, IP440s in an HA config, Active/Backup

With SYNDefender off, I get expected behaviour with regard to UETP drops, and have verified them with sniffs to ensure that the firewall is behaving correctly.  This seems to happen when both the local machine and the remote machine issue a FIN, and they both ACK the FIN, so the connection is closed, and then a minute later the remote machine issues an RST on the closed connection.  I am presuming this is because an ACK went astray.

With SYNDefender in Gateway mode, strange things happen.

This is the behaviour seen from a sniff outside of the firewall, and so is as seen by the remote instigator of the connection.

The remote issues a SYN
The local issues a SYN ACK
The remote issues an ACK

This all happens within 10 secs (the SYND timeout as set) so the handshake is complete right?  But no:

The local issues another SYN ACK
The remote issues another ACK

This repeats a few times.  Meanwhile, in the log, SYNDefender pipes up and says the connection has timed out, which is right in a sense, as the firewall doesn't appear to see that the connection is established.

Then the remote seems to tire of all this, and issues a series of FIN ACKs, one for each of the SYN ACKs.  This appears to correspond with the UETP appearing in the log.

I get this behaviour with flows on and off.

Does anyone have any insight into what is transpiring here?

Cheers,

Paul.



---------------------------------------------------------------------------------------------------------------------------
CRESTCo Ltd.             The views expressed above are not necessarily those
33 Cannon Street.        held by CRESTCo Limited.
London  EC4M 5SB (UK)      
+44 (020) 7849 0000     http://www.crestco.co.uk 
---------------------------------------------------------------------------------------------------------------------------
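As an added illustration, not part of the original post and not FW-1 or SYNDefender code: a small Python model of stateful TCP handshake tracking, run over two traces constructed to follow the exchanges Paul describes (the `track` function, the host names and the packet lists are all assumptions). It shows that an inspector which does see the client's ACK records the flow as established, treats the repeated SYN-ACKs as retransmissions and the later FIN-ACKs as legitimate, and reports only the post-close RST as an unknown-established packet.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags")   # flags: S=SYN, A=ACK, F=FIN, R=RST

def track(trace):
    """Minimal stateful-inspection model. A flow becomes ESTABLISHED only once the
    inspector has seen SYN, SYN-ACK and the completing ACK; its entry is dropped
    after both FINs are acknowledged or on RST. Any other packet for a flow with
    no entry is reported the way FW-1 logs it: Unknown Established TCP packet."""
    table, findings = {}, []      # (client, server) -> state
    for i, p in enumerate(trace):
        f = set(p.flags)
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        key = fwd if fwd in table else rev if rev in table else None
        st = table.get(key)
        if f == {"S"}:
            table[fwd] = "SYN_SENT"
        elif f == {"S", "A"}:
            if st in ("SYN_SENT", "SYN_RECV"):
                table[key] = "SYN_RECV"
            elif st == "ESTABLISHED":
                findings.append((i, "retransmitted SYN-ACK on established flow"))
            else:
                findings.append((i, "SYN-ACK without matching SYN"))
        elif st is None:
            findings.append((i, f"Unknown Established TCP packet ({p.flags})"))
        elif "R" in f:
            del table[key]
        elif "F" in f:
            table[key] = "FIN_WAIT" if st == "ESTABLISHED" else "CLOSING"
        elif st == "SYN_RECV":
            table[key] = "ESTABLISHED"
        elif st == "CLOSING":         # ACK of the second FIN: forget the flow
            del table[key]
    return table, findings

# Constructed traces following the two exchanges described in the post.
# SYNDefender off: clean close, then a RST a minute later on the closed flow.
OFF = [Pkt("remote", "local", "S"), Pkt("local", "remote", "SA"), Pkt("remote", "local", "A"),
       Pkt("local", "remote", "FA"), Pkt("remote", "local", "A"), Pkt("remote", "local", "FA"),
       Pkt("local", "remote", "A"), Pkt("remote", "local", "R")]
# Gateway mode: handshake completes, yet SYN-ACK/ACK repeats, then one FIN-ACK per SYN-ACK.
GATEWAY = [Pkt("remote", "local", "S"), Pkt("local", "remote", "SA"), Pkt("remote", "local", "A"),
           Pkt("local", "remote", "SA"), Pkt("remote", "local", "A"), Pkt("local", "remote", "SA"),
           Pkt("remote", "local", "A"), Pkt("remote", "local", "FA"), Pkt("remote", "local", "FA"),
           Pkt("remote", "local", "FA")]

if __name__ == "__main__":
    for name, trace in (("SYNDefender off", OFF), ("Gateway mode", GATEWAY)):
        print(name, track(trace))
```

Comparing the gateway-mode result with what FW-1 actually logged (UETP on the FIN-ACKs) points at the inspector never having recorded the handshake as complete, which matches the SYNDefender timeout messages in the log.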