[FW1] unknown established TCP packet.. again
Hello.

Since yesterday, I'm having problems with packets being dropped by rule 0 with the "unknown established TCP packet" error. At the moment I started getting those errors, I was adding VPN support for my users, with Entrust 4.0 integrated authentication. Here is a little sketch of my network:
                    INTERNET
                       |
                   .---^---.
                   | MY FW |
                   '---.---'
                       |
        ----.-----^----------.--------------------
            |                |
            |                |
        .---^--.        .----^---.           .------.
        |SERVER|        |OTHER FW|           |CLIENT|
        '------'        '----.---'           '---.--'
                             |                   |
                             |                   |
                        ------^-------------^------
When the client connects to my firewall, he just passes by the other firewall, but when the server makes his reply, it passes by my firewall, as it's its default route. The firewall then drops the packet with the error in the subject.

I suppose the firewall drops the packets as it sees an ACK for a packet it doesn't know, but... why did it start to happen yesterday?

As I've seen in the Phoneboy FAQs ( http://www.phoneboy.com/faq/0408.html ), that's a default behavior for FW-1 4.1 with SP2, but mine has SP1, so I've not changed "wui_head.def" as it states. I've tried adding a direct route from the server to the clients so they pass through the other firewall, and it has solved the problem, but I don't like having to change the routing table of every server in my network.

Is there some kind of relationship between VPN configuration and that behavior? If not, can anybody think where the problem can be? I'm completely lost this time.

Thanks in advance,
Javier Prieto Martínez
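As an added illustration, not part of Javier's message or of FW-1 itself: a small Python model of a stateful firewall that records a connection when it sees the SYN and drops any later packet it has no entry for, run over the two reply paths from the sketch above. The addresses, the state-table layout and the log text are constructed for the example.

```python
"""Model of a stateful firewall under asymmetric routing (added example).
The client's SYN leaves through OTHER FW; the server's reply follows the
default route through MY FW, which never saw the SYN."""

# Constructed addresses standing in for the CLIENT and SERVER boxes.
CLIENT, SERVER = "10.0.2.10", "10.0.1.20"


class StatefulFirewall:
    """Keeps a table of connections it saw a SYN for.  A non-SYN packet that
    matches no entry is an 'unknown established' packet and is dropped."""

    def __init__(self, name):
        self.name = name
        self.table = set()   # (src, dst) pairs whose SYN passed this firewall
        self.log = []        # constructed drop messages, one per dropped packet

    def inspect(self, src, dst, flags):
        if flags == "SYN":
            self.table.add((src, dst))   # new connection: create state
            return "accept"
        # Any other packet must belong to a known connection, either direction
        if (src, dst) in self.table or (dst, src) in self.table:
            return "accept"
        self.log.append(f"{self.name}: rule 0 drop {src}->{dst} {flags}: "
                        "unknown established TCP packet")
        return "drop"


def simulate(server_reply_path):
    """Client->server always crosses OTHER FW; the server's reply crosses the
    firewall named by server_reply_path.  Returns (verdicts, MY FW drop log)."""
    my_fw, other_fw = StatefulFirewall("MY FW"), StatefulFirewall("OTHER FW")
    fws = {"MY FW": my_fw, "OTHER FW": other_fw}
    verdicts = [other_fw.inspect(CLIENT, SERVER, "SYN")]
    verdicts.append(fws[server_reply_path].inspect(SERVER, CLIENT, "SYN/ACK"))
    return verdicts, my_fw.log


if __name__ == "__main__":
    # Default route: reply hits MY FW with no state -> dropped by rule 0
    print(simulate("MY FW"))
    # Direct route to the clients (the workaround): both halves cross OTHER FW
    print(simulate("OTHER FW"))
```

The second run reproduces the workaround described in the post: once both directions cross the same firewall, that firewall holds the state and the reply is accepted.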