These are state sync errors, and Check Point has released a patch for IPSO; Nokia also has a modzap that addresses the problem. See Nokia KB articles 6027 and 1578.

This doesn't address the question of why your firewall is generating http requests to some auction site. You may wish to investigate that further...

HTH
Dan Hitchcock
CCNP, CCSE, MCSE
Security Analyst
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

-----Original Message-----
From: Jarmoc, Jeff [mailto:[email protected]]
Sent: Monday, August 06, 2001 11:43 AM
To: [email protected]
Cc: Kirschner, Brian
Subject: [FW1] IP650 crashing / FIN_WAIT_1

I'm hoping someone out there can help me. I'm running an IP650 with IPSO 3.3 and FW-1 SP3. Occasionally, the firewall begins dropping packets, and then shortly after crashes, to the point where we can't even console into it. This morning, as it was occurring I noticed some interesting things.

Just prior to the crash, and ever since, I'm receiving the following messages quite often via syslog;

Aug 6 11:14:41 <firewall_name_removed> [LOG_CRIT] kernel: FW-1: Warning: modify for a new entry:
Aug 6 11:14:41 <firewall_name_removed> [LOG_CRIT] kernel: <c0a82e01,a1,c0a82e1d,0,11;0,4000,0> <0 : =0 22>

At first they appeared to be logging randomly, but now it's every five minutes.

Also, I ran an fwinfo just prior to the crash, during the packet loss, and I noticed several (thousands) entries in the netstat -na section similar to the following;

tcp 0 362 <firewall_IP_removed>.1571 63.209.5.150.80 FIN_WAIT_1
tcp 0 334 <firewall_IP_removed>.1572 63.209.5.150.80 FIN_WAIT_1
tcp 0 417 <firewall_IP_removed>.1573 63.209.5.150.80 FIN_WAIT_1
tcp 0 406 <firewall_IP_removed>.1574 63.209.5.150.80 FIN_WAIT_1
tcp 0 285 <firewall_IP_removed>.1575 63.209.5.140.80 FIN_WAIT_1
tcp 0 385 <firewall_IP_removed>.1577 63.209.5.150.80 FIN_WAIT_1

63.209.5.140 resolves to part of honesty.com, which provides some internet auction services such as counters and things.

My first thought was that this was some sort of DOS, but given the source, I doubt it's intentional. Does anyone have any ideas?

Thanks in advance!
Jeff Jarmoc - CCSA, CCNA, MCSE
Network Analyst - Grubb & Ellis
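
Added example, not part of either message above: one way to triage the `netstat -na` section described in the original post is to count sockets per remote endpoint in a given TCP state, so a pile-up of FIN_WAIT_1 toward one destination stands out. The sample input is constructed in BSD `netstat` layout, 192.0.2.1 is a placeholder for the redacted firewall address, and the function names and threshold are assumptions.

```python
from collections import Counter

# Constructed sample in BSD `netstat -na` layout; 192.0.2.1 stands in for
# the firewall address that the post redacts.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0    362  192.0.2.1.1571         63.209.5.150.80        FIN_WAIT_1
tcp        0    334  192.0.2.1.1572         63.209.5.150.80        FIN_WAIT_1
tcp        0    417  192.0.2.1.1573         63.209.5.150.80        FIN_WAIT_1
tcp        0    285  192.0.2.1.1575         63.209.5.140.80        FIN_WAIT_1
tcp        0      0  192.0.2.1.22           192.0.2.50.4021        ESTABLISHED
tcp        0      0  *.22                   *.*                    LISTEN
udp        0      0  *.514                  *.*
"""

def split_endpoint(field):
    """Split a BSD-style 'addr.port' field on its last dot."""
    addr, _, port = field.rpartition(".")
    return addr, port

def parse_netstat(text):
    """Yield (local, remote, state, send_q) for each TCP line that has a state."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].startswith("tcp"):
            continue  # headers, UDP lines, and anything without a state column
        if not parts[2].isdigit():
            continue
        yield split_endpoint(parts[3]), split_endpoint(parts[4]), parts[5], int(parts[2])

def stuck_by_remote(text, state="FIN_WAIT_1"):
    """Map remote (addr, port) -> (socket count, total unsent Send-Q bytes)."""
    counts, queued = Counter(), Counter()
    for _local, remote, st, send_q in parse_netstat(text):
        if st == state:
            counts[remote] += 1
            queued[remote] += send_q
    return {r: (counts[r], queued[r]) for r in counts}

def flag(text, threshold=3, state="FIN_WAIT_1"):
    """Return remotes with at least `threshold` sockets in `state`, busiest first."""
    hits = [(r, n, q) for r, (n, q) in stuck_by_remote(text, state).items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for (addr, port), n, q in flag(SAMPLE):
        print(f"{addr}:{port}  FIN_WAIT_1={n}  send-q bytes={q}")
```

A non-zero Send-Q on a FIN_WAIT_1 socket means the local side still holds data the peer has not acknowledged, which is why the summary reports queued bytes alongside the count.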