RE: [FW1] IP650 crashing / FIN_WAIT_1



Well, the HTTP requests are coming from the auction site to us; someone else speculated it may be Code Red and I suppose that's possible.  Thanks a lot for those KB articles, we'll probably try that patch as it seems to describe our problem exactly.

Thanks again!

Jeff Jarmoc - CCSA, CCNA, MCSE
Network Analyst - Grubb & Ellis

 

-----Original Message-----
From: Dan Hitchcock [mailto:[email protected]]
Sent: Wednesday, August 08, 2001 11:57 AM
To: Jarmoc, Jeff; [email protected]
Cc: Kirschner, Brian
Subject: RE: [FW1] IP650 crashing / FIN_WAIT_1

These are state sync errors, and Check Point has released a patch for IPSO; Nokia also has a modzap that addresses the problem.  See Nokia KB articles 6027 and 1578.

This doesn't address the question of why your firewall is generating http requests to some auction site.  You may wish to investigate that further...

HTH

Dan Hitchcock
CCNP, CCSE, MCSE
Security Analyst
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com



-----Original Message-----
From: Jarmoc, Jeff [mailto:[email protected]]
Sent: Monday, August 06, 2001 11:43 AM
To: [email protected]
Cc: Kirschner, Brian
Subject: [FW1] IP650 crashing / FIN_WAIT_1



        I'm hoping someone out there can help me.  I'm running an IP650 with
IPSO 3.3 and FW-1 SP3.  Occasionally, the firewall begins dropping packets,
and then shortly after crashes, to the point where we can't even console
into it.  This morning, as it was occurring I noticed some interesting
things.
        Just prior to the crash, and ever since, I'm receiving the following
messages quite often via syslog;
                Aug  6 11:14:41 <firewall_name_removed> [LOG_CRIT] kernel: FW-1: Warning: modify for a new entry:
                Aug  6 11:14:41 <firewall_name_removed> [LOG_CRIT] kernel: <c0a82e01,a1,c0a82e1d,0,11;0,4000,0> <0 : =0 22>
At first they appeared to be logging randomly, but now it's every five
minutes.
        Also, I ran an fwinfo just prior to the crash, during the packet
loss, and I noticed several (thousands) entries in the netstat -na section
similar to the following;
tcp        0    362  <firewall_IP_removed>.1571    63.209.5.150.80    FIN_WAIT_1
tcp        0    334  <firewall_IP_removed>.1572    63.209.5.150.80    FIN_WAIT_1
tcp        0    417  <firewall_IP_removed>.1573    63.209.5.150.80    FIN_WAIT_1
tcp        0    406  <firewall_IP_removed>.1574    63.209.5.150.80    FIN_WAIT_1
tcp        0    285  <firewall_IP_removed>.1575    63.209.5.140.80    FIN_WAIT_1
tcp        0    385  <firewall_IP_removed>.1577    63.209.5.150.80    FIN_WAIT_1
63.209.5.140 resolves to part of honesty.com, which provides some internet
auction services such as counters and things.

        My first thought was that this was some sort of DOS, but given the
source, I doubt it's intentional.  Does anyone have any ideas?

Thanks in advance!

Jeff Jarmoc - CCSA, CCNA, MCSE
Network Analyst - Grubb & Ellis

          *********Internet Email Confidentiality Footer*********
This Message may include Confidential Information.  DISSEMINATION,
DISTRIBUTION OR COPYING OF THIS COMMUNICATION by anyone other than the
intended addressee IS PROHIBITED. If you are not the intended addressee of
this message (or responsible for delivery of the message to the addressee),
please destroy this message and kindly notify the sender by reply email.
Thank You


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
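
Added example, not part of the original thread or of any Check Point or Nokia tooling: a small shell/awk summary of the triage described in the first message, counting sockets per remote endpoint for one TCP state in BSD-style netstat -na output. The function names, the threshold and the sample lines (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Summarize BSD-style `netstat -na` output: count TCP sockets per
# remote endpoint for one state (default FIN_WAIT_1), highest first.
# Function names and the threshold are illustrative assumptions.

# count_state [STATE] -- reads netstat lines on stdin and prints
# "<count> <remote_addr.port>", sorted by count descending.
count_state() {
    state="${1:-FIN_WAIT_1}"
    awk -v want="$state" '
        # TCP rows: proto recv-q send-q local foreign state
        $1 ~ /^tcp/ && NF >= 6 && $6 == want { n[$5]++ }
        END { for (r in n) print n[r], r }
    ' | sort -k1,1nr -k2,2
}

# flag_stuck THRESHOLD -- prints only the remotes with at least
# THRESHOLD sockets in FIN_WAIT_1; returns 0 if any, 1 if none.
flag_stuck() {
    count_state FIN_WAIT_1 | awk -v t="$1" '
        $1 + 0 >= t + 0 { print; hit = 1 }
        END { exit !hit }
    '
}

# Constructed sample in the same layout as the post (not real data).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0    362  192.0.2.1.1571         198.51.100.150.80      FIN_WAIT_1
tcp        0    334  192.0.2.1.1572         198.51.100.150.80      FIN_WAIT_1
tcp        0    417  192.0.2.1.1573         198.51.100.150.80      FIN_WAIT_1
tcp        0    285  192.0.2.1.1575         198.51.100.140.80      FIN_WAIT_1
tcp        0      0  192.0.2.1.22           203.0.113.7.40022      ESTABLISHED
tcp        0      0  *.80                   *.*                    LISTEN
EOF
}

# On a live system: netstat -na | flag_stuck 100
sample_netstat | flag_stuck 3
```

A nonzero Send-Q on every FIN_WAIT_1 row, as in the post, means the local side still has unacknowledged data queued toward that remote.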

   All contents © 2004 Network Presence, LLC. All rights reserved.