[FW-1] Unknown established TCP packet
Hi,

I have brought this subject up several times and, after experiencing problems again with this error message, I would like to find out what's going on here. I hope someone can add something useful to this discussion and hopefully it becomes clear why this is happening and what can be done to prevent it from happening again. I'd be one happy FW admin.. ;-))

I have experienced problems with this in two different setups. The first setup was a Nokia IP440 running IPSO 3.4 with FW-1 SP 4 and the second setup was a Nokia IP530 loaded with IPSO 3.3 and FW-1 4.1 SP 3. On both occasions I have disabled Flows (through the 'ipsofwd slowpath' command and by editing the fwstart and rc.fwload scripts). Only in the IP530 setup have I tried to uncomment the line #define ALLOW_NON_SYN_RULEBASE_MATCH in $FWDIR/lib/fwui_head.def, but unfortunately to no avail..

The connections affected by this error are all TCP protocols like http, ssh and database traffic. SSH and database traffic (to Informix databases on port 1526) are affected with user impact. Connections drop and database queries seem to freeze up.. The effects on http traffic are a little less evident, but clearly visible in the log as affected. Traffic originates from different subnets and from behind different interfaces. I have connected three interfaces as internal and one to the Internet which works as external (quite naturally).

As it affects almost all TCP protocols I doubt that it is something application specific. I also rule out any network problems. All links to the firewall are either 100 Mbit / FD or 10 Mbit / HD, correctly configured on both sides..

I have no problems running either IPSO 3.2.1 with FW-1 4.1 SP 1 or Solaris 7 running FW-1 4.1 SP 2.... If the theory is right and it is the Non-ACK setting that is not applicable in SP 1, then it would be clear that it works on IPSO 3.2.1 with SP 1. But why do I have no problems with a Solaris 7 and SP 2 setup??
I checked the $FWDIR/lib/fwui_head.def file on this system and I can't find the #define ALLOW_NON_SYN_RULEBASE_MATCH line at all.. So to me that should mean that the Non-ACK check is present in the software (it's not explicitly uncommented..) and therefore I should also have had problems with the Solaris config, which I haven't... This leads me to believe there's something wrong with the Flows mechanism and the Non-ACK check in IPSO.. But then again, I have disabled Flows in both setups, so why does the error still pop up???

As said, I have followed the steps advised in Nokia Knowledge Base resolutions 3317 (which handles the specific log error incl. the line in $FWDIR/lib/fwui_head.def) and 4188 (disabling Flows). The nearest resolution which might be describing this problem is 5034, but this mentions the dropping of connections in an HA/VRRP config, which I don't use.. So to me, it isn't applicable. As also said, those workarounds do not work..

Am I forgetting something?? Do I need to upgrade?? The latter seems unrealistic to me as the newest release notes for IPSO (3.4.1) and the FW-1 version (4.1 SP5 incl. hotfix) do not mention any fixes for either problem..

I hope someone can help me..

Greetz,
Nils Kolstein
Internetworking Engineer
ICT Access Services
Planet Media Group
E-mail: [email protected]
tel: (+31)
fax: (+31)
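To make the mechanism behind the log message concrete, here is a toy model of a stateful TCP firewall's non-SYN check. It is an added illustration, not code from Check Point, Nokia or the poster, and it does not reproduce FW-1's real implementation: the rule format, the addresses, the "forget_all_state" step that stands in for a lost connection-table entry, and the exact wording of the log line are all constructed assumptions. It shows why a mid-session packet gets dropped and logged as an unknown established TCP packet once the firewall no longer has a state entry for the connection, and how a non-SYN rulebase match changes that outcome by re-evaluating such packets against the rulebase instead of dropping them outright.

```python
"""Toy model of a stateful firewall's handling of TCP packets without state.

Added example (constructed); not FW-1's actual code or data structures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    src_prefix: str  # assumed rule format: textual prefix of the allowed source
    dport: int
    action: str      # "accept" or "drop"


class StatefulFirewall:
    def __init__(self, rules, allow_non_syn_rulebase_match=False):
        self.rules = rules
        # Models the effect of the ALLOW_NON_SYN_RULEBASE_MATCH define
        # in the post; the real semantics are assumed, not copied.
        self.allow_non_syn = allow_non_syn_rulebase_match
        self.state = set()  # known connections as 4-tuples
        self.log = []

    def rulebase_accepts(self, pkt):
        """First matching rule wins; no match means the implicit cleanup drop."""
        for rule in self.rules:
            if pkt.src.startswith(rule.src_prefix) and pkt.dport == rule.dport:
                return rule.action == "accept"
        return False

    def handle(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            return "accept"  # established connection, fast path
        if pkt.syn:
            if self.rulebase_accepts(pkt):
                self.state.add(key)  # new connection enters the state table
                return "accept"
            return "drop"
        # Non-SYN packet with no state entry: this is the case that
        # produces the "unknown established TCP packet" log entry.
        if self.allow_non_syn and self.rulebase_accepts(pkt):
            self.state.add(key)  # rebuilt the entry from the rulebase
            return "accept"
        self.log.append(
            f"unknown established TCP packet "
            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        )
        return "drop"

    def forget_all_state(self):
        """Constructed stand-in for losing connection-table entries mid-session."""
        self.state.clear()


def run_scenario(allow_non_syn_rulebase_match):
    """Open a database connection, then lose its state and send more data.

    Returns the list of per-packet decisions and the firewall log.
    """
    # Constructed sample rulebase and addresses.
    rules = [Rule("10.1.", 1526, "accept"), Rule("10.1.", 22, "accept")]
    fw = StatefulFirewall(rules, allow_non_syn_rulebase_match)
    client, server = "10.1.2.3", "10.9.0.5"
    syn = Packet(client, 40000, server, 1526, syn=True)
    data = Packet(client, 40000, server, 1526, syn=False)

    decisions = [fw.handle(syn), fw.handle(data)]
    fw.forget_all_state()  # connection entry vanishes while the session is live
    decisions.append(fw.handle(data))  # the query packet that "freezes"
    return decisions, fw.log


if __name__ == "__main__":
    for flag in (False, True):
        decisions, log = run_scenario(flag)
        print(f"non-SYN rulebase match={flag}: {decisions} log={log}")
```

With the non-SYN rulebase match off, the third packet is dropped and logged even though the rulebase would have allowed the connection, which matches the symptom of sessions freezing rather than failing cleanly; with it on, the packet is re-matched against the rulebase and the state entry is rebuilt, while packets from a source the rulebase does not permit are still dropped and logged.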