Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] LinkProof, FW-1, and "unknown established TCP packet"s on SMTP

To: [email protected]
Subject: Re: [FW-1] LinkProof, FW-1, and "unknown established TCP packet"s on SMTP
From: Larry <[email protected]>
Date: Thu, 10 Jan 2002 06:36:24 -0800
In-reply-to: <2335F28384FC3241BCB30ADECBD2D490277482@cheeseball.external.osr.com>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

We have (happily) used LinkProofs for almost a year
without any SMTP issues. Our mail server has a static
NAT address for each T1 and we map URLs to local IP so
that inbound and outbound traffic is balanced.

When first installed SMTP worked with 2.16(?) but in
order for our VPNs to work we had to use the No NAT
feature found in 3.11 and higher. We are currently
running 3.30.03.

One difference from your setup is that we have private
addressing on the internal servers. If your config has
an actual address of 1.1.1.1 and you have it NATed to
1.1.1.1 on original ISP and 2.2.2.2 on new ISP then I
am not sure what will happen.

How long is your client aging time for SMTP? If the
response comes back after the LP has cleared the
connection it will pass the packet through without
un-NATing it and that could cause these messages.

Can you provide a layout of the IP subnets around the
LP and server (using sample addresses) as well as NAT
info?

--- "Peter G. Viscarola" <[email protected]> wrote:
> IP330 with FW-1 V4.1, SP5.
>
> For months we've been running this FW1 between a T1
> and our DMZ, which has a
> mail and a list server on it.  It's been running
> fine.
>
> Yesterday, we added another T1 (from a different
> ISP) and a LinkProof box
> (by RadWare) to load balance both incoming and
> outgoing traffic between the
> two T1s.  (The LinkProof box also NATs traffic from
> the new ISP's network
> address to the original ISPs network address, and
> sends it off to the FW1
> who then dutifully sends it on to our DMZ).  Our web
> server is working fine
> in this new configuration.
>
> Unfortunately, we're getting problems with SMTP
> packets, both incoming and
> outgoing, on both our mail and exchange server.  The
> problem is that many
> SMTP packets are dropped with "unknown established
> TCP packets".
>
> Many mail requests succeed.  About 20 a minute fail.
>  The problem is not
> confined to specific remote IP address, or outbound
> T1.  We're seeing errors
> for both incoming and outgoing mail.
>
> The folks who make the LinkProof are stumped, at
> least so far.
>
> Anybody have any ideas?  Seen this before?  Lacking
> that, anybody actually
> using a LinkProof to loadBalance SMTP traffic
> outside a firewall-1?
>
> Thanks,
>
> Peter
>
>

__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

References:
- [FW-1] LinkProof, FW-1, and "unknown established TCP packet"s on SMTP
  - From: "Peter G. Viscarola" <[email protected]>

Prev by Date: Re: [FW-1] A little offtopic - ipchains
Next by Date: Re: [FW-1] SecuRemote and Cisco Pix
Previous by thread: [FW-1] LinkProof, FW-1, and "unknown established TCP packet"s on SMTP
Next by thread: [FW-1] AntiSpoofing
Index(es):
- Date
- Thread