[FW-1] SYN packet for established connection -- message in NG log -- what does it mean?

["Grabowski, David" <david.grabowski@FW1-NOSPAMUS.MIZUHO-SC.COM>]

Our environment includes a bunch of IP440's managed by a W2K-based
management station. All machines are running freshly installed copies of
NG FP1.

A nagging problem is with dropped packets that appear in the logs. There
is NO rule number associated with the drop, and the "Info" field
includes the text:

"th_flags 2 message_info SYN packet for established connection"

Note that this only occurs for a particular type of traffic (TCP, source
port varies but is usually 8198 or 8199, destination of 8194) for a
particular applicetion.

We have an open case with Nokia on this issue -- they have not yet come
up with an explanation as to what this message means. My best guess is
that the firewalls are dropping the packet because it is attempting to
establish a TCP connection that is identical to a connection that
already exists in the connections table. To ensure that this was not the
case, we bounced all the firewalls to clear their connections table
(yes, I know there are other ways to do this). Needless to say, as soon
as the firewalls came back online, they started dropping the traffic
again.

Any ideas?

---------------------------------------------------
David Grabowski
Fuji Securities, Equities Division=================================================
To set vacation, Out Of Office, or away messages,
send an email to LISTSERV@lists.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================