
Re: [FW-1] SYN packet for established connection -- message in NG log -- what does it mean?


  • To: [email protected]
  • Subject: Re: [FW-1] SYN packet for established connection -- message in NG log -- what does it mean?
  • From: "Grabowski, David" <[email protected]>
  • Date: Fri, 5 Apr 2002 12:11:50 -0500
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcG/sg01yjWAZUemRMKolCL2flf6tQdDegqQ
  • Thread-topic: SYN packet for established connection -- message in NG log -- what does it mean?

This is a follow-up to my original posting. I solved the problem,
although the solution is, in my opinion, not an ideal one, since it
alters a default behavior of FW-1. A number of people have replied to me
off-line asking if the issue was solved. It's best to post a summary
here.

First, a bit of what I've learned about the FW-1 state table:

- An established TCP session will, by default, have a lifetime of 3600
seconds in the connections table. Every packet that traverses the
session will re-set the timer. Note that the lifetime is configurable
for each service in NG.

- After a session is closed (via FIN or RST packets), it enters a
"half-closed" state in FW-1. It remains in the connections table, but
its lifetime is reduced to 50 seconds. Note that this lifetime is a
global setting (tcpendtimeout).

- If a new connection is attempted (a SYN packet) that matches the
"half-closed" connection (meaning same source and destination IP's and
ports), it is dropped by the firewall as "SYN packet for established
connection" (even though the connection is no longer 'established'), and
the timer is re-set to 50 seconds.

The application that I am using uses statically-coded source ports for
its communications. This was done to allow the product to work with
non-stateful firewalls. Obviously, that's really not an issue anymore,
and the vendor is now planning to re-code their software to use dynamic
source ports.

The problem arises from the fact that the application will frequently
close connections, and then in less than 50 seconds, it will open them
again.

The "solution" was to decrease the default timer for half-closed
connections (tcpendtimeout) to a much smaller value -- 10 seconds. So
far, we haven't run into any problems with the application since the
change.

This does leave the potential for sessions to not properly close, but
for the most part, I think that the likelihood of a session taking more
than 10 seconds to close is relatively small.

For info on how to change the 'tcpendtimeout' parameter in NG, see the
knowledgebase. You need to use the 'dbedit' utility on your management
station.

-Dave

-----Original Message-----
From: Grabowski, David
Sent: Wednesday, February 27, 2002 12:13 PM
To: [email protected]
Subject: [FW-1] SYN packet for established connection -- message in NG
log -- what does it mean?


Our environment includes a bunch of IP440's managed by a W2K-based
management station. All machines are running freshly installed copies of
NG FP1.

A nagging problem is with dropped packets that appear in the logs. There
is NO rule number associated with the drop, and the "Info" field
includes the text:

"th_flags 2 message_info SYN packet for established connection"

Note that this only occurs for a particular type of traffic (TCP, source
port varies but is usually 8198 or 8199, destination of 8194) for a
particular application.

We have an open case with Nokia on this issue -- they have not yet come
up with an explanation as to what this message means. My best guess is
that the firewalls are dropping the packet because it is attempting to
establish a TCP connection that is identical to a connection that
already exists in the connections table. To ensure that this was not the
case, we bounced all the firewalls to clear their connections table
(yes, I know there are other ways to do this). Needless to say, as soon
as the firewalls came back online, they started dropping the traffic
again.

Any ideas?

---------------------------------------------------
David Grabowski
Fuji Securities, Equities Division
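A toy model of the connection-table behaviour Dave describes above, added here as an illustration (it is not Check Point code and not the poster's). The 3600 s and 50 s lifetimes and the drop-plus-timer-reset rule are taken from the post; the addresses, the open/close timing and the `replay` helper are constructed.

```python
from dataclasses import dataclass, field

ESTABLISHED_TIMEOUT = 3600  # default lifetime of an established TCP session (from the post)
DEFAULT_TCPENDTIMEOUT = 50  # default lifetime of a half-closed entry, 'tcpendtimeout' (from the post)
SYN_FOR_ESTABLISHED = "th_flags 2 message_info SYN packet for established connection"

@dataclass
class Entry:
    state: str      # "established" or "half-closed"
    expires: float  # simulated clock value at which the entry is purged

@dataclass
class ConnTable:
    """Toy model of the FW-1 connections table; hypothetical, not Check Point code."""
    tcpendtimeout: int = DEFAULT_TCPENDTIMEOUT
    table: dict = field(default_factory=dict)
    drops: list = field(default_factory=list)

    def packet(self, now, key, flags):
        """key = (src_ip, src_port, dst_ip, dst_port); flags is a set of TCP flag names."""
        for k in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[k]  # purge entries whose timer has run out
        entry = self.table.get(key)
        if "SYN" in flags and "ACK" not in flags:
            if entry is None:
                self.table[key] = Entry("established", now + ESTABLISHED_TIMEOUT)
                return "accept"
            # a SYN matching an existing entry is dropped with no rule number;
            # for a half-closed entry the post says the tcpendtimeout timer is re-armed
            if entry.state == "half-closed":
                entry.expires = now + self.tcpendtimeout
            self.drops.append((now, key, SYN_FOR_ESTABLISHED))
            return "drop"
        if entry is None:
            return "drop"  # out-of-state packet; simplification of the real policy
        if "FIN" in flags or "RST" in flags:
            entry.state = "half-closed"
            entry.expires = now + self.tcpendtimeout
        elif entry.state == "established":
            entry.expires = now + ESTABLISHED_TIMEOUT  # every packet re-arms the session timer
        return "accept"

def replay(tcpendtimeout, reopen_after):
    """Static source port 8198 -> 8194: open at t=0, close at t=5, reopen reopen_after s later."""
    fw = ConnTable(tcpendtimeout)
    key = ("10.0.0.5", 8198, "10.0.0.9", 8194)  # constructed addresses, ports from the post
    fw.packet(0, key, {"SYN"})
    fw.packet(1, key, {"ACK"})
    fw.packet(5, key, {"FIN", "ACK"})
    return fw.packet(5 + reopen_after, key, {"SYN"})
```

`replay(50, 30)` reproduces the drop with the default timer, while `replay(10, 30)` shows the reopen being accepted once tcpendtimeout is lowered to 10 s.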
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================