[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] SYN packet for established connection -- message in NG log -- what does it mean?
This is a follow-up to my original posting. I solved the problem, although the solution is, in my opinion, not an ideal one, since it alters a default behavior of FW-1. A number of people have replied to me off-line asking if the issue was solved. It's best to post a summary here. First, a bit of what I've learned about the FW-1 state table: - An established TCP session will, by default, have a lifetime of 3600 seconds in the connections table. Every packet that traverses the session will re-set the timer. Note that the lifetime is configurable for each service in NG. - After a session is closed (via FIN or RST packets), it enters a "half-closed" state in FW-1. It remains in the connections table, but its lifetime is reduced to 50 seconds. Note that this lifetime is a global setting (tcpendtimeout) - If a new connection is attempted (a SYN packet) that matches the "half-closed" connection (meaning same source and destination IP's and ports), it is dropped by the firewall as "SYN packet for established connection" (even though the connection is no longer 'established'), and the timer is re-set to 50 seconds. The application that I am using uses statically-coded source ports for its communications. This was done to allow the product to work with non-stateful firewalls. Obviously, that's really not an issue anymore, and the vendor is now planning to re-code their software to use dynamic source ports. The problem arises from the fact that the application will frequently close connections, and then in less than 50 seconds, it will open them again. The "solution" was to decrease the default timer for half-closed connections (tcpendtimeout) to a much smaller value -- 10 seconds. So far, we haven't run into any problems with the application since the change. This does leave the potential for sessions to not properly close, but for the most part, I think that the likelihood of a session taking more than 10 seconds to close is relatively small. For info on how to change the 'tcpendtimeout' parameter in NG, see the knowledgebase. You need to use the 'dbedit' utility on your management station. -Dave -----Original Message----- From: Grabowski, David Sent: Wednesday, February 27, 2002 12:13 PM To: [email protected] Subject: [FW-1] SYN packet for established connection -- message in NG log -- what does it mean? Our environment includes a bunch of IP440's managed by a W2K-based management station. All machines are running freshly installed copies of NG FP1. A nagging problem is with dropped packets that appear in the logs. There is NO rule number associated with the drop, and the "Info" field includes the text: "th_flags 2 message_info SYN packet for established connection" Note that this only occurs for a particular type of traffic (TCP, source port varies but is usually 8198 or 8199, destination of 8194) for a particular applicetion. We have an open case with Nokia on this issue -- they have not yet come up with an explanation as to what this message means. My best guess is that the firewalls are dropping the packet because it is attempting to establish a TCP connection that is identical to a connection that already exists in the connections table. To ensure that this was not the case, we bounced all the firewalls to clear their connections table (yes, I know there are other ways to do this). Needless to say, as soon as the firewalls came back online, they started dropping the traffic again. Any ideas? --------------------------------------------------- David Grabowski Fuji Securities, Equities Division================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] ================================================= ##################################################################################### CONFIDENTIAL: This e-mail, including its contents and attachments, if any, are confidential. It is neither an offer to buy or sell, nor a solicitation of an offer to buy or sell, any securities or any related financial instruments mentioned in it. If you are not the named recipient please notify the sender and immediately delete it. You may not disseminate, distribute, or forward this e-mail message or disclose its contents to anybody else. Unless otherwise indicated, copyright and any other intellectual property rights in its contents are the sole property of Mizuho Securities USA Inc. E-mail transmission cannot be guaranteed to be secure or error-free. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Although we routinely screen for viruses, addressees should check this e-mail and any attachments for viruses. We make no representation or warranty as to the absence of viruses in this e-mail or any attachments. Please note that to ensure regulatory compliance and for the protection of our customers and business, we may monitor and read e-mails sent to and from our server(s). ##################################################################################### ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|