[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [FW-1] AW: [FW-1] Syn for established connection
Hi ! Perhaps this checkpoint workaround is you solution ! Bye Marco ************************************************************************ ************************************************* What to do when receiving errors in Log Viewer: "th_flags ## message_info TCP packet out of state" Solution ID: skI4308 Creation Date: 08/16/2001 Revised Date: 11/30/2001 Email this solution Rate this solution Environment: Check Point NG, FireWall-1 NG, VPN-1 NG, Rule 0, Non SYN packet, Connections table, Kernel, TCP, Logging Symptoms: Error in Log Viewer: "th_flags ## message_info TCP packet out of state"Drop logs on rule 0 Cause: This error means that VPN-1/FireWall-1 intercepted a non-Syn packet which does not have an entry in the FireWall's connections table. FireWall-1 will therefore drop the packet. This error is the equivalent to the VPN-1/FireWall-1 4.1 error message: "Unknown established TCP packet". In VPN-1/FireWall-1 NG the mechanism has been improved and the log may show more drops on rule 0 than were seen in FireWall-1 4.1. The error can be the result of several possible causes: 1. Dropping packets belonging to expired connections. Increasing the timeout of the related service can improve the situation. 2. Dropping packets after policy unload and load. In this case connections established when there is no policy are out of state, and cannot be matched to packets of already established connections. 3. Situations involving asymmetric routing, where all the TCP handshake packets were missed. 4. Direction enforcement for unidirectional connections, where packet flow is in the opposite direction to the connection direction. 5. TCP handshake direction enforcement, where some of the TCP handshake packets are in the wrong direction. Solution: To allow non-Syn packets which do not have state information in the connections table to be matched against the Rule Base: On FireWall-1 NG FP1 and above ======================== Using dbedit, edit the following property to "1" in the objects_5_0.C: :fw_allow_out_of_state_tcp (0) Press here to learn how to use dbedit On FireWall-1 NG HF2 (Hotfix-2) ======================== UNIX -------- 1. Stop the FireWall (fwstop) 2. Perform the following platform dependant command: Solaris: Add the following line to the /etc/system file set fw:fw_allow_out_of_state_tcp = 1 Linux: Add the following parameter to the $FWDIR/bin/fwstart script. The change should look like this: BEFORE - . . . . insmod $smp_prefix -f $fwmod kver=$kver . . . . . AFTER - . . . . insmod $smp_prefix -f $fwmod kver=$kver fw_allow_out_of_state_tcp = 1. . . . 3. Reboot the machine ! Windows NT / 2000 ----------------------------- 1. Add the following DWORD to the registry under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters A variable named AllowOutOfStateTCP should be added with a value of 1. 2. Reboot ! NOTE: If one wishes to just prevent these logs from getting into the Log Viewer proceed as follows: UNIX -------- 1. Stop the FireWall (fwstop) 2. Perform the following platform dependant command: Solaris: Add the following line to the /etc/system file set fw:fw_log_out_of_state_tcp = 0 Linux: Add the following parameter to the $FWDIR/bin/fwstart script. The change should look like this: BEFORE - . . . . insmod $smp_prefix -f $fwmod kver=$kver . . . . . AFTER - . . . . insmod $smp_prefix -f $fwmod kver=$kver fw_log_out_of_state_tcp = 0. . . . 3. Reboot the machine ! Windows NT / 2000 ----------------------------- 1. Add the following DWORD to the registry under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters A variable named DisableLogOutOfStateTCP should be added with a value of 1. 2. Reboot the machine ! ************************************************************************ ************************************************* ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|