
[FW-1] AW: [FW-1] Syn for established connection



Hi!

Perhaps this Check Point workaround is your solution!

Bye
Marco


************************************************************************
*************************************************
What to do when receiving errors in Log Viewer: "th_flags ##
message_info TCP packet out of state"

Solution ID: skI4308
Creation Date: 08/16/2001
Revised Date: 11/30/2001


Environment: Check Point NG, FireWall-1 NG, VPN-1 NG, Rule 0, Non SYN
packet, Connections table, Kernel, TCP, Logging

Symptoms:
Error in Log Viewer: "th_flags ## message_info TCP packet out of
state". Drop logs on rule 0.

Cause:
This error means that VPN-1/FireWall-1 intercepted a non-Syn packet
which does not have an entry in the FireWall's connections table.
FireWall-1 will therefore drop the packet. This error is the equivalent
of the VPN-1/FireWall-1 4.1 error message: "Unknown established TCP
packet". In VPN-1/FireWall-1 NG the mechanism has been improved and the
log may show more drops on rule 0 than were seen in FireWall-1 4.1. The
error can be the result of several possible causes:

1. Dropping packets belonging to expired connections. Increasing the
timeout of the related service can improve the situation.

2. Dropping packets after policy unload and load. In this case
connections established when there is no policy are out of state, and
cannot be matched to packets of already established connections.

3. Situations involving asymmetric routing, where all the TCP handshake
packets were missed.

4. Direction enforcement for unidirectional connections, where packet
flow is in the opposite direction to the connection direction.

5. TCP handshake direction enforcement, where some of the TCP handshake
packets are in the wrong direction.

Solution:
To allow non-Syn packets which do not have state information in the
connections table to be matched against the Rule Base:

On FireWall-1 NG FP1 and above
========================
Using dbedit, edit the following property to "1" in the objects_5_0.C:
:fw_allow_out_of_state_tcp (0)

On FireWall-1 NG HF2 (Hotfix-2)
========================

UNIX
--------
1. Stop the FireWall (fwstop)

2. Perform the following platform-dependent command:

Solaris:

Add the following line to the /etc/system file
set fw:fw_allow_out_of_state_tcp = 1

Linux:

Add the following parameter to the $FWDIR/bin/fwstart script. The change
should look like this:

BEFORE -

. . . . insmod $smp_prefix -f $fwmod kver=$kver . . . . .

AFTER -

. . . . insmod $smp_prefix -f $fwmod kver=$kver fw_allow_out_of_state_tcp = 1 . . . .

3. Reboot the machine!

Windows NT / 2000
-----------------------------
1. Add the following DWORD to the registry under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters

A variable named AllowOutOfStateTCP should be added with a value of 1.

2. Reboot!



NOTE: If one wishes to just prevent these logs from getting into the Log
Viewer proceed as follows:

UNIX
--------
1. Stop the FireWall (fwstop)

2. Perform the following platform-dependent command:

Solaris:

Add the following line to the /etc/system file
set fw:fw_log_out_of_state_tcp = 0

Linux:

Add the following parameter to the $FWDIR/bin/fwstart script. The change
should look like this:

BEFORE -

. . . . insmod $smp_prefix -f $fwmod kver=$kver . . . . .

AFTER -

. . . . insmod $smp_prefix -f $fwmod kver=$kver fw_log_out_of_state_tcp = 0 . . . .


3. Reboot the machine!

Windows NT / 2000
-----------------------------
1. Add the following DWORD to the registry under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters

A variable named DisableLogOutOfStateTCP should be added with a value of
1.

2. Reboot the machine!
************************************************************************
*************************************************
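As an added example that is not from the article or from Check Point, the following Python toy reproduces the connections-table decision the Cause section describes (handshake seen, entry expired, table emptied by a policy reload, handshake never seen) and shows what the two named parameters toggle. The class and function names, the addresses, ports and timestamps are all constructed for illustration.

```python
# Added example, not Check Point code: toy connections table; all values constructed.
from collections import namedtuple
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # TCP flag bits
Packet = namedtuple("Packet", "src dst dport flags t")  # t = arrival time, seconds


@dataclass
class ToyFirewall:
    # Settings carry the article's parameter names; the modelled behaviour is an assumption.
    allow_out_of_state_tcp: bool = False
    log_out_of_state_tcp: bool = True
    tcp_timeout: float = 3600.0
    table: dict = field(default_factory=dict)  # (src, dst, dport) -> last seen
    logs: list = field(default_factory=list)

    def reload_policy(self) -> None:
        self.table.clear()  # policy unload/load empties the table (cause 2)

    def inspect(self, p: Packet) -> str:
        key = (p.src, p.dst, p.dport)
        if p.flags & SYN:  # handshake seen: create state (rule base assumed to allow)
            self.table[key] = p.t
            return "accept"
        last = self.table.get(key)
        if last is not None and p.t - last <= self.tcp_timeout:
            self.table[key] = p.t  # in state: refresh the entry
            return "accept"
        if last is not None:
            del self.table[key]  # idle longer than the service timeout (cause 1)
        if self.allow_out_of_state_tcp:  # fw_allow_out_of_state_tcp = 1
            self.table[key] = p.t  # matched against the rule base instead of rule 0
            return "accept"
        if self.log_out_of_state_tcp:  # fw_log_out_of_state_tcp = 1
            self.logs.append(f"rule 0 drop: th_flags {p.flags:#04x} "
                             f"message_info TCP packet out of state {key}")
        return "drop"


def scenario(allow: bool = False) -> tuple:
    # Replay constructed traffic that triggers causes 1, 2 and 3; return verdicts and logs.
    fw = ToyFirewall(allow_out_of_state_tcp=allow, tcp_timeout=60)
    c = ("10.0.0.5", "192.0.2.10", 443)
    verdicts = [fw.inspect(Packet(*c, SYN, 0)),    # handshake seen
                fw.inspect(Packet(*c, ACK, 10)),   # in state
                fw.inspect(Packet(*c, ACK, 100))]  # cause 1: 90 s idle > 60 s timeout
    fw.inspect(Packet(*c, SYN, 101))               # new handshake, then a policy reload
    fw.reload_policy()
    verdicts.append(fw.inspect(Packet(*c, ACK, 102)))                      # cause 2
    verdicts.append(fw.inspect(Packet("10.0.0.6", c[1], c[2], ACK, 103)))  # cause 3
    return verdicts, fw.logs
```

Running scenario() with the default drops the three out-of-state packets on rule 0 and logs each; scenario(allow=True) lets them through to the rule base, which is the trade-off the Solution section's parameter makes.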




   All contents © 2004 Network Presence, LLC. All rights reserved.