
Re: [FW-1] Error "th_flags # message_info TCP packet out of state"



You are saying:
Use Network Time Protocol on all nodes + FW?
So it should be something with timing?

by
 Metod

>>> Brendan Laws <[email protected]> 3.7.2002 8:41:59 >>>
I have also seen this a lot,

It seemed to go away by itself when we made all the networks/hosts
behind the firewall use NTP as well as the firewalls.

Cheers

Brendan

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Wednesday, 3 July 2002 3:04 PM
To: [email protected]
Subject: Re: [FW-1] Error "th_flags # message_info TCP packet out of
state "


I am also having the same problem. I tried a solution from the web but
no luck for me.. maybe you can try..


Solution Title: What to do when receiving errors in Log Viewer:
"th_flags ## message_info TCP packet out of state"
Solution ID:  skI4308
Creation Date:  08/16/2001
Last Modified Date:  11/30/2001


Environment:  Check Point NG
FireWall-1 NG
VPN-1 NG
Rule 0
Non SYN packet
Connections table
Kernel
TCP
Logging



Symptoms:
Error in Log Viewer: "th_flags ## message_info TCP packet out of state"
Drop logs on rule 0


Cause: This error means that VPN-1/FireWall-1 intercepted a non-Syn
packet which does not have an entry in the FireWall's connections table.
FireWall-1 will therefore drop the packet.


This error is the equivalent to the VPN-1/FireWall-1 4.1 error message:
"Unknown established TCP packet". In VPN-1/FireWall-1 NG the mechanism
has been improved and the log may show more drops on rule 0 than were
seen in FireWall-1 4.1. The error can be the result of several possible
causes:


1. Dropping packets belonging to expired connections. Increasing the
   timeout of the related service can improve the situation.
2. Dropping packets after policy unload and load. In this case
   connections established when there is no policy are out of state,
   and cannot be matched to packets of already established connections.
3. Situations involving asymmetric routing, where all the TCP handshake
   packets were missed.
4. Direction enforcement for unidirectional connections, where packet
   flow is in the opposite direction to the connection direction.
5. TCP handshake direction enforcement, where some of the TCP handshake
   packets are in the wrong direction.

Solution: To allow non-Syn packets which do not have state information
in the connections table to be matched against the Rule Base:


On FireWall-1 NG FP1 and above
========================
Using dbedit, edit the following property to "1" in the objects_5_0.C:
:fw_allow_out_of_state_tcp (0)


On FireWall-1 NG HF2 (Hotfix-2)
========================


UNIX
--------
1. Stop the FireWall (fwstop)


2. Perform the following platform-dependent command:


Solaris:


Add the following line to the /etc/system file
set fw:fw_allow_out_of_state_tcp = 1


Linux:


Add the following parameter to the $FWDIR/bin/fwstart script. The change
should look like this:


BEFORE -


. . . . insmod $smp_prefix -f $fwmod kver=$kver . . . . .


AFTER -


. . . . insmod $smp_prefix -f $fwmod kver=$kver fw_allow_out_of_state_tcp = 1 . . . .


3. Reboot the machine !


Windows NT / 2000
-----------------------------
1. Add the following DWORD to the registry under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters

A variable named AllowOutOfStateTCP should be added with a value of 1.


2. Reboot !


NOTE: If one wishes to just prevent these logs from getting into the Log
Viewer proceed as follows:


UNIX
--------
1. Stop the FireWall (fwstop)


2. Perform the following platform-dependent command:


Solaris:


Add the following line to the /etc/system file
set fw:fw_log_out_of_state_tcp = 0


Linux:


Add the following parameter to the $FWDIR/bin/fwstart script. The change
should look like this:


BEFORE -


. . . . insmod $smp_prefix -f $fwmod kver=$kver . . . . .


AFTER -


. . . . insmod $smp_prefix -f $fwmod kver=$kver fw_log_out_of_state_tcp = 0 . . . .


3. Reboot the machine !


Windows NT / 2000
-----------------------------
1. Add the following DWORD to the registry under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters

A variable named DisableLogOutOfStateTCP should be added with a value of
1.


2. Reboot the machine !

Subash Bose
HPA



-----Original Message-----
From: Shelton, Raymond A. [mailto:[email protected]]
Sent: Wednesday, July 03, 2002 1:13 PM
To: [email protected]
Subject: Re: [FW-1] Error "th_flags # message_info TCP packet out of
state"


We now belong to two of the same clubs; the one to which you've
referred, and the one that gets out of office autoresponders from posts
to this list.

-----Original Message-----
From: Jim Parker [mailto:[email protected]]
Sent: Tuesday, July 02, 2002 8:57 PM
To: [email protected]
Subject: Re: [FW-1] Error "th_flags # message_info TCP packet out of
state"


So how many are we in the club...


--- Metod Ckufca <[email protected]> wrote:
>  Welcome to the club.
>Anybody that is using FW-1 above 4.1 SP4 is getting these errors. I have
>tried to get rid of them and gave up. ;-( Maybe you can read some DOC
>about how FW-1 is managing the stateful inspection table. Try this one:
>http://www.enteract.com/~lspitz/pubs.html  ...Understanding the
>FireWall-1 State Table
>
>That is what this error is all about ... "out of state"
>
>In some cases, the error is caused by spoof filters on NICs ... this is
>something to check.
>
>But in the end there is NO final solution to this "problem".
>
>BTW: If anyone has some useful info about this error ..I'm still
>interested :-)
>
>best regards
> Metod
>
>
>>>> Hieu Cao <[email protected]> 2.7.2002 19:46:58 >>>
>I keep seeing a lot of these error messages "th_flags # message_info
>TCP packet out of state" into the FW from external interface and from
>FW to internal interface.   I am unable to find meaningful resolutions
>from both Nokia's and CP's knowledge-base websites.
>
>Has anyone seen this kind of error in the log before?  If so, what was
>the fix?
>
>Any suggestion is greatly appreciated.
>
>Thank You.
>
>Hieu
>
>Nokia I330 IPSO 3.4.2, CP NG FP1
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
>
   All contents © 2004 Network Presence, LLC. All rights reserved.
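
Added illustration (not part of the original thread or of Check Point's article): a simplified Python model of the connections-table check described in the quoted solution. It shows why a packet on an idle-expired connection is dropped on rule 0, and that the allow-out-of-state setting also hands a stray ACK with no handshake to the Rule Base. The Packet fields, verdict names, 3600-second timeout and sample addresses are assumptions constructed for the example.

```python
# Simplified model of a stateful connections table; not Check Point's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: float      # seconds since start of the constructed capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S", "SA", "A", "PA", ...

def conn_key(p):
    """Direction-independent key so replies match the original entry."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def inspect(packets, timeout=3600, allow_out_of_state=False):
    """Return one verdict per packet: 'rulebase', 'accept' or 'drop-rule0'."""
    table = {}    # conn_key -> time the connection was last seen
    verdicts = []
    for p in packets:
        key = conn_key(p)
        last = table.get(key)
        if last is not None and p.t - last > timeout:
            del table[key]            # entry expired while the connection idled
            last = None
        if p.flags == "S":            # SYN: matched against the Rule Base
            table[key] = p.t          # assumption: the rule base accepts it
            verdicts.append("rulebase")
        elif last is not None:        # known connection: refresh and pass
            table[key] = p.t
            verdicts.append("accept")
        elif allow_out_of_state:      # workaround: stateless rule match
            verdicts.append("rulebase")
        else:                         # logged as "TCP packet out of state"
            verdicts.append("drop-rule0")
    return verdicts

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Packet(0.0, "10.0.0.5", 40000, "192.0.2.10", 22, "S"),
    Packet(0.1, "192.0.2.10", 22, "10.0.0.5", 40000, "SA"),
    Packet(0.2, "10.0.0.5", 40000, "192.0.2.10", 22, "A"),
    Packet(4000.0, "10.0.0.5", 40000, "192.0.2.10", 22, "PA"),   # idle > 3600 s
    Packet(4001.0, "198.51.100.7", 51000, "10.0.0.5", 80, "A"),  # no handshake seen
]

if __name__ == "__main__":
    print("default:        ", inspect(SAMPLE))
    print("timeout=7200:   ", inspect(SAMPLE, timeout=7200))
    print("allow out-state:", inspect(SAMPLE, allow_out_of_state=True))
```

Raising the timeout (cause 1 in the quoted article) rescues only the idle session, while the allow setting stops treating either packet as out of state, so the rule base alone decides whether the stray ACK passes.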