
[FW-1] Rule 0 Drops, Reason: unknown established TCP packet



Guys,

In a nutshell, our problem is with Citrix MF1.8SP3 ICA/http timing out
through a Checkpoint-to-Checkpoint 3DES tunnel.  An initial splash
screen appears, then the connection drops.  In the log viewer, I'll see
phase 2 completions, encrypted traffic, and then a couple of drops for what
should be allowed by the rulebase.  Though sometimes there are no drops
and the Citrix connection drop problem still persists.  It seems to be
an on-again, off-again type of problem, and I figured I would solve the
dropped Rule 0 problem first.

I wrote about this a few weeks ago, searched through the archives and
have made numerous changes to my IP110 including:

Upgraded 4.1-SP4 to 4.1-SP6
Upgraded IPSO3.4 to IPSO3.5FCS7
Turned on ipsofwd slowpath in fwstart
Added #define ALLOW_NON_SYN_RULEBASE_MATCH to $FWDIR/lib/fwui_head.def
Increased tcpstarttimeout and tcpendtimeout in objects.C to 360 and 350
Modzapped fw_old_established_accept $FWDIR/boot/modules/fwmod.o 0x1
(rebooted, re-installed policy, etc.)

Is there any other way I can force matching of non-SYN packets which do
not belong to an established connection against the Rule Base?


In addition, I see there's a Checkpoint doc that says:

2. Force the VPN/FireWall Module to match non-SYN packets which do
not belong to an established connection against the Rule Base. Notice
that you must have two rules: client - server - Any - accept  &  server
- client - Any - accept

Must I allow Any traffic to be enforced, as opposed to certain
protocols?  I have a rule in place similar to the above except for
certain protocols only (ICA, http).

Thanks,
Chris
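To make the mechanism behind the "unknown established TCP packet" drop concrete, here is an added toy model (not from the post, and not Check Point's code) of a stateful inspector whose connection entries age out after an idle timeout, with the non-SYN rulebase fallback as an option. Host names, the ICA port and the packet trace are constructed; it also shows why the quoted doc insists on rules in both directions, since after the idle gap whichever side speaks first is the one the rulebase sees.

```python
from dataclasses import dataclass
SYN, ACK = 0x02, 0x10
ICA = 1494  # Citrix ICA service port (constructed trace below uses it)
@dataclass
class Packet:
    src: str
    dst: str
    port: int    # service port, shared by both directions of one connection
    flags: int
    t: float     # arrival time in seconds

class StatefulFirewall:
    """Toy stateful inspector (simplified model, not Check Point's code)."""
    def __init__(self, rules, tcp_timeout, allow_non_syn_rulebase_match=False):
        self.rules = rules            # (src, dst, port, action); first match wins
        self.timeout = tcp_timeout    # idle seconds before an entry is forgotten
        self.allow_non_syn = allow_non_syn_rulebase_match
        self.table = {}               # (endpoints, port) -> time of last packet

    def _rulebase(self, p):
        for src, dst, port, action in self.rules:
            if src in (p.src, "Any") and dst in (p.dst, "Any") and port in (p.port, "Any"):
                return action
        return "drop"                 # implicit cleanup rule

    def handle(self, p):
        key = (frozenset((p.src, p.dst)), p.port)
        last = self.table.get(key)
        if last is not None and p.t - last <= self.timeout:
            self.table[key] = p.t     # live entry: accepted without a rulebase lookup
            return "accept (state table)"
        self.table.pop(key, None)     # no entry, or it aged out while the session idled
        if not (p.flags & SYN) and not self.allow_non_syn:
            return "drop (rule 0: unknown established TCP packet)"
        action = self._rulebase(p)    # SYN, or non-SYN with the fallback enabled
        if action == "accept":
            self.table[key] = p.t
        return action

TRACE = [  # constructed: handshake, one data packet, then a long idle gap
    Packet("client", "server", ICA, SYN, 0.0),
    Packet("server", "client", ICA, SYN | ACK, 0.1),
    Packet("client", "server", ICA, ACK, 5.0),
    Packet("server", "client", ICA, ACK, 1000.0),  # server speaks first after the gap
    Packet("client", "server", ICA, ACK, 1001.0),
]
BOTH_WAYS = [("client", "server", ICA, "accept"), ("server", "client", ICA, "accept")]
def simulate(rules, allow_non_syn, timeout=360):
    fw = StatefulFirewall(rules, timeout, allow_non_syn)
    return [fw.handle(p) for p in TRACE]
```

With the default 360-second idle timeout the two packets after the gap are Rule 0 drops; with the fallback enabled and a rule for only the client-to-server direction, the server's first packet after the gap is still dropped by the rulebase.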
