Re: [FW-1] Rule 0 Drops, Reason: unknown established TCP packet



We figured out the problem yesterday...  It wasn't a CP problem, but
rather that the default TCP/IP MTU size of our Citrix servers was too
high for the routers after the firewall at the other end of the tunnel.
One tweak of the registry and all was well.

Chris


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Chris
Covington
Sent: Wednesday, August 07, 2002 11:52 AM
To: [email protected]
Subject: [FW-1] Rule 0 Drops, Reason: unknown established TCP packet


Guys,

In a nutshell, our problem is with Citrix MF1.8SP3 ICA/http timing out
through a Checkpoint-to-Checkpoint 3DES tunnel.  An initial splash
screen appears, then the connection drops.  In the log viewer, I'll see
phase 2 completions, encrypted traffic, and then a couple of drops for what
should be allowed by the rulebase.  Though sometimes, there are no drops
and the Citrix connection drop problem still persists.  It seems to be
an on again, off again type of problem, and I figured I would solve the
dropped Rule 0 problem first.

I wrote about this a few weeks ago, searched through the archives and
have made numerous changes to my IP110 including:

Upgraded 4.1-SP4 to 4.1-SP6
Upgraded IPSO3.4 to IPSO3.5FCS7
Turned on ipsofwd slowpath in fwstart
Added #define ALLOW_NON_SYN_RULEBASE_MATCH to $FWDIR/lib/fwui_head.def
Increased tcpstarttimeout and tcpendtimeout in objects.C to 360 and 350
Modzapped fw_old_established_accept $FWDIR/boot/modules/fwmod.o 0x1
(rebooted, re-installed policy, etc.)

Is there any other way I can force matching of non-SYN packets which do
not belong to an established connection against the Rule Base?


In addition, I see there's a Checkpoint doc that says:

2.      Force the VPN/FireWall Module to match non-SYN packets which do
not belong to an established connection against the Rule Base. Notice
that you must have two rules: client - server - Any - accept  &  server
- client - Any - accept

Must I allow Any traffic to be enforced, as opposed to certain
protocols?  I have a rule in place similar to the above except for
certain protocols only (ICA, http).

Thanks,
Chris

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
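The root cause reported at the top of this thread is an inner MTU too large for the path behind the far-end firewall, so the encrypted packets could not transit the tunnel. The following is an added example, not code from the list or from Check Point, that shows the two checks a practitioner would run before touching the Citrix registry: compute the largest inner packet that still fits the path once ESP tunnel-mode overhead is added, and binary-search the same limit the way a DF-bit ping sweep (`ping -M do -s SIZE`) would. The overhead figures are assumptions stated in the code (IPv4 tunnel mode, 3DES-CBC with an 8-byte IV and 8-byte block, a 12-byte HMAC-96 ICV, no NAT-T or ESN); the `simulated_probe` function is a constructed stand-in for the real ping so the block runs offline.

```python
"""Effective MTU inside an IPsec ESP tunnel, plus a DF-probe search.

Added example; assumptions (not taken from the thread): tunnel-mode ESP over
IPv4, 3DES-CBC (8-byte IV, 8-byte cipher block), HMAC-96 authenticator
(12-byte ICV), no NAT-T/UDP encapsulation, no extended sequence numbers.
"""
from typing import Callable, Optional

OUTER_IPV4 = 20   # outer IP header added by tunnel mode
ESP_HDR = 8       # SPI + sequence number
PAD_TRAILER = 2   # pad-length byte + next-header byte


def esp_tunnel_size(inner_len: int, iv_len: int = 8, icv_len: int = 12,
                    block: int = 8) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes.

    The encrypted region (inner packet + padding + 2-byte trailer) must be a
    multiple of the cipher block size, so padding is whatever brings
    inner_len + 2 up to the next multiple of `block`.
    """
    pad = (-(inner_len + PAD_TRAILER)) % block
    return OUTER_IPV4 + ESP_HDR + iv_len + inner_len + pad + PAD_TRAILER + icv_len


def max_inner_mtu(path_mtu: int, **kw) -> int:
    """Largest inner packet that crosses a path of path_mtu unfragmented.

    esp_tunnel_size() is non-decreasing in inner_len, so the first size that
    fits when walking down from path_mtu is the maximum.
    """
    for inner in range(path_mtu, 0, -1):
        if esp_tunnel_size(inner, **kw) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for any ESP packet")


def tcp_mss_for(inner_mtu: int) -> int:
    """MSS to clamp on hosts or the gateway: inner MTU minus IPv4+TCP headers."""
    return inner_mtu - 40


def largest_df_payload(probe: Callable[[int], bool], lo: int = 0,
                       hi: int = 65507) -> Optional[int]:
    """Binary-search the largest ICMP echo payload that probe() accepts.

    probe(size) returns True when an echo request with DF set and `size`
    data bytes was answered; in the field it wraps
    `ping -M do -s SIZE -c 1 HOST` and checks the exit status.
    Returns None if even the smallest probe fails.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_probe(path_mtu: int = 1500) -> Callable[[int], bool]:
    """Constructed stand-in for ping (no network): an echo carrying `size`
    data bytes is a 28 + size byte inner packet (IPv4 + ICMP headers); the
    probe succeeds when its ESP-wrapped form fits the assumed path MTU."""
    return lambda size: esp_tunnel_size(28 + size) <= path_mtu


if __name__ == "__main__":
    inner = max_inner_mtu(1500)
    print("inner MTU through 3DES/HMAC-96 ESP on a 1500-byte path:", inner)
    print("TCP MSS to clamp to:", tcp_mss_for(inner))
    print("largest DF ping payload the tunnel passes:",
          largest_df_payload(simulated_probe()))
```

With a 1500-byte path the arithmetic gives an inner MTU of 1446 and a clamped MSS of 1406, which is why a host sending full 1500-byte frames with DF set into a 3DES tunnel stalls after the first small exchange (the splash screen) while larger data segments are silently dropped. When running the real probe, replace `simulated_probe` with a wrapper around ping against a host behind the far gateway and set the Citrix hosts' MTU (or an MSS clamp on the gateway) to the value the search returns rather than to a guessed figure.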