Dear Miguel, if you run the command "fwaccel stat", you should get an output similar to this one:

    fw[admin]# fwaccel stat
    Accelerator Status : on
    Templates : disabled by FireWall-1 starting from rule #XXX

Maybe it helps if you copy your rule behind rule #XXX. I don't know if it really solves your problem, but it should be a way to bypass SecureXL.

Best regards,
Christian

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On behalf of Hugo van der Kooij
Sent: Thursday, 12 June 2008 08:33
To: [email protected]
Subject: Re: [FW-1] SecureXL problem: TCP packet out of state

Miguel Hernandez y Lopez wrote:
| Hi, one of my clients has a FW1 R62 on IPSO 4 with SecureXL. They're using an internal software running on port 1527 (TCP) with an Oracle DB. The problem we have is that after 10 or 15 minutes the connection is lost, with a message: "TCP packet out of state: First packet isn't SYN tcp_flags: PUSH-ACK" and the action of the fw is DROP.
|
| The first thing we did was increment the Session Timeout in the TCP Services Properties of the 1527 port to 10800 seconds, but the problem continues. Because of the severity of the problem (the people can't work if the application is offline), the temporary solution we made was to disable "Drop out of state TCP packets" in the Global Properties of Stateful Inspection, but I don't want to leave it like this because it's a security risk to disable this option.
|
| Is there any chance that the traffic on port 1527 can pass without it being filtered across SecureXL?

If an out-of-state packet happens during normal traffic you usually have a network problem or application problem. The way to go forward is to use fw monitor to see what happens exactly.

If it happens on connections that go idle for a long time then the simple thing to do is lower the TCP keep alive timer on the database server. In my experience with Oracle it is usually the best way to keep connections alive on firewalls. I recommend lowering it to 900 seconds.

Hugo.
--
[EMAIL PROTECTED] http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
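
Hugo's point about idle connections, as an added example that is not part of the original thread: a simplified model of a stateful firewall's state table, showing how a connection that stays silent longer than the session timeout gets its next PUSH-ACK dropped as out of state, and how a 900-second keepalive prevents that. The packet timeline, connection label and function names are constructed for illustration; this is not Check Point's implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: int       # seconds since the connection opened
    conn: str    # connection label (hypothetical)
    flags: str   # TCP flags as the firewall log prints them

def inspect(packets, session_timeout):
    """Model a stateful firewall: return a list of (packet, verdict)."""
    last_seen = {}   # state table: conn -> time of last accepted packet
    out = []
    for p in sorted(packets, key=lambda p: p.t):
        seen = last_seen.get(p.conn)
        if seen is not None and p.t - seen > session_timeout:
            del last_seen[p.conn]      # idle too long: entry aged out
            seen = None
        if seen is None and p.flags != "SYN":
            out.append((p, "DROP"))    # "First packet isn't SYN"
            continue
        last_seen[p.conn] = p.t
        out.append((p, "ACCEPT"))
    return out

def add_keepalives(packets, idle):
    """Insert a keepalive ACK after every `idle` seconds of silence."""
    result, prev = [], {}
    for p in sorted(packets, key=lambda p: p.t):
        t = prev.get(p.conn)
        while t is not None and t + idle < p.t:
            t += idle
            result.append(Packet(t, p.conn, "ACK"))
        result.append(p)
        prev[p.conn] = p.t
    return result

def verdicts(packets, session_timeout):
    return [v for _, v in inspect(packets, session_timeout)]

# Constructed sample: a session on port 1527 that goes quiet for 4 hours.
CONN = "client:40000->db:1527"
SAMPLE = [Packet(0, CONN, "SYN"), Packet(1, CONN, "ACK"),
          Packet(5, CONN, "PUSH-ACK"), Packet(14405, CONN, "PUSH-ACK")]

if __name__ == "__main__":
    # Without keepalives the late PUSH-ACK is dropped even at 10800 s.
    print(verdicts(SAMPLE, 10800))
    # With 900 s keepalives every packet passes, even at a 3600 s timeout.
    print(set(verdicts(add_keepalives(SAMPLE, 900), 3600)))
```

The model covers only the long-idle case; drops that appear during active traffic need a packet trace such as the fw monitor capture suggested in the thread.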
