- For all testing, test with an application that you can control and not
have any traffic except your tests.

- TCP Timeout default setting is 3600 secs.  Try setting to that and retest;
see if it makes a difference.  If it does, then it points to TCP Timeout
setting.

- Make sure you've turned on "Display Warning Messages" on the SYN Defender
options, and that you're using Long logging on your clean-up rule.  Look at
the log and see if you're getting SYN Defender drops or clean-up rule drops.
  - If you're getting clean-up rule drops, it points back at the TCP Timeout
setting.
  - Check the log to see if the dropped packets match (Destination Port=TCP
high port), (Source Port=Port used to initiate communications with the
server).  If they do, it again points to the TCP Timeout setting.
  - Check to see if the log lines do in fact say "message SYN -> SYN-ACK ->
timeout", "message SYN -> SYN-ACK -> RST" or something similar.  If so, it
points back to SYN Defender.

- Test with SYN Defender (passive or active) completely turned off.  That'll
tell you if it's related to SYN Defender at all.

- Put a sniffer on both sides of the firewall and look for traffic between
your test server and client.  Compare that to the firewall logs, see if
anything is getting dropped that isn't being accurately logged.  Confirm
that you are logging on all of your rules.  If you are and still don't see
accurate & full logging, re-examine all of your Policy Properties.


SYN Defender cannot be set per interface; it's all or nothing.

Greg S.

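The log checks in Greg's steps (SYN Defender drops versus clean-up-rule drops on the reply leg of an already accepted session), as an added example that is not part of any message in this thread. The semicolon-separated key=value record layout, the field names and the clean-up rule number are assumptions, not Check Point's real log format; the sample records are constructed.

```python
"""Triage constructed FW-1 style log records to separate SYN Defender drops
from clean-up-rule drops that point at the TCP Timeout setting.

The record layout and field names are assumptions for this example only."""

CLEANUP_RULE = "10"  # assumed number of the clean-up (drop-all) rule

# Constructed sample records: one accepted DB session, its reply dropped by
# the clean-up rule after the connection-table entry expired, a SYN Defender
# drop, and an unrelated clean-up drop.
SAMPLE_LOG = """\
time=12:00:01;action=accept;rule=4;proto=tcp;src=10.1.1.5;s_port=1044;dst=10.2.2.9;service=1521;message=
time=13:05:17;action=drop;rule=10;proto=tcp;src=10.2.2.9;s_port=1521;dst=10.1.1.5;service=1044;message=
time=13:05:20;action=drop;rule=0;proto=tcp;src=10.3.3.7;s_port=2200;dst=10.2.2.9;service=80;message=SYN -> SYN-ACK -> timeout
time=13:06:02;action=drop;rule=10;proto=tcp;src=10.9.9.9;s_port=40000;dst=10.2.2.9;service=23;message=
"""


def parse(line):
    """Split one 'key=value;key=value' record into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split(";"))


def classify(records):
    """Return (time, verdict) for every drop record, in log order."""
    accepted = set()   # (client, client_port, server, server_port)
    verdicts = []
    for r in records:
        if r["action"] == "accept":
            accepted.add((r["src"], r["s_port"], r["dst"], r["service"]))
            continue
        if r["action"] != "drop":
            continue
        if "SYN -> SYN-ACK" in r["message"]:
            # message text names the SYN Defender state machine
            verdicts.append((r["time"], "syn_defender"))
        elif (r["rule"] == CLEANUP_RULE
              and int(r["service"]) > 1023
              and (r["dst"], r["service"], r["src"], r["s_port"]) in accepted):
            # server -> client reply to a high port of a session the firewall
            # already accepted: the session entry expired, suspect TCP Timeout
            verdicts.append((r["time"], "tcp_timeout_suspect"))
        else:
            verdicts.append((r["time"], "other_cleanup_or_policy_drop"))
    return verdicts


def triage(text):
    return classify(parse(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for when, verdict in triage(SAMPLE_LOG):
        print(when, verdict)
```
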
 -----Original Message-----
From:   Frank [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, June 13, 2000 12:16 PM
To:     [EMAIL PROTECTED]
Subject:        Re: [FW1] More SYN Defender Problems


I'm seeing the same thing. My TCP timeout is way up there in thousands of
seconds. The SYN defender timeout is 60 seconds.

Database access between firewall segments fails.

Can SYN defender be turned on for only one interface?

Frank

On Tue, 13 Jun 2000, Cisco Wave wrote:

> I thought about this too, but it can't explain why it
> is happening for different vendors and different
> systems and different applications (even plain ftp).
> 
> 
> -----Original Message-----
> 
> what about your tcp connection timeout? not
> syndefender, but tcp connection time
> out. looks like the time out are for your tcp
> services.
> 
> Cisco Wave wrote:
> 
> > morning with some external vendor, because a few
> > applications are failing when SYNDef is set.
> >
> > -----Original Message-----
> > From:   Frank [SMTP:[EMAIL PROTECTED]]
> >
> > Thank you for all the suggestions.
> >
> > However, I set it to the max. timeout of 60 sec. and it blocks so many
> > of our applications. BigBrother, http, database all sorts of applications
> > are getting blocked. Mostly communication between ethernet segments.
> >
> > I'm running 4.0 with SP 5. Various Solaris and Nokia
> > firewalls. Mostly an
> > NT network with a few Solaris servers for database.
> >
> > Passive and non-passive SYN gateway don't seem to
> > make any difference.
> >
> > Anything else I can do?
> >
> > Frank
> >
> > On Fri, 9 Jun 2000, Frank wrote:
> >
> > > Date: Fri, 9 Jun 2000 12:20:36 -0700 (PDT)
> > > From: Frank <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Subject: SYN Defender Problems
> > >
> > > I'm attempting to configure SYN Defender. It seems that any option I
> > > choose appears to block access to our mail server (MS Exchange). I've
> > > tried all the options and increased the timeout to 20.
> > >
> > > Any ideas?
> > >
> > >
> >
> >
>
> > ============================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ============================================================================
> >
> > Thank you,
> >
> > =====
> > We are NOT Cisco Inc.
> >
> >
> >
> 


