This actually occurs in situations where there is no load balancing involved
(VRRP), so it seems to be an SP2 'feature'. I've had to change the behavior
back to pre-SP2 in order to get 'slow' protocols to work by following
these steps:

1. On the Management Module, open the file $FWDIR/lib/fwui_head.def
2. Uncomment the line:

/*#define ALLOW_NON_SYN_RULEBASE_MATCH */

3. Install the policy.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tim Cullen
Sent: Wednesday, August 23, 2000 7:34 PM
To: Jack Coates; Lance Spitzner
Cc: '[EMAIL PROTECTED]'
Subject: RE: [FW1] unknown established TCP packet



What does the sync.conf look like?  If you tcpdump the interfaces what shows
up?  This sounds like a balancer issue not keeping state between the two
firewalls.  What is the balancer?  Rainfinity?

-----Original Message-----
From: Jack Coates [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 23, 2000 5:43 PM
To: Lance Spitzner
Cc: '[EMAIL PROTECTED]'
Subject: Re: [FW1] unknown established TCP packet



I'll be interested to see what you find. We're getting these messages a
lot of the time, even though our TCP synch process makes it nearly
impossible for that scenario (ACK or SYN/ACK showing up without a
preceding SYN) to happen. I suspect that it's looking at sequence number
and throwing the error message if sequence numbers aren't neatly in
order, because we usually see the error in mid data-stream after a VIP
moves.
--
Jack Coates, Rainfinity SE
t: 408-382-4860 m: 650-280-4376

Lance Spitzner wrote:
>
> On Wed, 23 Aug 2000, WAN Admin wrote:
>
> > I am having trouble connecting to several HTTP and FTP sites. I've noticed
> > in the logs that the connections are being dropped with the message
> > "unknown established TCP packet".
>
> I believe this error is due to new state table functionality within
> the firewall state table.  CP may have changed how the state table works,
> I need to do some testing to confirm.
>
> In versions prior to FW-1 4.1 SP2, a new entry could be added into the state
> table using almost any packet (ACK, SYN/ACK, etc).  As long as your rulebase
> allowed the packet, the packet was accepted and an entry added to the state
> table if needed.
>
> However, I believe with SP2, only a SYN packet can build a session in the
> state table.  That is why you are getting the error.  There is most likely
> no entry in the state table for the packet, even though the packet is a
> non-SYN packet (indicating an ESTABLISHED connection).
>
> As I said, I need to do some testing this weekend to confirm this.  If
> this is true, I'll update my Whitepaper on FW-1 state table :)
>
> hope this helps ...
>
> lance
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================





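The state-table behaviour Lance describes (SP2: only a SYN can build a session; pre-SP2, or SP2 with ALLOW_NON_SYN_RULEBASE_MATCH uncommented: any rulebase-permitted packet can) and the VIP-failover symptom Jack reports, as an added Python model written for this thread. It is not Check Point code: the packet representation, the toy rulebase, the session-key scheme and the two-firewall failover scenario are all constructed for illustration.

```python
"""Toy model of a stateful firewall's TCP session table.

Constructed example, not FW-1 code.  The `allow_non_syn_rulebase_match`
flag stands in for the ALLOW_NON_SYN_RULEBASE_MATCH #define in
fwui_head.def; the rulebase and addresses below are made up.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK", "PSH"}


@dataclass
class Firewall:
    allow_non_syn_rulebase_match: bool
    state: set = field(default_factory=set)   # session table (4-tuples)
    log: list = field(default_factory=list)   # dropped-packet log lines

    def rulebase_allows(self, pkt):
        # Constructed rulebase: the 10.0.0.0/8 LAN may open HTTP and FTP.
        return pkt.src.startswith("10.") and pkt.dport in (21, 80)

    @staticmethod
    def _key(pkt):
        # Normalise the 4-tuple so both directions of a flow share one entry.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a < b else (b, a)

    def handle(self, pkt):
        key = self._key(pkt)
        if key in self.state:
            return "accept"                      # known session, fast path
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            # A SYN starts a new connection: consult the rulebase once.
            if self.rulebase_allows(pkt):
                self.state.add(key)
                return "accept"
            return "drop"
        # Non-SYN packet with no session.  Pre-SP2 behaviour: match it
        # against the rulebase and build state from it.  SP2 behaviour:
        # drop it and log the message seen in the thread.
        if self.allow_non_syn_rulebase_match and self.rulebase_allows(pkt):
            self.state.add(key)
            return "accept"
        self.log.append(
            f"unknown established TCP packet "
            f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
        return "drop"


def failover_scenario(allow_non_syn):
    """Handshake through fw_a, then a VIP move sends mid-stream data to fw_b,
    whose session table was never synchronised.  Returns (verdicts, fw_b log)."""
    fw_a = Firewall(allow_non_syn)
    fw_b = Firewall(allow_non_syn)
    client, server = ("10.1.1.5", 40000), ("192.0.2.10", 80)   # constructed
    syn = Packet(*client, *server, frozenset({"SYN"}))
    synack = Packet(*server, *client, frozenset({"SYN", "ACK"}))
    ack = Packet(*client, *server, frozenset({"ACK"}))
    verdicts = [fw_a.handle(syn), fw_a.handle(synack), fw_a.handle(ack)]
    # VIP moves: the next data segment of the established flow hits fw_b.
    data = Packet(*client, *server, frozenset({"ACK", "PSH"}))
    verdicts.append(fw_b.handle(data))
    return verdicts, fw_b.log


if __name__ == "__main__":
    for flag in (False, True):
        v, log = failover_scenario(flag)
        print(f"ALLOW_NON_SYN_RULEBASE_MATCH={flag}: {v} log={log}")
```

With the flag off (SP2 default in the model) the first three packets are accepted on fw_a but the mid-stream segment is dropped on fw_b with the "unknown established TCP packet" log line, even though nothing in the rulebase forbids it; with the flag on, fw_b matches the segment against the rulebase and builds the missing session, which is the pre-SP2 behaviour the procedure at the top of the thread restores. The model also shows why Tim's first question is about sync.conf: if fw_b had received fw_a's session table, the fast path would have accepted the segment under either setting.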