This is the Checkpoint explanation... it has to do with routing... according to them.

"Drop out of state TCP Packets" refers to cases in which the Firewall machine doesn't recognize a proper three-way handshake of the TCP connection. When this function is on, the state machine expects to see the entire TCP connection establishment process of SYN, SYN-ACK, etc. While examining the TCP connection establishment, the Firewall machine will check the first SYN packet for authorization against the Firewall-1 rule base. Nevertheless, if the Firewall machine receives a SYN-ACK packet, it will go to the firewall state table to look for such a connection (the SYN should already be there); if the Firewall fails to find such a connection reference, the packet will be dropped with a "Drop out of state TCP Packets" message.
When a customer decides to uncheck this option in the Firewall's global properties menu, it simply allows TCP packets which the Firewall cannot find in the state table to be tested against the Firewall rule base as a secondary option. Those messages mostly appear in asymmetric networks, in which the packets' exit path from the network doesn't match their network entry path, which causes the Firewall not to acknowledge the connection."

-----Original Message-----
From: J.Ayoola [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 8:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Unexpected out-of-state packet

Dear All,

I am also having problems with out of state packets as Carlos described. Does anybody know why this is happening?

This e-mail and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must not copy or show them to anyone, nor should you take any action based on them, other than to notify the error by replying to the sender.

-----Original Message-----
From: Carlos Infante [mailto:[EMAIL PROTECTED]
Sent: 06 May 2004 12:15
To: [EMAIL PROTECTED]
Subject: [FW-1] Unexpected out-of-state packet

Dear All,

I'm having problems with out of state packets. The scope is as follows:

The traffic from the client side travels across one Cisco 1721 performing PAT (dynamic NAT, according to Check Point), then the traffic crosses the firewall to our proxy server (http_8080). The web traffic seems to work fine, but if the client tries to download a medium-to-big sized file, the download starts OK but suddenly stops. The logs show the permitted traffic and also, when the session is stopped, out-of-state messages with flags th_4 (RST) originated on the Cisco (Client) or th_18 (PSH_ACK).

If the traffic doesn't go to the proxy the performance is the same, so I discard a proxy problem.
The workaround should be to permit out-of-state packets, but does anyone know the reason for these packets and the sudden drop of the session?

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
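
Added example, not part of the original thread and not Check Point code: a simplified Python model of the state-table check quoted above, showing how the same packets are handled with "Drop out of state TCP Packets" checked and unchecked. The class, function names, rule base (destination port 8080 only) and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10   # TCP flag bits; 0x18 = PSH|ACK

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

class ToyFirewall:
    """Simplified model of the behaviour described above, not FireWall-1 code."""

    def __init__(self, allowed_dports, drop_out_of_state=True):
        self.allowed_dports = set(allowed_dports)   # stand-in for the rule base
        self.drop_out_of_state = drop_out_of_state  # the global property
        self.state = set()                          # connections seen so far

    @staticmethod
    def key(p):
        # Same key for both directions of one connection.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def rule_base_accepts(self, p):
        return p.dport in self.allowed_dports

    def inspect(self, p):
        if p.flags == SYN:                          # first packet: rule base decides
            if not self.rule_base_accepts(p):
                return "drop: rule base"
            self.state.add(self.key(p))
            return "accept: rule base, state created"
        if self.key(p) in self.state:               # belongs to a tracked connection
            return "accept: state table"
        if self.drop_out_of_state:                  # option checked
            return "drop: out of state"
        # Option unchecked: the rule base is the secondary test.
        return "accept: rule base" if self.rule_base_accepts(p) else "drop: rule base"

def run(packets, drop_out_of_state=True):
    fw = ToyFirewall(allowed_dports=[8080], drop_out_of_state=drop_out_of_state)
    return [fw.inspect(p) for p in packets]

# Constructed sample traffic: a client behind PAT talking to the proxy on 8080.
C, P = ("198.51.100.7", 40000), ("192.0.2.10", 8080)
HANDSHAKE = [Packet(*C, *P, SYN), Packet(*P, *C, SYN | ACK), Packet(*C, *P, ACK)]
REPLY_ONLY = [Packet(*P, *C, SYN | ACK)]   # SYN took another path (asymmetric routing)
MID_STREAM = [Packet(*C, *P, PSH | ACK)]   # data packet with no state entry

if __name__ == "__main__":
    for name, pkts in [("handshake", HANDSHAKE), ("reply only", REPLY_ONLY), ("mid-stream", MID_STREAM)]:
        print(name, run(pkts, True), run(pkts, False))
```

With the option unchecked, the stateless SYN-ACK is still dropped in this model because its destination port is the client's ephemeral port, while the stateless PSH-ACK toward port 8080 is accepted by the rule base alone.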
