Yep I know, the actual configuration is really absurd (I mean I'm paying lotsa money to have kinda kernel 2.2 linux firewall)... This is, as you guessed, a big installation and, yes, there's an async routing (I mean the "returning" connections pass thru a different interface).

In your opinion, how can I check if the synchronization is working correctly? (I'm using Nokia with VRRP and, as far as I know, the nodes switch correctly from one to another. CP is configured with VRRP and there's a sync net with a heartbeat interface. The only difference in my config with Nokia's suggested one is that the two IP appliances are linked via a crossover cable instead of a switch.)

Thanx in advance
Lorenzo

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On behalf of Charalambos Klitiropoulos
Sent: Tuesday, 26 July 2005 23:54
To: [email protected]
Subject: Re: [FW-1] R: [FW-1] Inverted Connections

Disabling stateful inspection will convert an (expensive) stateful firewall into a plain packet filtering firewall.

Could there be a case of asynchronous routing (where incoming packets take a different route than outgoing)? Maybe a high availability configuration with non-working synchronization?

Please note that I have seen drops like that in the past (confirmed without asynchronous routing), but every case was in a large installation and the percentage of dropped connections was far too low to be a real problem for the users.

On 7/26/05, Lorenzo <[EMAIL PROTECTED]> wrote:
>
> Yes. It's seen as out of state... Obviously if I disable the check on
> stateful TCP packets the connection works...
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED]] On behalf of
> Charalambos Klitiropoulos
> Sent: Monday, 25 July 2005 21:31
> To: [email protected]
> Subject: Re: [FW-1] Inverted Connections
>
> Hello,
>
> is there any information in the information column? There can be cases
> where FW-1 will drop a connection because of an invalid TCP packet or
> because of a SmartDefense setting. Even if that connection was
> originated by HOST1, if SERVER1 sent a packet that FW-1 does not
> consider to be correct, the drop log entry will show that source was
> SERVER1 and destination was HOST1. But in every such case you should
> see some comment in the information column that explains why FW-1
> dropped that packet.
>
> On 7/25/05, Lorenzo <[EMAIL PROTECTED]> wrote:
> >
> > Hi guys
> > Has anybody had the same problem?
> > Basically, I'm expecting a connection from HOST1 to SERVER1 on TCP
> > port, let's say, 6000. This happens, but sometimes I see on the
> > tracker that there are some connections from SERVER1 to HOST1, with
> > a "random" destination port and 6000 as source port.
> >
> > I'm wondering if this could be a CheckPoint problem....
> >
> > Thanx in advance
> >
> > Lorenzo
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages, send an email to
> > [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list, please see the instructions
> > at http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription
> > options, email [EMAIL PROTECTED]
> > =================================================
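Added example, not part of the thread: a small Python script that triages firewall drop logs for the pattern Lorenzo describes (accepted HOST1 -> SERVER1:6000 connections, then drops logged as SERVER1:6000 -> HOST1:<random port>) and, per client/server/service flow, computes the share of such "inverted" drops the way Charalambos's remark about the percentage of dropped connections suggests. Following his point about the information column, it also separates drops that carry an explanation (protocol or SmartDefense-style check) from drops with an empty information column, which are the ones that fit asymmetric routing or broken state synchronization. The log format (semicolon-separated `action;src;dst;proto;sport;dport;info`), the addresses and the info-column text are all constructed for this example; real Check Point log exports use different fields, so `parse_line` would need adapting.

```python
"""Triage 'inverted' out-of-state drops in firewall logs (added example).

Constructed log format: action;src;dst;proto;sport;dport;info
An 'inverted' drop is a TCP drop whose *source* port is a known service
port and whose *destination* port is ephemeral: a server-to-client reply
that the firewall treated as a new, unmatched connection.
"""
from collections import defaultdict
from dataclasses import dataclass

SERVICE_PORTS = {6000}   # services expected to be initiated client -> server (constructed)
EPHEMERAL_MIN = 1024


@dataclass(frozen=True)
class Entry:
    action: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    info: str


def parse_line(line):
    """Parse one constructed log line into an Entry; raise on malformed input."""
    parts = line.rstrip("\n").split(";", 6)
    if len(parts) != 7:
        raise ValueError(f"malformed log line: {line!r}")
    action, src, dst, proto, sport, dport, info = parts
    return Entry(action, src, dst, proto, int(sport), int(dport), info.strip())


def is_inverted(e):
    """True for a TCP drop that looks like a reply packet seen out of state."""
    return (e.action == "drop" and e.proto == "tcp"
            and e.sport in SERVICE_PORTS and e.dport >= EPHEMERAL_MIN)


def analyse(lines):
    """Group accepted connections and inverted drops by (client, server, service)."""
    accepted = defaultdict(int)    # (client, server, service) -> accepted count
    inverted = defaultdict(list)   # (client, server, service) -> inverted drop entries
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e.action == "accept" and e.dport in SERVICE_PORTS:
            accepted[(e.src, e.dst, e.dport)] += 1
        elif is_inverted(e):
            # Normalise to the client/server view: the drop's dst is the client.
            inverted[(e.dst, e.src, e.sport)].append(e)

    report = {}
    for key, drops in inverted.items():
        ok = accepted.get(key, 0)
        report[key] = {
            "accepted": ok,
            "inverted_drops": len(drops),
            "drop_ratio": len(drops) / (ok + len(drops)),
            # Empty info column: no protocol/IPS reason given, so the drop
            # fits asymmetric routing or a sync gap rather than a check.
            "unexplained": sum(1 for d in drops if not d.info),
            "reasons": sorted({d.info for d in drops if d.info}),
        }
    return report


# Constructed sample log: three accepted client connections, two inverted
# drops (one with an explanation, one without) and one ordinary rulebase drop.
SAMPLE_LOG = """\
accept;10.1.1.10;10.2.2.20;tcp;51234;6000;
accept;10.1.1.10;10.2.2.20;tcp;51235;6000;
accept;10.1.1.10;10.2.2.20;tcp;51236;6000;
drop;10.2.2.20;10.1.1.10;tcp;6000;51237;
drop;10.2.2.20;10.1.1.10;tcp;6000;51238;out-of-state TCP packet (constructed reason)
accept;10.1.1.11;10.2.2.20;tcp;40000;6000;
drop;10.1.1.12;10.2.2.20;tcp;40001;6000;rulebase drop (constructed reason)
"""

if __name__ == "__main__":
    for (client, server, svc), r in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {server}:{svc}: accepted={r['accepted']} "
              f"inverted_drops={r['inverted_drops']} ratio={r['drop_ratio']:.0%} "
              f"unexplained={r['unexplained']} reasons={r['reasons']}")
```

Run per cluster member and compare: a member whose log shows mostly unexplained inverted drops while its peer shows the matching accepts is the signature of replies arriving on the member that never learned the connection, which is what a dead sync network or asymmetric return path produces.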
