Exactly, the connection is timing out on the firewall before it times
out at the endpoints, and several sources I have found explain that this
common issue stems from Microsoft's loose adherence to RFC 793. However
many explanations exist, I have yet to find an acceptable solution!

The option doesn't exist for me to allow out of state TCP from specific
hosts, only as a global setting.  I've been told the problem needs to be
approached differently but how?

Thanks!
fred

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Senior
Sent: Thursday, February 09, 2006 2:43 PM
To: [email protected]
Subject: Re: [FW-1] drop out of state tcp?

If they really are violating TCP standards, i.e. sending unsolicited
ACKs, then they won't be able to communicate anyway, as the other side
won't have an allocated socket.

A more likely explanation might be that the connection is timing out on
the firewall before it times out at the endpoints.  Then they start
talking again, but the firewall's forgotten about the conversation.

Regards
Mark

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Tucker, Fredrik M
Sent: 8 February, 2006 14:50
To: [email protected]
Subject: [FW-1] drop out of state tcp?

Checkpoint FW-1 NG R55

Is there a "more restrictive" alternative to un-checking "drop out of
state TCP" in the Global Properties?

Specifically dealing with a handful of Microsoft boxes on either side
that seem to violate TCP standards.

Can an exception be made per rule?

More specifics:

Dropped... TCP packet out of state; First packet isn't SYN;
tcp_flags:ACK

Thanks!

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email [EMAIL PROTECTED]
=================================================
