Hi,

> Hugo van der Kooij wrote:
> > Torkel Mathisen wrote:
> > Hi,
> >
> > I have a problem with http traffic from two Windows 2008 servers through our firewall.
> >
> > It gets dropped by SmartDefense with the following information:
> >
> > Attack Bad TCP sequence
> > Attack Information SYN retransmit with different windows scale
> >
> > I thought this could be a problem with TCP windows scale in Windows 2008:
> >
> > http://support.microsoft.com/kb/934430
> >
> > but even after we disabled the windows scale on the server it doesn't work.
> >
> > Anyone know of a fix for this (except disabling Sequence Verifier as that is not an option)?
> >
> > We use R61 HFA01 on that firewall.
> >
> > Is it fixed in newer versions?
>
> Well to know that we have to know the exact problem. For that I would
> ask for a fw monitor packet capture to begin with. And I expect Check
> Point to ask for a fw debug as well.

I've done a fw monitor packet capture now. The command I used was

fw monitor -e "accept src=10.11.12.11;"

The output I got from 1 entry in the log is:

UNKNOWN:i[52]: 10.11.12.11 -> 131.107.115.28 (TCP) len=52 id=586
TCP: 13826 -> 80 .S.... seq=c557ee2f ack=00000000
UNKNOWN:I[52]: 10.11.12.11 -> 131.107.115.28 (TCP) len=52 id=586
TCP: 13826 -> 80 .S.... seq=c557ee2f ack=00000000
eth6.116:o[52]: 10.11.12.11 -> 131.107.115.28 (TCP) len=52 id=586
TCP: 13826 -> 80 .S.... seq=c557ee2f ack=00000000
eth6.116:O[52]: 10.11.12.11 -> 131.107.115.28 (TCP) len=52 id=586
TCP: 13826 -> 80 .S.... seq=c557ee2f ack=00000000
UNKNOWN:i[52]: 10.11.12.11 -> 131.107.115.28 (TCP) len=52 id=596
TCP: 13826 -> 80 .S.... seq=c557ee2f ack=00000000
UNKNOWN:I[52]: 10.11.12.11 -> 131.107.115.28 (TCP) len=52 id=596
TCP: 13826 -> 80 .S.... seq=c557ee2f ack=00000000
eth6.116:o[52]: 10.11.12.11 -> 131.107.115.28 (TCP) len=52 id=596
TCP: 13826 -> 80 .S.... seq=c557ee2f ack=00000000
eth6.116:O[52]: 10.11.12.11 -> 131.107.115.28 (TCP) len=52 id=596
TCP: 13826 -> 80 .S.... seq=c557ee2f ack=00000000
UNKNOWN:i[48]: 10.11.12.11 -> 131.107.115.28 (TCP) len=48 id=675
TCP: 13826 -> 80 .S.... seq=c557ee2f ack=00000000

In SmartView Tracker I can see that it got dropped by SmartDefense with the same info as before:

> > Attack Bad TCP sequence
> > Attack Information SYN retransmit with different windows scale

I seem to only get this problem with the 131.107.115.28, which is a server Microsoft uses for CRL verification, I think.

Earlier I also had this problem to other destinations, but those seem to have stopped now, for an unknown reason.

Regards,
Torkel
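
Added example, not part of the original post: a small parser for the fw monitor entries shown above that groups SYNs by flow and sequence number and reports retransmits whose IP length changed between sends. The sample is rebuilt from the values in the post; the function names and the 40-byte header arithmetic (20-byte IPv4 header, 20-byte base TCP header, no payload on the SYN) are assumptions of this example.

```python
import re

def _line(iface, point, length, ip_id):
    # Rebuilds one capture entry using the addresses, ports and seq from the post.
    return (f"{iface}:{point}[{length}]: 10.11.12.11 -> 131.107.115.28 (TCP) "
            f"len={length} id={ip_id} TCP: 13826 -> 80 .S.... seq=c557ee2f ack=00000000")

# Sample rebuilt from the post's capture: ids 586 and 596 at all four inspection
# points, id 675 only at "i". Joined with spaces, as the text appears on the page.
SAMPLE = " ".join(
    [_line(i, p, 52, n) for n in (586, 596)
     for i, p in (("UNKNOWN", "i"), ("UNKNOWN", "I"), ("eth6.116", "o"), ("eth6.116", "O"))]
    + [_line("UNKNOWN", "i", 48, 675)])

# \s+ between fields lets the pattern match whether each entry is on one line or two.
PKT = re.compile(
    r"[\w.]+:(?P<point>[iIoO])\[\d+\]:\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\(TCP\)\s+"
    r"len=(?P<len>\d+)\s+id=(?P<id>\d+)\s+TCP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)\s+"
    r"(?P<flags>\S+)\s+seq=(?P<seq>[0-9a-f]+)")

def syn_retransmits(text):
    """Map each flow whose SYN was sent with differing IP lengths to a list of
    (ip_id, ip_len, tcp_option_bytes, inspection_points_seen)."""
    flows = {}
    for m in PKT.finditer(text):
        if m["flags"] != ".S....":   # SYN-only flag string, as printed in the post
            continue
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["seq"])
        # One IP id = one transmission; it is logged once per inspection point reached.
        rec = flows.setdefault(flow, {}).setdefault(int(m["id"]), [int(m["len"]), ""])
        rec[1] += m["point"]
    out = {}
    for flow, sends in flows.items():
        if len({ip_len for ip_len, _ in sends.values()}) > 1:
            # Assumption: 20-byte IPv4 header, 20-byte base TCP header, no SYN payload,
            # so everything beyond 40 bytes is TCP options.
            out[flow] = [(i, l, l - 40, pts) for i, (l, pts) in sends.items()]
    return out

if __name__ == "__main__":
    for flow, sends in syn_retransmits(SAMPLE).items():
        print("flow:", flow)
        for ip_id, ip_len, opts, pts in sends:
            print(f"  id={ip_id} len={ip_len} tcp_options={opts}B seen_at={pts}")
```

On the capture from the post, this reports that the third SYN (id=675) carries 4 fewer bytes of TCP options than the first two and appears only at the `i` inspection point, which is consistent with the option set changing between retransmits.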