Hi Oscar. We have double-checked the routing tables... moreover, the connection initially succeeds but gets dropped after a while. The routing config was the same when we had R60, and everything worked fine; the problem appeared just when we upgraded the platform.
Thank you very much again.

On Tue, 20-01-2009 at 08:54 -0600, Oscar Esquivel wrote:
> Hello, I had a problem like that before....
> Full message is "TCP packet out of state: First packet isn't SYN;"
>
> This happens sometimes because of routing issues....your firewall maybe
> is connected to another routing device or firewall, so the initiating
> connection of your Sql Connection(SYN PACKET) is not passing through the
> firewall, but the receiving connection (ACK PACKET) is passing through
> the firewall, that's why it tells you that first packet should be SYN,
> instead ACK.......that means that the firewall is not seeing the first
> packet connection, because you are sending that packet through another
> routing device. What you can do is a traceroute from your sql clients ->
> sql server and vice versa. That could give you a pretty good idea if
> something with the routing is not ok.
>
> I hope this helps..
>
> Rgds.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Esteban
> Serrano
> Sent: Tuesday, January 20, 2009 01:59 a.m.
> To: [email protected]
> Subject: [FW-1] Dropped out-of-state connections after upgrade from R60
> to R65
>
> Hi everybody.
>
> We have upgraded our firewall platform, running in a Crossbeam X40
> chassis, from R60 to R65 HFA30 last week.
>
> Since then, we have noticed that some legitimate Oracle SQL connections
> are being dropped. The log says they are out-of-state packets, though
> they shouldn't.
>
> We have checked whether aggressive aging was activated, but it seems it
> isn't:
>
> fw_1 (crossbeam): root$ fw ctl pstat
>
> Machine Capacity Summary:
> Memory used: 2% (22MB out of 801MB) - below low watermark
> Concurrent Connections: 0% (124 out of 24900) - below low watermark
> Aggressive Aging is not active
>
> Any ideas?
>
> Thanks in advance!
>
> Esteban Serrano
>
> Scanned by Check Point Total Security Gateway.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
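The two situations discussed in this thread, as an added example that is not part of the original messages: a simplified state table replayed over packets seen at the firewall, separating flows whose SYN never crossed it (the asymmetric-routing case Oscar describes) from flows that were established and then hit "out of state" after going idle. The packet tuples, host names, ports and the idle_timeout value are constructed assumptions; this is a model for triage, not Check Point's inspection engine.

```python
# Constructed capture at the firewall:
# (time_s, src, sport, dst, dport, tcp_flags). All values are made up.
SAMPLE = [
    (0,    "client-a", 40001, "oracle", 1521, "S"),   # handshake crosses the firewall
    (0,    "oracle", 1521, "client-a", 40001, "SA"),
    (1,    "client-a", 40001, "oracle", 1521, "A"),
    (10,   "oracle", 1521, "client-b", 40002, "SA"),  # reply only: SYN took another path
    (11,   "oracle", 1521, "client-b", 40002, "PA"),
    (5000, "client-a", 40001, "oracle", 1521, "PA"),  # same session after a long idle gap
]


def classify(packets, idle_timeout=3600):
    """Replay packets through a minimal state table.

    Returns one finding per packet that would be logged as
    "First packet isn't SYN", tagged with a likely cause:
      syn-never-seen : this firewall never saw a SYN for the flow
      expired-entry  : the SYN was seen, but the flow sat idle longer
                       than idle_timeout (assumed value) before this packet
    """
    last_seen = {}    # flow key -> time of last accepted packet
    ever_syn = set()  # flows whose SYN was observed at some point
    findings = []
    for t, src, sport, dst, dport, flags in sorted(packets):
        key = frozenset(((src, sport), (dst, dport)))  # direction-independent
        live = key in last_seen and t - last_seen[key] <= idle_timeout
        if flags == "S":          # a bare SYN opens (or reopens) the flow
            ever_syn.add(key)
            last_seen[key] = t
        elif live:                # in-state packet refreshes the entry
            last_seen[key] = t
        else:                     # no usable entry: out of state
            last_seen.pop(key, None)
            cause = "expired-entry" if key in ever_syn else "syn-never-seen"
            findings.append((t, src, dst, flags, cause))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

Findings tagged syn-never-seen point toward the routing check suggested above; expired-entry findings mean the handshake did pass through the firewall, so routing alone does not explain the drop.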
