Do you have a cluster? Have you checked that the cluster is in sync?
To get a better idea, you should run fw monitor on the firewall.

Besides, after the upgrade, have you checked that the routing in your firewall
has not changed?

Another question: does the SQL server have any kind of redundancy? I mean, 2
network interfaces?


-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:[email protected]] On behalf of Esteban Serrano
Sent: Tuesday, January 20, 2009 09:19 a.m.
To: [email protected]
Subject: Re: [FW-1] Dropped out-of-state connections after upgrade from R60 to 
R65

Hi Oscar.

We have double-checked the routing tables... moreover, the connection
initially succeeds but gets dropped after a while.
The routing config was the same when we had R60, and everything worked
fine; the problem appeared just when we upgraded the platform.

Thank you very much again.


On Tue, 20-01-2009 at 08:54 -0600, Oscar Esquivel wrote:
> Hello, I had a problem like that before....
> Full message is "TCP packet out of state: First packet isn't SYN;"
> 
> This happens sometimes because of routing issues....maybe your firewall
> is connected to another routing device or firewall, so the initiating
> connection of your SQL connection (SYN PACKET) is not passing through the
> firewall, but the receiving connection (ACK PACKET) is passing through
> the firewall, that's why it tells you that first packet should be SYN,
> instead of ACK.......that means that the firewall is not seeing the first
> packet connection, because you are sending that packet through another
> routing device. What you can do is a traceroute from your SQL clients ->
> SQL server and vice versa. That could give you a pretty good idea if
> something with the routing is not ok.
> 
> 
> I hope this helps..
> 
> 
> Rgds.
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On behalf of Esteban
> Serrano
> Sent: Tuesday, January 20, 2009 01:59 a.m.
> To: [email protected]
> Subject: [FW-1] Dropped out-of-state connections after upgrade from R60
> to R65
> 
> Hi everybody.
> 
> We have upgraded our firewall platform, running in a Crossbeam X40
> chassis, from R60 to R65 HFA30 last week.
> 
> Since then, we have noticed that some legitimate Oracle SQL connections
> are being dropped. The log says they are out-of-state packets, though
> they shouldn't.
> 
> We have checked whether aggressive aging was activated, but it seems it
> isn't:
> 
> fw_1 (crossbeam): root$ fw ctl pstat
> 
> Machine Capacity Summary:
>   Memory used: 2% (22MB out of 801MB) - below low watermark
>   Concurrent Connections: 0% (124 out of 24900) - below low watermark
>   Aggressive Aging is not active
> 
> Any ideas?
> 
> Thanks in advance!
> 
> Esteban Serrano
> 
> Scanned by Check Point Total Security Gateway.
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
> 
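
Added example (not part of the original thread and not Check Point code): a toy Python model of stateful TCP inspection showing why a packet with no matching state entry is logged as out of state, both in the asymmetric-routing case described above and, going beyond the thread, when an idle entry ages out. The timeout value, addresses and ports are constructed assumptions.

```python
# Toy model of a stateful TCP filter; not Check Point code.
DROP_MSG = "TCP packet out of state: First packet isn't SYN"
IDLE_TIMEOUT = 3600  # seconds; assumed value for this model


class StateTable:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.conns = {}  # normalized 4-tuple -> time the last packet was seen

    @staticmethod
    def _key(src, sport, dst, dport):
        # Both directions of a connection map to the same entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def inspect(self, now, src, sport, dst, dport, flags):
        """Return 'accept' or the drop reason for one observed packet."""
        key = self._key(src, sport, dst, dport)
        last_seen = self.conns.get(key)
        if last_seen is not None and now - last_seen > self.idle_timeout:
            del self.conns[key]  # idle entry aged out of the table
            last_seen = None
        if last_seen is None and flags != "S":
            return DROP_MSG  # only a bare SYN may create state
        self.conns[key] = now
        return "accept"


def replay(packets, table=None):
    """Run a packet list through a (fresh) state table, return verdicts."""
    table = table or StateTable()
    return [table.inspect(*p) for p in packets]


# Constructed sample traffic: (time, src, sport, dst, dport, flags)
CLIENT, SERVER = "10.0.0.5", "10.0.1.9"
SYMMETRIC = [
    (0, CLIENT, 40000, SERVER, 1521, "S"),
    (0, SERVER, 1521, CLIENT, 40000, "SA"),
    (1, CLIENT, 40000, SERVER, 1521, "A"),
]
# The SYN took another path, so the filter first sees the reply.
ASYMMETRIC = SYMMETRIC[1:]
# The session idles past the timeout, then the client sends again.
IDLE = SYMMETRIC + [(IDLE_TIMEOUT + 2, CLIENT, 40000, SERVER, 1521, "PA")]

if __name__ == "__main__":
    for name, pkts in [("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC), ("idle", IDLE)]:
        print(name, replay(pkts))
```

Comparing a capture taken on the firewall against these three patterns separates a path problem (no SYN ever seen) from a state-table problem (SYN seen, entry gone later).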
