I would check the connections table of each VAP member. If they are relatively close then sync is working. If they are not close, then it could be the SYN goes through one member and the SYN/ACK or ACK goes through another (not likely the case).
My recommendation is to run an fw monitor on the destination and look at the traffic. If it is over 1 hour that the connection is opened and the out-of-state, you may need to bump up the service timeout. If you have SecureXL on, run a tcpdump on the ingress and egress interface of the circuits involved. Also, try show flow-active dest-addr x.x.x.x around the time of the timeout.

Good luck.

David.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Esteban Serrano
Sent: Tuesday, January 20, 2009 9:19 AM
To: [email protected]
Subject: Re: [FW-1] Dropped out-of-state connections after upgrade from R60 to R65

Hi Oscar.

We have double-checked the routing tables... moreover, the connection initially succeeds but gets dropped after a while. The routing config was the same when we had R60, and everything worked fine; the problem appeared just when we upgraded the platform.

Thank you very much again.

On Tue, 20-01-2009 at 08:54 -0600, Oscar Esquivel wrote:
> Hello, I had a problem like that before....
> Full message is "TCP packet out of state: First packet isn't SYN;"
>
> This happens sometimes because of routing issues....your firewall maybe
> is connected to another routing device or firewall, so the initiating
> connection of your SQL connection (SYN PACKET) is not passing through the
> firewall, but the receiving connection (ACK PACKET) is passing through
> the firewall, that's why it tells you that first packet should be SYN,
> instead of ACK.......that means that the firewall is not seeing the first
> packet connection, because you are sending that packet through another
> routing device. What you can do is a traceroute from your SQL clients ->
> SQL server and vice versa. That could give you a pretty good idea if
> something with the routing is not ok.
>
> I hope this helps..
>
> Rgds.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Esteban
> Serrano
> Sent: Tuesday, January 20, 2009 01:59 a.m.
> To: [email protected]
> Subject: [FW-1] Dropped out-of-state connections after upgrade from R60
> to R65
>
> Hi everybody.
>
> We have upgraded our firewall platform, running in a Crossbeam X40
> chassis, from R60 to R65 HFA30 last week.
>
> Since then, we have noticed that some legitimate Oracle SQL connections
> are being dropped. The log says they are out-of-state packets, though
> they shouldn't.
>
> We have checked whether aggressive aging was activated, but it seems it
> isn't:
>
> fw_1 (crossbeam): root$ fw ctl pstat
>
> Machine Capacity Summary:
> Memory used: 2% (22MB out of 801MB) - below low watermark
> Concurrent Connections: 0% (124 out of 24900) - below low watermark
> Aggressive Aging is not active
>
> Any ideas?
>
> Thanks in advance!
>
> Esteban Serrano

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
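The two explanations raised in this thread (a SYN the capture point never saw, and a connection idle for longer than the one-hour timeout) can be told apart from a packet capture. The following is an added example, not part of the original messages; it assumes text output from `tcpdump -tt -n tcp` in the current `Flags [..]` format, and the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: input is text from `tcpdump -tt -n tcp` (epoch timestamps).
LINE = re.compile(r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]")
TCP_TIMEOUT = 3600  # seconds; the "over 1 hour" threshold mentioned in the thread

def flow_key(a, b):
    """Direction-independent key so both halves of a connection group together."""
    return tuple(sorted((a, b)))

def classify(lines, timeout=TCP_TIMEOUT):
    """Map each TCP flow in the capture to 'no-syn-seen', 'idle-timeout' or 'ok'."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            flows[flow_key(m["src"], m["dst"])].append((float(m["ts"]), m["flags"]))
    verdicts = {}
    for key, pkts in flows.items():
        pkts.sort()
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        if pkts[0][1] != "S":
            # This capture point never saw the SYN: the asymmetric-path case
            # (also true if the capture simply started mid-connection).
            verdicts[key] = "no-syn-seen"
        elif gaps and max(gaps) > timeout:
            # Handshake seen, then silence longer than the state-table timeout.
            verdicts[key] = "idle-timeout"
        else:
            verdicts[key] = "ok"
    return verdicts

# Constructed sample capture (addresses and values are illustrative only).
SAMPLE = [
    "1232440000.000000 IP 10.1.1.5.40001 > 10.2.2.9.1521: Flags [S], seq 1, win 5840, length 0",
    "1232440000.001000 IP 10.2.2.9.1521 > 10.1.1.5.40001: Flags [S.], seq 9, ack 2, win 5792, length 0",
    "1232440000.002000 IP 10.1.1.5.40001 > 10.2.2.9.1521: Flags [.], ack 10, win 5840, length 0",
    "1232444000.000000 IP 10.1.1.5.40001 > 10.2.2.9.1521: Flags [P.], seq 2:50, ack 10, win 5840, length 48",
    "1232440100.000000 IP 10.2.2.9.1521 > 10.1.1.6.40002: Flags [S.], seq 7, ack 4, win 5792, length 0",
    "1232440100.001000 IP 10.1.1.6.40002 > 10.2.2.9.1521: Flags [.], ack 8, win 5840, length 0",
    "1232440200.000000 IP 10.1.1.7.40003 > 10.2.2.9.1521: Flags [S], seq 3, win 5840, length 0",
    "1232440200.001000 IP 10.2.2.9.1521 > 10.1.1.7.40003: Flags [S.], seq 5, ack 4, win 5792, length 0",
]

if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE).items():
        print(flow, verdict)
```

Running it against captures taken on both the ingress and egress interfaces shows which side is missing the handshake or sees the long idle gap.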
