I've seen a similar issue on the same type of upgrade. Not sure if this is your cause as well, but it sounds like it might be related. My drops were related to aggressive aging, despite what the status message said. After the upgrade to R65 it was timing out ALL idle connections at 10 minutes REGARDLESS of the concurrent connection watermark it was showing. I couldn't easily turn it off to fix the problem, because I upgraded to R65, instead of buying a new SKU for SmartCenter all over again (technically, trade-in, but same thing - I was running my old original SKU still, but on R65). I only went to the usercenter and upgraded my license to R65 to do my upgrade.
Take a look in the R65 SmartDefense tab, under Network Security / Denial of Service, and see if "Aggressive Aging" is an option you have underneath that section. If you see it, your SKU is new enough to display it, and you can turn off aggressive aging and see if that doesn't fix the issue you're having. My SKU wasn't new enough, and aggressive aging was on by default in the code, but I had no way to turn it off because it was missing from the SmartDefense settings (to force me to buy a new SKU to get that option - I was also missing the protocol breakdown in SmartView Monitor, and several other things as well that were not originally included at the time I bought my current SKU). If that's the case, you can manually modify the aggressive aging parameter in your Objects file, and push a new policy to stop it from aging all your connections at 10 minutes. I think it's a bug that this particular SmartDefense option should be crippled for my SKU number if it's actually enabled to run in the code (no way to control it), but Checkpoint didn't agree, so the Objects file had to be manually edited to disable it. Not great, but it solved my problem. Not sure if you're seeing the same problem or not; there are many reasons for out-of-state packet drops on the firewall, but thought this might help to check since it's what I hit on the same type of upgrade.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Esteban Serrano
Sent: Tuesday, January 20, 2009 01:59
To: [email protected]
Subject: [FW-1] Dropped out-of-state connections after upgrade from R60 to R65

Hi everybody.

We have upgraded our firewall platform, running in a Crossbeam X40 chassis, from R60 to R65 HFA30 last week. Since then, we have noticed that some legitimate Oracle SQL connections are being dropped. The log says they are out-of-state packets, though they shouldn't be.

We have checked whether aggressive aging was activated, but it seems it isn't:

fw_1 (crossbeam): root$ fw ctl pstat
Machine Capacity Summary:
  Memory used: 2% (22MB out of 801MB) - below low watermark
  Concurrent Connections: 0% (124 out of 24900) - below low watermark
  Aggressive Aging is not active

Any ideas? Thanks in advance!

Esteban Serrano
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
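The thread's practical lesson is that the "Aggressive Aging is not active" line in `fw ctl pstat` is worth reading alongside the symptom (idle connections dying at the 10-minute mark) rather than on its own. The following Python is an added example, not code from the thread or from Check Point: it parses the Machine Capacity Summary block quoted above into structured fields and turns the result, plus an optionally measured idle-drop interval, into a short list of findings. The sample input is constructed from the quoted output; the 600-second timeout constant, the 60-second tolerance, and the treatment of any watermark text other than "below low watermark" as resource pressure are assumptions for this example, not documented product behaviour.

```python
import re

# Constructed sample input: the "Machine Capacity Summary" block that
# `fw ctl pstat` printed in the thread above. Other sections of the real
# command's output are omitted; the regexes below only need this block.
SAMPLE_PSTAT = """\
fw_1 (crossbeam): root$ fw ctl pstat
Machine Capacity Summary:
  Memory used: 2% (22MB out of 801MB) - below low watermark
  Concurrent Connections: 0% (124 out of 24900) - below low watermark
  Aggressive Aging is not active
"""

# The idle timeout the reply author saw aggressive aging apply (10 minutes).
# Assumed constant for this example; not a documented default.
AGGRESSIVE_AGING_TIMEOUT_S = 600
TOLERANCE_S = 60  # assumed slack when matching an observed idle-drop interval

_MEM_RE = re.compile(
    r"Memory used:\s*(?P<pct>\d+)%\s*\((?P<used>\d+)MB out of (?P<total>\d+)MB\)\s*-\s*(?P<state>.+)")
_CONN_RE = re.compile(
    r"Concurrent Connections:\s*(?P<pct>\d+)%\s*\((?P<used>\d+) out of (?P<total>\d+)\)\s*-\s*(?P<state>.+)")
_AGING_RE = re.compile(r"Aggressive Aging is (?P<state>not active|active)")


def parse_capacity_summary(text):
    """Parse the Machine Capacity Summary block of `fw ctl pstat` output.

    Returns a dict with memory, connection and aggressive-aging fields.
    Raises ValueError if any of the three expected lines is missing.
    """
    mem = _MEM_RE.search(text)
    conn = _CONN_RE.search(text)
    aging = _AGING_RE.search(text)
    if not (mem and conn and aging):
        raise ValueError("Machine Capacity Summary block not found or incomplete")
    return {
        "memory_pct": int(mem["pct"]),
        "memory_used_mb": int(mem["used"]),
        "memory_total_mb": int(mem["total"]),
        "memory_state": mem["state"].strip(),
        "conn_pct": int(conn["pct"]),
        "conn_used": int(conn["used"]),
        "conn_total": int(conn["total"]),
        "conn_state": conn["state"].strip(),
        "aggressive_aging": aging["state"] == "active",
    }


def assess(summary, observed_idle_drop_s=None):
    """Turn a parsed summary (and, optionally, the measured idle time after
    which legitimate connections get dropped) into a list of findings."""
    findings = []
    if summary["aggressive_aging"]:
        findings.append("aggressive aging reported active: idle connections are timed out early")
    # Assumption: anything other than "below low watermark" means the gateway
    # is under memory or connection-table pressure.
    for name in ("memory_state", "conn_state"):
        if "below low watermark" not in summary[name]:
            findings.append(f"{name} is '{summary[name]}': gateway is under resource pressure")
    if (observed_idle_drop_s is not None
            and not summary["aggressive_aging"]
            and abs(observed_idle_drop_s - AGGRESSIVE_AGING_TIMEOUT_S) <= TOLERANCE_S):
        # The case from the reply: pstat says inactive, but drops line up with
        # the 10-minute aging timeout, so the setting itself needs checking.
        findings.append(
            "drops cluster around the 10-minute aggressive-aging timeout although pstat "
            "reports it inactive; check the SmartDefense Aggressive Aging setting and the "
            "aggressive-aging parameter in the Objects file")
    if not findings:
        findings.append("no capacity or aging indicator explains the out-of-state drops")
    return findings


if __name__ == "__main__":
    parsed = parse_capacity_summary(SAMPLE_PSTAT)
    for line in assess(parsed, observed_idle_drop_s=600):
        print(line)
```

In practice you would feed the function the saved output of `fw ctl pstat` from the affected gateway and pass the idle interval you measured from the out-of-state drop logs; the parser raises rather than guessing if the block is absent, so a changed output format is reported instead of silently yielding empty findings.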
