Hi everybody,

After turning off aggressive aging in the Oracle service, the issue seems to be solved, and the out-of-state drops have disappeared.

Thanks for your help!

On Tue, 20-01-2009 at 11:25 -0600, Warrington Bruce - bwarri wrote:
> I've seen a similar issue on the same type of upgrade. Not sure if this
> is your cause as well, but it sounds like it might be related. My drops
> were related to aggressive aging, despite what the status message said.
> After the upgrade to R65 it was timing out ALL idle connections at 10
> minutes REGARDLESS of the concurrent connection watermark it was
> showing. I couldn't easily turn it off to fix the problem, because I
> upgraded to R65, instead of buying a new SKU for SmartCenter all over
> again (technically, trade-in, but same thing - I was running my old
> original SKU still, but on R65). I only went to the usercenter and
> upgraded my license to R65 to do my upgrade.
>
> Take a look in the R65 SmartDefense tab, under Network Security / Denial
> of Service, and see if "Aggressive Aging" is an option you have
> underneath that section. If you see it, your SKU is new enough to
> display it, and you can turn off aggressive aging and see if that
> doesn't fix the issue you're having. My SKU wasn't new enough, and
> aggressive aging was on by default in the code, but I had no way to turn
> it off because it was missing from the SmartDefense settings (to force
> me to buy a new SKU to get that option - I was also missing the protocol
> breakdown in SmartView Monitor, and several other things as well that
> were not originally included at the time I bought my current SKU).
>
> If that's the case, you can manually modify the aggressive aging
> parameter in your Objects file, and push a new policy to stop it from
> aging all your connections at 10 minutes. I think it's a bug that this
> particular SmartDefense option should be crippled for my SKU number if
> it's actually enabled to run in the code (no way to control it), but
> Checkpoint didn't agree, so the Objects file had to be manually edited
> to disable it. Not great, but it solved my problem.
>
> Not sure if you're seeing the same problem or not, there are many
> reasons for out of state packet drops on the firewall, but thought this
> might help to check since it's what I hit on the same type of upgrade.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Esteban
> Serrano
> Sent: Tuesday, January 20, 2009 01:59
> To: [email protected]
> Subject: [FW-1] Dropped out-of-state connections after upgrade from R60
> to R65
>
> Hi everybody.
>
> We have upgraded our firewall platform, running in a Crossbeam X40
> chassis, from R60 to R65 HFA30 last week.
>
> Since then, we have noticed that some legitimate Oracle SQL connections
> are being dropped. The log says they are out-of-state packets, though
> they shouldn't.
>
> We have checked whether aggressive aging was activated, but it seems it
> isn't:
>
> fw_1 (crossbeam): root$ fw ctl pstat
>
> Machine Capacity Summary:
>   Memory used: 2% (22MB out of 801MB) - below low watermark
>   Concurrent Connections: 0% (124 out of 24900) - below low watermark
>   Aggressive Aging is not active
>
> Any ideas?
>
> Thanks in advance!
>
> Esteban Serrano
>
> Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
