Hello, I have seen this problem before; in my case it was a routing issue. Your firewall must receive the SYN packet (initiation of a communication) in order to allow/deny a connection, but it seems that your firewall is not seeing the very first packet of the communication (SYN).

Make sure that when you start the communication between those 2 hosts, those packets are routed through the firewall, so when packets come back (SYN ACK or any other), the firewall recognizes that connection (stateful inspection) in its routing/connection table.

You can use fw monitor to check the incoming and outgoing packets, to make sure all traffic is routed through your firewall.

-----Original message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On behalf of Verweyen, Dirk
Sent: Thursday, April 22, 2010 6:06 AM
To: [email protected]
Subject: [FW-1] AW: [FW-1] Again: TCP packet out of state: First packet isn't SYN

Hi Hugo,

thanks for your reply. I looked at the server and there is no entry in the registry. That means that the server uses the default value of 2 hours.

Is there another solution for this kind of problem?

Greetings,
Dirk

-----Original message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On behalf of hvdkooij
Sent: Tuesday, 20 April 2010 11:32
To: [email protected]
Subject: Re: [FW-1] Again: TCP packet out of state: First packet isn't SYN

On Tue, 20 Apr 2010 09:47:13 +0200, "Verweyen, Dirk" <[email protected]> wrote:
> we have upgraded to a R70-Gateway running on SmartPlatform.
> With this Gateway we are building a VPN to a UTM1-Edge.
>
> Between this VPN we have a problem, that our ERP-Client (Baan)
> is losing its connection to its server.
>
> We have in both directions "TCP packet out of state: First packet isn't
> SYN tcp_flags: ACK" errors.

Sounds like inactive sessions. In those instances I always recommend to fix the servers and set their TCP Keep-Alive to 900 seconds.

Hugo.

--
YES, I am as mad as a door | NO, that will never get better
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
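
The two causes discussed in this thread (an idle session aging out of the firewall's state table, and a SYN that is routed around the firewall) can be reproduced with a small model. This is an added example, not part of the original messages and not Check Point's implementation; the class and function names, the addresses, and the 3600-second firewall idle timeout are assumptions, while the 2-hour default and the 900-second keep-alive come from the thread.

```python
FW_IDLE_TIMEOUT = 3600    # assumed firewall TCP session timeout (seconds)
DEFAULT_KEEPALIVE = 7200  # server default mentioned in the thread (2 hours)
TUNED_KEEPALIVE = 900     # keep-alive value recommended in the thread
DROP = "drop: first packet isn't SYN"

class StatefulFirewall:
    """Minimal connection table: id -> time the last packet was seen."""
    def __init__(self, idle_timeout=FW_IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.table = {}

    def inspect(self, now, conn, flags):
        last = self.table.get(conn)
        if last is not None and now - last > self.idle_timeout:
            del self.table[conn]      # idle entry aged out of the table
            last = None
        if last is None and flags != "SYN":
            return DROP               # no state and not a connection start
        self.table[conn] = now        # create or refresh the entry
        return "accept"

# Constructed sample connection (client ip, port, server ip, port).
CONN = ("10.0.0.5", 40000, "10.0.1.9", 512)

def simulate_idle_session(keepalive, idle_period):
    """Handshake at t=0, keep-alive probes only, then data at idle_period."""
    fw = StatefulFirewall()
    fw.inspect(0, CONN, "SYN")
    fw.inspect(0, CONN, "ACK")
    t = keepalive
    while t < idle_period:
        fw.inspect(t, CONN, "ACK")    # keep-alive probe crosses the firewall
        t += keepalive
    return fw.inspect(idle_period, CONN, "ACK")

def simulate_asymmetric_route():
    """The SYN takes a path around the firewall; it first sees the SYN-ACK."""
    return StatefulFirewall().inspect(0, CONN, "SYN-ACK")

if __name__ == "__main__":
    eight_hours = 8 * 3600
    print("default keep-alive:", simulate_idle_session(DEFAULT_KEEPALIVE, eight_hours))
    print("900 s keep-alive:  ", simulate_idle_session(TUNED_KEEPALIVE, eight_hours))
    print("asymmetric route:  ", simulate_asymmetric_route())
```

The model shows why the keep-alive interval has to be shorter than the firewall's idle timeout: with the 2-hour default the first probe already arrives after the entry has expired.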
