Hey.... was this one too scary? I didn't get any responses at all.
>>> "Paul Murphy" <[EMAIL PROTECTED]> 6/12/2001 03:00:26 pm >>>
Hello,
Firstly, I must apologise for starting yet another "Unknown Established" (UETP)
thread, but I could not find specific mention of my particular behaviour in the
archives.
IPSO 3.3, FW-1 SP3, IP440s in an HA config, Active/Backup
With SYNDefender off, I get expected behaviour with regards to UETP drops, and have
verified them with sniffs to ensure that the firewall is behaving correctly. This
seems to happen when both the local machine and the remote machine issue a FIN, and
they both ACK the FIN, so the connection is closed, and then a minute later the remote
machine issues an RST on the closed connection. I am presuming this is because an ACK
went astray.
With SYNDefender in Gateway mode, strange things happen.
This is the behaviour seen from a sniff outside of the firewall, and so is as seen by
the remote instigator of the connection:
The remote issues a SYN
The local issues a SYN ACK
The remote issues an ACK
This all happens within 10 secs (the SYND timeout as set) so the handshake is complete
right? But no:
The local issues another SYN ACK
The remote issues another ACK
This repeats a few times. Meanwhile, in the log, SYNDefender pipes up and says the
connection has timed out, which is right in a sense, as the firewall doesn't appear to
see that the connection is established.
Then the remote seems to tire of all this, and issues a series of FIN ACKs. One for
each of the SYN ACKS. This appears to correspond with the UETP appearing in the log.
I get this behaviour with flows on and off.
Does anyone have any insight into what is transpiring here?
Cheers,
Paul.
---------------------------------------------------------------------------------------------------------------------------
CRESTCo Ltd. The views expressed above are not necessarily those
33 Cannon Street. held by CRESTCo Limited.
London EC4M 5SB (UK)
+44 (020) 7849 0000 http://www.crestco.co.uk
---------------------------------------------------------------------------------------------------------------------------
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
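Added example, not part of the original post: a small Python check that walks one flow from an outside sniff and flags the pattern described above, where SYN ACKs keep arriving after the three-way handshake has already completed on the wire. The trace, its timestamps, the function names and the "remote"/"local" labels are constructed for illustration.

```python
# Constructed sample trace (not captured data): (seconds, sender, TCP flags)
TRACE = [
    (0.0, "remote", "S"),    # remote opens the connection
    (0.1, "local", "SA"),
    (0.2, "remote", "A"),    # handshake complete as seen outside the firewall
    (3.1, "local", "SA"),    # SYN ACK sent again although the ACK was on the wire
    (3.2, "remote", "A"),
    (9.1, "local", "SA"),
    (9.2, "remote", "A"),
    (30.0, "remote", "FA"),  # remote gives up: one FIN ACK per SYN ACK
    (30.1, "remote", "FA"),
    (30.2, "remote", "FA"),
]

def summarize(trace, initiator="remote", responder="local"):
    """Track handshake state for one flow and count post-handshake oddities."""
    state, syn_at = "CLOSED", None
    out = {"handshake_secs": None, "synack_after_handshake": 0,
           "repeat_acks": 0, "fin_acks": 0}
    for ts, sender, flags in trace:
        if sender == initiator and flags == "S" and state == "CLOSED":
            state, syn_at = "SYN_SEEN", ts
        elif sender == responder and flags == "SA":
            if state == "SYN_SEEN":
                state = "SYNACK_SEEN"
            elif state == "ESTABLISHED":
                out["synack_after_handshake"] += 1  # handshake was already done
        elif sender == initiator and flags == "A":
            if state == "SYNACK_SEEN":
                state = "ESTABLISHED"
                out["handshake_secs"] = ts - syn_at
            elif state == "ESTABLISHED":
                out["repeat_acks"] += 1             # answer to a repeated SYN ACK
        elif sender == initiator and flags == "FA":
            out["fin_acks"] += 1
    return out

def handshake_anomaly(summary, synd_timeout=10.0):
    """True when the handshake beat the timeout yet SYN ACKs were still re-sent."""
    done = summary["handshake_secs"]
    return (done is not None and done < synd_timeout
            and summary["synack_after_handshake"] > 0)

if __name__ == "__main__":
    s = summarize(TRACE)
    print(s, "anomaly:", handshake_anomaly(s))
```

Running the same check on a sniff taken inside the firewall would show whether the remote's ACK ever reaches the local machine.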