Hiya,
I'm running V4.1 SP5 and I have found that this is not entirely true
and some unencrypted connections are dropped after policy install.
I get a few reported telnet drops (at least 10 but maybe there are more
telnet drops as well as other ports like SQLnet that are being dropped
but not reported).
It's strange really....
A little off topic for you Misha (and I apologise) but perhaps still
relevant, but I wonder if anyone has figured out how to stop specifically
Telnet from dropping during policy push?
To elaborate, I have noticed that all Telnet sessions that do NOT drop
send a 40 byte packet from client to server - (as per info column in
log viewer) the exact same second that the rulebase is pushed (as per
time listed by the control connection in the log). However, packets
that DO get dropped do NOT send a 40 byte packet at the time the policy
is pushed but some random time later - usually within an hour of policy
push.
I haven't had a chance to do a packet sniff at the same time as a policy
push yet, but I am suspecting the 40 byte packet is an ACK from the
client triggered by the policy push and thus causing the session to be
re-entered into the state table. Further, the sessions that are getting
dropped are for some reason not sending this ACK packet and then not
getting re-entered into the state table, and when the client next does
a key-stroke, a rule 0 packet drop occurs and the session appears dropped
to the user (nb - this rule 0 drop is often up to 90 minutes after the
late ACK sent from the dropped session that occurs usually within 60
minutes of policy push).
eg - Policy push 12pm
       |
       +-- For non-session drops: ACK sent at 12pm  ---> all ok
       |
       +-- For session drops:     ACK not sent until say 12:46pm
                                  (but at different times)
                                  ---> Rule 0 drop (unest TCP packet),
                                       all at 14:10pm then every 2 min,
                                       about 4 times.
If I am correct in assuming it is this ACK packet not being sent on
policy push that is causing the session drop, then does anybody know why
the packet would not be sent and other sessions do send the packet?
Hope so, because I am now limited to pushing policies after hours for
this one firewall or I get a particular manager jumping up and down...
Many thanks
Roland
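The correlation Roland describes (policy push time from the control connection, 40 byte packets per telnet session, later rule 0 drops) can be checked over a log export rather than by eye. The script below is an added example and not code from the post or from Check Point; the "time;action;src;dst;service;info" record layout and the sample records are constructed for the example and are not the real FW-1 log viewer export format. It classifies each telnet session by whether its 40 byte packet was logged in the same second as the push, and for the others reports how late that packet came and how long after it the first rule 0 drop appeared.

```python
"""Correlate firewall log records around a policy install.

Added example, not code from the mailing list post. The record layout is a
constructed, simplified "time;action;src;dst;service;info" form, NOT the real
FW-1 log viewer export format. It reproduces the observation in the post:
telnet sessions whose 40 byte packet is logged in the same second as the
policy install survive, while sessions whose 40 byte packet only shows up
later tend to end in rule 0 "unest TCP packet" drops.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed layout, see module docstring).
SAMPLE_LOG = """\
12:00:00;control;mgmt;fw1;FW1_mgmt;policy installed
12:00:00;accept;10.1.1.5;10.2.2.9;telnet;len 40
12:00:00;accept;10.1.1.6;10.2.2.9;telnet;len 40
12:46:10;accept;10.1.1.7;10.2.2.9;telnet;len 40
12:10:33;accept;10.1.1.5;10.2.2.9;telnet;len 52
14:10:02;drop;10.1.1.7;10.2.2.9;telnet;rule 0 unest TCP packet
14:12:05;drop;10.1.1.7;10.2.2.9;telnet;rule 0 unest TCP packet
13:05:00;accept;10.1.1.8;10.2.2.9;telnet;len 40
"""


def parse(log_text):
    """Turn the semicolon-separated lines into dicts, sorted by time."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, action, src, dst, service, info = line.split(";", 5)
        records.append({
            "time": datetime.strptime(t, "%H:%M:%S"),
            "action": action, "src": src, "dst": dst,
            "service": service, "info": info,
        })
    return sorted(records, key=lambda r: r["time"])


def policy_install_times(records):
    """Times of the control-connection entries that mark a policy push."""
    return [r["time"] for r in records
            if r["action"] == "control" and "policy installed" in r["info"]]


def minutes(delta):
    return int(delta.total_seconds() // 60)


def report(records, service="telnet", window=timedelta(seconds=1)):
    """Per (src, dst) session: did a 40 byte packet land at push time, and
    if not, when did the late one arrive and when did rule 0 drops start."""
    pushes = policy_install_times(records)
    if not pushes:
        raise ValueError("no policy install record in log")
    push = pushes[0]  # the sample contains a single push

    sessions = defaultdict(lambda: {"ack_at_push": False,
                                    "late_ack": None, "drops": []})
    for r in records:
        if r["service"] != service:
            continue
        s = sessions[(r["src"], r["dst"])]
        if r["action"] == "accept" and r["info"] == "len 40":
            if abs(r["time"] - push) < window:
                s["ack_at_push"] = True      # re-entered state table at push
            elif r["time"] > push and s["late_ack"] is None:
                s["late_ack"] = r["time"]    # first 40 byte packet after push
        elif r["action"] == "drop" and r["info"].startswith("rule 0"):
            s["drops"].append(r["time"])

    out = {}
    for key, s in sessions.items():
        entry = {"rule0_drops": len(s["drops"]),
                 "late_ack_min": None, "drop_after_ack_min": None}
        if s["ack_at_push"]:
            entry["status"] = "re-entered at push"
        else:
            if s["late_ack"] is not None:
                entry["late_ack_min"] = minutes(s["late_ack"] - push)
            if s["drops"]:
                entry["status"] = "dropped (rule 0)"
                if s["late_ack"] is not None:
                    entry["drop_after_ack_min"] = minutes(s["drops"][0] - s["late_ack"])
            else:
                entry["status"] = "late ack, no rule 0 drop yet"
        out[key] = entry
    return out


if __name__ == "__main__":
    for key, entry in sorted(report(parse(SAMPLE_LOG)).items()):
        print(key, entry)
```

Sessions reported as "late ack, no rule 0 drop yet" are the ones to watch after a push: on the post's theory they were not re-entered into the state table and will fail on the next keystroke. Adapting the script to a real export means replacing only `parse()` with the exporter's actual column layout.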
-----Original Message-----
From: Misha Alikov [mailto:alikov@;COMCAST.NET]
Sent: Wednesday, October 23, 2002 9:17 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Policy Install breaks encrypted connections under NG-FP1
I am testing NG-FP1 (under AIX) and find that a policy install breaks
all encrypted connections - SecuRemote & VPN Tunnels - i.e. the IP50
connections. The unencrypted connections are unaffected by a policy
install. Policy installs didn't break any connections (encrypted or
unencrypted) on v41-SP5.
Anyone have any idea regarding how to fix this major stumbling block
to my v41-SP5 -> NG-FP1 conversion?
Thanks in advance ...
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================