Rainfinity support is worth every penny and I strongly suggest you get it.
I have found them to be very helpful and knowledgeable every time I have
called them.
In the meantime, as a workaround, you can use the Rainwall Management
Console (their Java based management app thingy) and drag all of the IP
addresses to a single node in the cluster. Then right click the address on
the node and set it to "sticky" (their term, not mine).
This assigns all of the VIPs to a single node in the cluster and makes sure
that they stay there. So, in essence you are running everything across a
single node in the cluster. You lose the load balancing capability with
this configuration, but you still have high availability, since, if the node
all the VIPs are on keels over, they will move to the other node
dynamically.
If moving all the VIPs to a single node clears up your issue, it is highly
likely that you have a state table synch problem, and Rainfinity tech
support will become your new best friends.
Hope this helps,
Jim
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 15, 2000 7:20 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [FW1] Any SYN ~ FW1/Rainwall expert out there ?
The state tables, in short, are horrible. There is no way to verify with a
tool that all of your state tables are in sync.
Basically, make sure your sync.conf file uses the 'official' address of each
firewall (and by that I mean the address you use to push the policy to,
most likely your external public IP addresses).
Second, make sure your keys are all in sync with all of the other boxes. fw
putkey -p <key> <fw module>. You can visually verify that each firewall has
a key for all of the others by looking at /etc/fw/conf/fwauth.keys but the
key is useless in that file.
Third, you can run a loop like:
while /bin/true
do
    fw tab -t connections -s    # print the connections table summary (#VALS column)
    sleep 1                     # pause between samples so the loop does not spin
done
on all of the machines to make sure that the #VALS is really close on all of
the boxes.
I've found the easiest way to check for a state problem is to do an fwstop
on all of the firewalls except 1, then start bringing the others on line.
Hope this helps - I would probably buy support from the Rainfinity people.
They are infinitely helpful with the product. The only real complaint I
have is using the Java tool for monitoring (no Java wars please).
Chris
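The comparison Chris describes in his third step, scripted as an added example (this is not code from the thread or from Check Point/Rainfinity): it takes the summary that "fw tab -t connections -s" prints on each member, pulls out the #VALS column, and flags the pair when the counts drift apart by more than a tolerance. It assumes the summary header reads HOST NAME ID #VALS #PEAK #SLINKS (the column name used on this page) and that you have already captured each member's output, for instance by running the command on each box from cron; the two outputs below are constructed sample data, not real captures.

```sh
#!/bin/sh
# Added example: compare the #VALS column of "fw tab -t connections -s"
# across two cluster members and flag drift that would suggest the state
# tables are not in sync. Not from the thread; format assumed as below.
#
# Assumed summary format (header then one line per table):
#   HOST    NAME    ID #VALS #PEAK #SLINKS

# Constructed sample output from each firewall (labelled as constructed;
# in practice capture it by running the command on each member).
FWA_OUT='HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                8158  1204  2310  1204'
FWB_OUT='HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                8158   217  2290   217'

# vals_of: print the #VALS figure for the connections table from one summary.
# The column is located by header name so column order changes do not break it.
vals_of() {
    printf '%s\n' "$1" | awk '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "#VALS") col = i; next }
        $2 == "connections" { print $col; exit }'
}

# drift_pct: integer percent difference between two counts, relative to the larger.
drift_pct() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        d = a - b; if (d < 0) d = -d
        m = (a > b) ? a : b
        if (m == 0) { print 0; exit }
        printf "%d", (100 * d) / m
    }'
}

# check_sync: return 0 when the two members are within TOLERANCE percent
# (default 20, an assumed threshold), 1 when they are not. A large gap right
# after both members have been up for a while is the symptom Chris describes.
check_sync() {
    tol=${3:-20}
    a=$(vals_of "$1")
    b=$(vals_of "$2")
    p=$(drift_pct "$a" "$b")
    if [ "$p" -gt "$tol" ]; then
        echo "STATE SYNC SUSPECT: fwA=$a fwB=$b drift=${p}% (> ${tol}%)"
        return 1
    fi
    echo "ok: fwA=$a fwB=$b drift=${p}%"
    return 0
}

# Demo run on the constructed samples (the drifted pair above trips the check).
check_sync "$FWA_OUT" "$FWB_OUT" || :
```

A single sample can mislead, since short-lived connections make #VALS fluctuate; compare several samples taken close together, and treat a gap that persists across samples as the signal.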
-----Original Message-----
From: Cisco Wave [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 15, 2000 5:17 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [FW1] Any SYN ~ FW1/Rainwall expert out there ?
Dear All,
Any SYN ~ FW1/Rainwall expert out there ?
Thanks,
Greg,
The problem is that I have no support for Rainwall, I
just inherited this setup when I joined ... Wish me
good luck ...
Do you know any commands that can show me something
regarding these state tables ?
Cheers,
-----Original Message-----
From: Scheidel, Greg [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, June 14, 2000 9:18 PM
To: 'Cisco Wave'
Subject: RE: Tests on SYN Defender Problems
It sounds like you have an issue with Rainwall synchronizing SYN Defender
state table information between the two firewalls running in parallel. I'm
not familiar at all with Rainwall; your best bet I think would be to go to
their Rainwall tech support and get them to help you resolve it.
Good luck, and please let us all know if / how you get this resolved.
Greg S.
-----Original Message-----
From: Cisco Wave [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 14, 2000 4:37 AM
To: [EMAIL PROTECTED]
Cc: Scheidel, Greg; [EMAIL PROTECTED]
Subject: Tests on SYN Defender Problems
All,
Thank you very much for your support. After some testing, here is what I
found. It is a bit long, but worth looking at.
I have some pictures explaining the following and some simple traces for
about 100K in a zip file if you are interested.
Let me know,
I am running 2 checkpoint FW1 (fwA and fwB) in parallel on SUN UNIX with
Rainwall.
The ftp communication is going from host1 to host2
host1 sends a SYN to host2
only one FW (fwB) sees this SYN passing
fwB copies and sends this SYN to fwA [3]
-> I think this is to inform the parallel firewall fwA of the opening of
the TCP connection between host1 and host2 via fwB ...
-> Can somebody confirm/deny this ? Is it a Checkpoint feature or Rainwall
feature ?
-> Is it a normal behaviour ?
host2 sends back a SYN-ACK to host1
only fwB sees this SYN-ACK
Also, because of [3] fwA received a SYN
-> Layer 2 wise this SYN is coming from the other firewall
-> Layer 3 wise this SYN is coming from host1 (which is not correct)
fwA sends back a SYN-ACK to host1
-> Here I wonder if it should work this way ...
-> My guess is that as fwA is not carrying the session, but only fwB, it
should not send a SYN-ACK back to the host, but maybe back to fwB
-> Does somebody know how it works for 2 FW in parallel, when they need
to be aware of the sessions opened ?
host1 sends an ACK to host2
-> the TCP opening is complete (SYN, SYN-ACK, then ACK)
only fwB sees this ACK
fwA will never see this ACK.
-> After the 10 seconds timeout of the SYNDefender option, the fwA daemon
will clear the TCP session.
-> fwA is claiming that it is a non valid session because no ACK was
received back.
-> Fair enough, on a standalone basis, but fwB received the ACK
-> The ACK was sent back, but only fwB saw it.
-> Is fwA wrong, or should fwB have informed fwA of this ACK received back ?
The main issue here is to determine where the problem is within the
Checkpoint/FW/Rainwall complex.
Should fwB inform fwA that it received the ACK ?
Should fwA have sent the SYN-ACK to fwB and not the host (ie looked at layer
2 and not layer 3 information) ?
Should fwB not have copied the SYN to fwA [3] in the first place ?
How to check that fwA and fwB are aware of each other (ie working in
parallel) ?
Does someone have some insights ?
Thank you for your help,
PS:
Only the specific traffic was seen on the FW
No TCP timeout issues on both hosts and FW
All loggings and rules are okay and matched
Removing the SYNDefender fixed the problem
Changing the timing on the SYNDefender does not solve the issue.
-----Original Message-----
From: Scheidel, Greg [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, June 14, 2000 3:48 AM
To: '[EMAIL PROTECTED]';
[EMAIL PROTECTED]
Subject: RE: [FW1] More SYN Defender Problems
- For all testing, test with an application that you can control and not
have any traffic except your tests.
- TCP Timeout default setting is 3600 secs. Try setting to that and retest;
see if it makes a difference. If it does, then it points to TCP Timeout
setting.
- Make sure you've turned on "Display Warning Messages" on the SYN Defender
options, and that you're using Long logging on your clean-up rule. Look at
the log and see if you're getting SYN Defender drops or clean-up rule drops.
- If you're getting clean-up rule drops, it points back at the TCP Timeout
setting.
- Check the log to see if the dropped packets match (Destination Port=TCP
high port), (Source Port=Port used to initiate communications with the
server). If they do, it again points to the TCP Timeout setting.
- Check to see if the log lines do in fact say "message SYN -> SYN-ACK ->
timeout", "message SYN -> SYN-ACK -> RST" or something similar. If so, it
points back to SYN Defender.
- Test with SYN Defender (passive or active) completely turned off. That'll
tell you if it's related to SYN Defender at all.
- Put a sniffer on both sides of the firewall and look for traffic between
your test server and client. Compare that to the firewall logs, see if
anything is getting dropped that isn't being accurately logged. Confirm
that you are logging on all of your rules. If you are and still don't see
accurate & full logging, re-examine all of your Policy Properties.
SYN Defender cannot be set per interface; it's all or nothing.
Greg S.
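The log triage in Greg's checklist (SYN Defender drops versus clean-up rule drops, and the destination-high-port / source-service-port pattern that points at TCP Timeout), written up as an added example; this is not code from the thread or from Check Point. It assumes the drop records have been exported to a simplified semicolon-separated form with the fields time;action;rule;proto;src;s_port;dst;service;message, which is a constructed layout for the example (a real "fw logexport" has more columns and a different order, so the awk column numbers would need adjusting), and the clean-up rule number 12 is an assumed value.

```sh
#!/bin/sh
# Added example: sort dropped-packet log lines into the buckets Greg's
# checklist asks about. Not from the thread; the export format is assumed.
#
# Assumed (constructed) field layout, semicolon separated:
#   1 time  2 action  3 rule  4 proto  5 src  6 s_port  7 dst  8 service  9 message

# Constructed sample log lines: a ftp session from 10.1.1.5 to 10.2.2.7.
LOG='10:01:02;drop;12;tcp;10.1.1.5;1034;10.2.2.7;21;
10:01:05;drop;0;tcp;10.1.1.5;1035;10.2.2.7;21;SYN -> SYN-ACK -> timeout
10:01:09;drop;12;tcp;10.2.2.7;21;10.1.1.5;1034;
10:01:12;accept;3;tcp;10.1.1.5;1036;10.2.2.7;21;'

CLEANUP_RULE=12   # assumption: number of the clean-up (last) rule in the policy

# classify: count drops per bucket. Prints one summary line:
#   syndefender=N cleanup=N cleanup_reverse=N other=N
# "cleanup_reverse" is a clean-up drop whose destination is a high port and
# whose source is a service port, i.e. the server's reply for a session the
# firewall has already forgotten, the pattern Greg ties to TCP Timeout.
classify() {
    printf '%s\n' "$1" | awk -F';' -v cleanup="$2" '
        $2 != "drop" { next }
        $9 ~ /SYN -> SYN-ACK -> (timeout|RST)/ { syn++; next }
        $3 == cleanup && $8 + 0 > 1023 && $6 + 0 < 1024 { rev++; next }
        $3 == cleanup { clean++; next }
        { other++ }
        END { printf "syndefender=%d cleanup=%d cleanup_reverse=%d other=%d\n",
                     syn, clean, rev, other }'
}

# verdict: turn the counts into the pointer Greg's checklist gives for each bucket.
verdict() {
    s=$(classify "$1" "$2")
    hints=""
    case "$s" in *syndefender=0*) ;; *) hints="SYN Defender" ;; esac
    case "$s" in *cleanup_reverse=0*) ;; *) hints="${hints:+$hints; }TCP Timeout" ;; esac
    echo "${hints:-nothing conclusive}"
}

# Demo run on the constructed lines.
classify "$LOG" "$CLEANUP_RULE"
verdict "$LOG" "$CLEANUP_RULE"
```

Run it against a window that contains only your controlled test traffic, as the first item on the checklist says, so the counts are not swamped by unrelated drops.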
-----Original Message-----
From: Frank [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 13, 2000 12:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW1] More SYN Defender Problems
I'm seeing the same thing. My TCP timeout is way up
there in thousands of
seconds. The SYN defender timeout is 60 seconds.
Database access between firewall segments fail.
Can SYN defender be turned on for only one interface?
Frank
On Tue, 13 Jun 2000, Cisco Wave wrote:
> I thought about this too, but it can't explain why it
> is happening for different vendors and different
> systems and different applications (even plain ftp).
>
>
> -----Original Message-----
>
> what about your tcp connection timeout? not
> syndefender, but tcp connection time
> out. looks like the time out are for your tcp
> services.
>
> Cisco Wave wrote:
>
> > morning with some external vendor, because a few
> > applications are failing when SYNDef is set.
> >
> > -----Original Message-----
> > From: Frank [SMTP:[EMAIL PROTECTED]]
> >
> > Thank you for all the suggestions.
> >
> > However, I set it to the max. timeout of 60 sec. and
> > it blocks so many of our applications. BigBrother, http, database, all
> > sorts of applications are getting blocked. Mostly communication between
> > ethernet segments.
> >
> > I'm running 4.0 with SP 5. Various Solaris and Nokia
> > firewalls. Mostly an NT network with a few Solaris servers for database.
> >
> > Passive and non-passive SYN gateway don't seem to make
> > any difference.
> >
> > Anything else I can do?
> >
> > Frank
> >
> > On Fri, 9 Jun 2000, Frank wrote:
> >
> > > Date: Fri, 9 Jun 2000 12:20:36 -0700 (PDT)
> > > From: Frank <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Subject: SYN Defender Problems
> > >
> > > I'm attempting to configure SYN Defender. It seems
> > > that any option I choose appears to block access to our mail server (MS
> > > Exchange). I've tried all the options and increased the timeout to 20.
> > >
> > > Any ideas?
> > >
> > >
> >
> >
>
================================================================================
> > To unsubscribe from this mailing list, please
> see
> > the instructions at
> >
> > http://www.checkpoint.com/services/mailing.html
> >
>
=====
We are NOT Cisco Inc.
__________________________________________________
Do You Yahoo!?
Yahoo! Photos -- now, 100 FREE prints!
http://photos.yahoo.com