From your logs, it looks like you have one of two situations:
1) You have multiple Internet connections and traffic is leaving one
place and entering through another, thereby screwing up the state table
(asynchronous routing)
2) You're experiencing network latency such that the AOL servers are
re-transmitting packets that you've already received. In this case, the
firewall would drop the re-transmissions, and it looks like you're
logging those.
Have you tried sniffing on the outside of the firewall? I'd bet you'll
see packets like:
1Aug2000 8:43:18 drop 1318 152.163.244.93 MYWorkstation tcp AOL
are not SYNs, but ACKs.
Just a few thoughts...
Jason
[EMAIL PROTECTED] wrote:
>
> Hello,
>
> I am being plagued by users wanting to work (or play?) with AOL's instant
> messenger service (AIM) through my Firewall 1 (4.0 on Solaris). They are
> having intermittent problems with receiving new message session attempts
> and having to log in repeatedly. I am seeing dropped packets in the
> firewall log that originate at AOL's servers.
>
> I see the AIM client connecting to the AIM servers every 5 minutes and what
> looks like the AIM servers attempting to start new TCP sessions back to the
> clients every five minutes and whenever someone tries to start a new AIM
> messaging session with one of my users. It does not look like the TCP
> session is timing out, rather like the AIM servers are trying to establish
> new sessions to the source ports our workstations use to connect to AIM.
> The AIM TCP port (5190) shows up as the source ports of these attempts.
>
> Has anyone else run into this? Are these just session timeouts that are
> not being logged correctly? Can anyone think of a way to allow these
> inbound sessions when I cannot know what ports they will be coming to (I
> don't see a way to create a rule based solely on the TCP source port -- it
> is requiring me to enter a destination port)?
>
> And a related question: What is a good TCP timeout to set on the firewall?
>
> Here is a log snippet showing a typical session from the time I open the
> AIM client to about 30 minutes later:
>
> DATE TIME ACTION Service SourceIP DestIP Protocol SourcePort
> 1Aug2000 8:33:19 accept AOL MYWorkstation 152.163.242.24 tcp 1317
> 1Aug2000 8:33:20 accept AOL MYWorkstation 152.163.244.93 tcp 1318
> 1Aug2000 8:33:22 accept AOL MYWorkstation 205.188.4.112 tcp 1321
> 1Aug2000 8:33:22 accept AOL MYWorkstation 205.188.6.209 tcp 1320
> 1Aug2000 8:33:23 accept AOL MYWorkstation 152.163.241.90 tcp 1322
> 1Aug2000 8:38:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
> 1Aug2000 8:38:18 accept AOL MYWorkstation 205.188.4.112 tcp 1321
> 1Aug2000 8:38:18 accept AOL MYWorkstation 205.188.6.209 tcp 1320
> 1Aug2000 8:43:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
> 1Aug2000 8:43:18 accept AOL MYWorkstation 205.188.6.209 tcp 1320
> 1Aug2000 8:43:18 drop 1318 152.163.244.93 MYWorkstation tcp AOL
> 1Aug2000 8:43:18 drop 1320 205.188.6.209 MYWorkstation tcp AOL
> 1Aug2000 8:48:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
> 1Aug2000 8:48:18 accept AOL MYWorkstation 205.188.6.209 tcp 1320
> 1Aug2000 8:48:18 drop 1318 152.163.244.93 MYWorkstation tcp AOL
> 1Aug2000 8:48:18 drop 1320 205.188.6.209 MYWorkstation tcp AOL
> 1Aug2000 8:53:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
> 1Aug2000 8:53:18 accept AOL MYWorkstation 205.188.6.209 tcp 1320
> 1Aug2000 8:53:18 drop 1318 152.163.244.93 MYWorkstation tcp AOL
> 1Aug2000 8:53:18 drop 1320 205.188.6.209 MYWorkstation tcp AOL
> 1Aug2000 8:53:44 accept AOL MYWorkstation 152.163.241.92 tcp 1362
> 1Aug2000 8:58:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
> 1Aug2000 8:58:18 accept AOL MYWorkstation 205.188.6.209 tcp 1320
> 1Aug2000 8:58:18 drop 1320 205.188.6.209 MYWorkstation tcp AOL
> 1Aug2000 9:03:19 accept AOL MYWorkstation 152.163.244.93 tcp 1318
> 1Aug2000 9:03:19 accept AOL MYWorkstation 205.188.6.209 tcp 1320
> 1Aug2000 9:03:19 drop 1318 152.163.244.93 MYWorkstation tcp AOL
> 1Aug2000 9:03:19 drop 1320 205.188.6.209 MYWorkstation tcp AOL
> 1Aug2000 9:08:19 accept AOL MYWorkstation 152.163.244.93 tcp 1318
> 1Aug2000 9:08:19 accept AOL MYWorkstation 205.188.6.209 tcp 1320
> 1Aug2000 9:08:19 drop 1318 152.163.244.93 MYWorkstation tcp AOL
> 1Aug2000 9:08:19 drop 1320 205.188.6.209 MYWorkstation tcp AOL
>
> Thanks for your time,
> Matt Ruehlen
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
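Both of Jason's explanations predict the same thing in the log: the dropped packets are return traffic from a server the workstation already has an accepted session to, aimed at that session's client port, i.e. packets the state table no longer (or never did) know about. The script below is an added example, not code from the thread or from Check Point; it correlates drops against earlier accepts using the column layout of the quoted log and constructed sample lines (one extra drop from a made-up 10.0.0.9/http source is included to show what an uncorrelated drop looks like). The function names parse_line, correlate and report are hypothetical.

```python
"""Correlate firewall drops with previously accepted outbound sessions.

Added example (not from the original thread). Input lines use the layout
shown in the quoted log:
    DATE TIME ACTION Service Source Dest Protocol SourcePort
For an accept, Service is the destination service (AOL) and SourcePort the
client's ephemeral port. For a drop the logged packet travels the other
way, so Service holds the workstation's port and SourcePort the server's
service name. A drop whose source is a server we already accepted a session
to, and whose destination port is that session's client port, is return
traffic that fell out of the state table (asynchronous routing or a late
retransmission), rather than a genuinely new inbound connection attempt.
"""
from collections import namedtuple
from datetime import datetime

Entry = namedtuple("Entry", "when action service src dst proto sport")

# Constructed sample mirroring the format of the log snippet in the thread.
# The last line (10.0.0.9 / http) is made up to show an uncorrelated drop.
SAMPLE_LOG = """\
1Aug2000 8:33:20 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 8:33:22 accept AOL MYWorkstation 205.188.6.209 tcp 1320
1Aug2000 8:43:18 accept AOL MYWorkstation 152.163.244.93 tcp 1318
1Aug2000 8:43:18 drop 1318 152.163.244.93 MYWorkstation tcp AOL
1Aug2000 8:43:18 drop 1320 205.188.6.209 MYWorkstation tcp AOL
1Aug2000 8:43:30 drop 80 10.0.0.9 MYWorkstation tcp http
"""


def parse_line(line):
    """Split one log line into an Entry; the timestamp becomes a datetime."""
    date, time, action, service, src, dst, proto, sport = line.split()
    when = datetime.strptime(f"{date} {time}", "%d%b%Y %H:%M:%S")
    return Entry(when, action, service, src, dst, proto, sport)


def correlate(text):
    """Return (matched, unmatched).

    matched:   list of (drop_entry, accept_entry, seconds_since_accept)
               for drops that are replies to an accepted outbound session
    unmatched: drops with no accepted session behind them
    """
    accepted = {}  # (client, server, client_port) -> most recent accept
    matched, unmatched = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e.action == "accept":
            accepted[(e.src, e.dst, e.sport)] = e
        elif e.action == "drop":
            # Reversed direction: dst is our client, Service is its port.
            key = (e.dst, e.src, e.service)
            if key in accepted:
                a = accepted[key]
                matched.append((e, a, (e.when - a.when).total_seconds()))
            else:
                unmatched.append(e)
    return matched, unmatched


def report(text):
    """One human-readable line per drop, classified by correlation result."""
    matched, unmatched = correlate(text)
    lines = []
    for drop, acc, age in matched:
        lines.append(
            f"{drop.when:%H:%M:%S} drop {drop.src}->{drop.dst}:{drop.service} "
            f"is a reply to session accepted at {acc.when:%H:%M:%S} "
            f"({age:.0f}s earlier): state-table miss"
        )
    for drop in unmatched:
        lines.append(
            f"{drop.when:%H:%M:%S} drop {drop.src}->{drop.dst}:{drop.service} "
            f"has no accepted session: genuine inbound attempt"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it over a real export and the interesting number is the age column: drops a few seconds after the last accept point at asynchronous routing (the reply never passed the gateway that holds the state), while drops that cluster just past the configured TCP timeout point at a session that expired before the server's retransmission arrived.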