On Wed, 23 Aug 2000, WAN Admin wrote:
> I am having trouble connecting to several HTTP and FTP sites. I've noticed
> in the logs that the connections are being dropped with the message "unknown
> established TCP packet".

I believe this error is due to new state table functionality within
the firewall state table. CP may have changed how the state table works;
I need to do some testing to confirm.

In versions prior to FW-1 4.1 SP2, a new entry could be added into the state
table using almost any packet (ACK, SYN/ACK, etc). As long as your rulebase
allowed the packet, the packet was accepted and an entry added to the state
table if needed.

However, I believe with SP2, only a SYN packet can build a session in the
state table. That is why you are getting the error. There is most likely
no entry in the state table for the packet, even though the packet is a
non-SYN packet (indicating an ESTABLISHED connection).

As I said, I need to do some testing this weekend to confirm this. If
this is true, I'll update my Whitepaper on FW-1 state table :)

hope this helps ...

lance
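
The two state-table behaviours described in the reply above, as an added toy model that is not part of the original post and is not Check Point code. The class and function names, the port list and the sample addresses are assumptions made for illustration; only the log text comes from the thread.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10                       # TCP flag bits
LOG_MSG = "unknown established TCP packet"  # log text quoted in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def conn_key(p):
    # Direction-independent key, so replies match the opener's entry.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class StateTable:
    """Hypothetical model. syn_only=False mimics the pre-SP2 behaviour the
    post describes; syn_only=True mimics the behaviour it suspects in SP2."""

    def __init__(self, syn_only, allowed_dports):
        self.syn_only = syn_only
        self.allowed_dports = set(allowed_dports)  # stand-in for the rulebase
        self.entries = set()

    def process(self, p):
        key = conn_key(p)
        if key in self.entries:
            return "accept (existing entry)"
        initial_syn = bool(p.flags & SYN) and not (p.flags & ACK)
        if self.syn_only and not initial_syn:
            # Non-SYN packet with no matching entry: the case from the logs.
            return "drop: " + LOG_MSG
        if p.dport not in self.allowed_dports:
            return "drop: rulebase"
        self.entries.add(key)
        return "accept (new entry)"


# Constructed sample traffic: one HTTP connection through the firewall.
syn = Packet("10.0.0.5", 40000, "192.0.2.10", 80, SYN)
synack = Packet("192.0.2.10", 80, "10.0.0.5", 40000, SYN | ACK)
midstream_ack = Packet("10.0.0.5", 40000, "192.0.2.10", 80, ACK)
```

Feeding `midstream_ack` to a fresh table in each mode shows the difference: the lenient table builds an entry from it, while the SYN-only table drops it with the logged message until the connection has been opened with a SYN.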