Re: [FW1] unkown established TCP packet

Wed, 23 Aug 2000 14:51:15 -0700 


I'll be interested to see what you find. We're getting these messages a
lot of the time, even though our TCP synch process makes it nearly
impossible for that scenario (ACK or SYN/ACK showing up without a
preceding SYN) to happen. I suspect that it's looking at sequence number
and throwing the error message if sequence numbers aren't neatly in
order, because we usually see the error in mid data-stream after a VIP
moves.
-- 
Jack Coates, Rainfinity SE
t: 408-382-4860 m: 650-280-4376

Lance Spitzner wrote:
> 
> On Wed, 23 Aug 2000, WAN Admin wrote:
> 
> > I am having trouble connecting to several HTTP and FTP sites. I've noticed
> > in the logs that the connections are being dropped with the message "unknown
> > established TCP packet".
> 
> I believe this error is due to new state table functionality within
> the firewall state table.  CP may have changed how the state table works,
> I need to do some testintg to confirm.
> 
> In versions prior to FW-1 4.1 SP2, a new entry could be added into the state
> table using almost any packet (ACK, SYN/ACK, etc).  As long as your rulebase
> allowed the packet, the packet was accepted and an entry added to the state
> table if needed.
> 
> However, I believe with SP2, only a SYN packet can build a session in the
> state table.  THat is why you are getting the error.  There is most likely
> no entry in the state table for the packet, even though the packet is a
> non-SYN packet (indicating an ESTABLISHED connection).
> 
> As I said, I need to do some testing this weekend to confirm this.  If
> this is true, I'll update my Whitepaper on FW-1 state table :)
> 
> hope this helps ...
> 
> lance
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Reply via email to