What does the sync.conf look like? If you tcpdump the interfaces what shows
up? This sounds like a balancer issue not keeping state between the two
firewalls. What is the balancer? Rainfinity?
-----Original Message-----
From: Jack Coates [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 23, 2000 5:43 PM
To: Lance Spitzner
Cc: '[EMAIL PROTECTED]'
Subject: Re: [FW1] unkown established TCP packet
I'll be interested to see what you find. We're getting these messages a
lot of the time, even though our TCP synch process makes it nearly
impossible for that scenario (ACK or SYN/ACK showing up without a
preceding SYN) to happen. I suspect that it's looking at sequence number
and throwing the error message if sequence numbers aren't neatly in
order, because we usually see the error in mid data-stream after a VIP
moves.
--
Jack Coates, Rainfinity SE
t: 408-382-4860 m: 650-280-4376
Lance Spitzner wrote:
>
> On Wed, 23 Aug 2000, WAN Admin wrote:
>
> > I am having trouble connecting to several HTTP and FTP sites. I've noticed
> > in the logs that the connections are being dropped with the message "unknown
> > established TCP packet".
>
> I believe this error is due to new state table functionality within
> the firewall state table. CP may have changed how the state table works,
> I need to do some testing to confirm.
>
> In versions prior to FW-1 4.1 SP2, a new entry could be added into the state
> table using almost any packet (ACK, SYN/ACK, etc). As long as your rulebase
> allowed the packet, the packet was accepted and an entry added to the state
> table if needed.
>
> However, I believe with SP2, only a SYN packet can build a session in the
> state table. That is why you are getting the error. There is most likely
> no entry in the state table for the packet, even though the packet is a
> non-SYN packet (indicating an ESTABLISHED connection).
>
> As I said, I need to do some testing this weekend to confirm this. If
> this is true, I'll update my Whitepaper on FW-1 state table :)
>
> hope this helps ...
>
> lance
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
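Added example (not code from the thread, Check Point, or Rainfinity): a toy model of the two state-table behaviours Lance describes, "legacy" (any packet the rulebase allows builds an entry) and "syn_only" (only a SYN builds one, and a non-SYN packet with no entry is dropped and logged as "unknown established TCP packet"), replayed over the scenario the first two replies suspect: a handshake that traverses one firewall, then a VIP move that steers the same flow through a second firewall which never saw the SYN. The `replicate_state` helper stands in for state synchronisation between the two members. All addresses, ports, rule and policy names are constructed for illustration; the model follows the thread's description, which Lance himself says he still needs to test.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Flow key in the packet's own direction: (src, sport, dst, dport)
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}

    def key(self) -> FlowKey:
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> FlowKey:
        return (self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    dst: str
    dport: int
    action: str  # "accept" or "drop"


@dataclass
class Firewall:
    name: str
    rulebase: List[Rule]
    policy: str  # "legacy" (any allowed packet builds state) or "syn_only"
    state: Dict[FlowKey, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _rule_allows(self, p: Packet) -> bool:
        for r in self.rulebase:
            if r.dst == p.dst and r.dport == p.dport:
                return r.action == "accept"
        return False  # implicit drop when no rule matches

    def inspect(self, p: Packet) -> str:
        """Return 'accept' or 'drop' for one packet, updating state and log."""
        # An entry in either direction means the flow is known: pass it.
        if p.key() in self.state or p.reverse_key() in self.state:
            return "accept"
        is_syn = "SYN" in p.flags and "ACK" not in p.flags
        # Under syn_only a non-SYN packet cannot build a session; this is the
        # "unknown established TCP packet" case described in the thread.
        if self.policy == "syn_only" and not is_syn:
            self.log.append(f"{self.name}: drop {p.key()} unknown established TCP packet")
            return "drop"
        if not self._rule_allows(p):
            self.log.append(f"{self.name}: drop {p.key()} by rulebase")
            return "drop"
        self.state[p.key()] = "syn_seen" if is_syn else "established"
        return "accept"


def replicate_state(src: Firewall, dst: Firewall) -> None:
    """Stand-in for state synchronisation between cluster members (hypothetical)."""
    dst.state.update(src.state)


def failover_scenario(policy: str, sync: bool) -> Tuple[List[str], List[str]]:
    """Handshake through fw_a, then the next segment of the flow reaches fw_b.

    Returns (verdicts, fw_b.log). Addresses are constructed documentation values.
    """
    rules = [Rule("10.0.0.80", 80, "accept")]
    fw_a = Firewall("fw-a", rules, policy)
    fw_b = Firewall("fw-b", rules, policy)
    client, server = "192.0.2.10", "10.0.0.80"
    syn = Packet(client, 40000, server, 80, frozenset({"SYN"}))
    synack = Packet(server, 80, client, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet(client, 40000, server, 80, frozenset({"ACK"}))
    verdicts = [fw_a.inspect(syn), fw_a.inspect(synack), fw_a.inspect(ack)]
    if sync:
        replicate_state(fw_a, fw_b)
    # VIP moves: a mid-stream data segment of the same flow now traverses fw_b.
    data = Packet(client, 40000, server, 80, frozenset({"ACK"}))
    verdicts.append(fw_b.inspect(data))
    return verdicts, fw_b.log


if __name__ == "__main__":
    for policy in ("legacy", "syn_only"):
        for sync in (False, True):
            verdicts, log = failover_scenario(policy, sync)
            print(policy, "sync" if sync else "no-sync", verdicts, log)
```

Running the four combinations shows the point of the thread: under the "legacy" behaviour the second firewall quietly builds an entry from the mid-stream ACK, under "syn_only" it drops the packet with the log message from the original report, and replicating state before the VIP move makes the drop disappear. When reproducing this on real hardware, comparing a tcpdump on both firewall interfaces against the drop log (as the first reply suggests) is what distinguishes a missing SYN from a missing state-sync.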