The balancer is Rainwall, and synchronization is properly configured
("old" style). Snooping shows normal behavior (all handshake packets are
received by all nodes, data packets are distributed per router,
round-robining). I think the new TCP analysis has a very short timeout.
--
Jack Coates, Rainfinity SE
t: 408-382-4860 m: 650-280-4376
Tim Cullen wrote:
>
> What does the sync.conf look like? If you tcpdump the interfaces, what shows
> up? This sounds like a balancer issue not keeping state between the two
> firewalls. What is the balancer? Rainfinity?
>
> -----Original Message-----
> From: Jack Coates [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 23, 2000 5:43 PM
> To: Lance Spitzner
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: [FW1] unknown established TCP packet
>
> I'll be interested to see what you find. We're getting these messages a
> lot of the time, even though our TCP synch process makes it nearly
> impossible for that scenario (ACK or SYN/ACK showing up without a
> preceding SYN) to happen. I suspect that it's looking at sequence number
> and throwing the error message if sequence numbers aren't neatly in
> order, because we usually see the error in mid data-stream after a VIP
> moves.
> --
> Jack Coates, Rainfinity SE
> t: 408-382-4860 m: 650-280-4376
>
> Lance Spitzner wrote:
> >
> > On Wed, 23 Aug 2000, WAN Admin wrote:
> >
> > > I am having trouble connecting to several HTTP and FTP sites. I've noticed
> > > in the logs that the connections are being dropped with the message "unknown
> > > established TCP packet".
> >
> > I believe this error is due to new state table functionality within
> > the firewall state table. CP may have changed how the state table works,
> > I need to do some testing to confirm.
> >
> > In versions prior to FW-1 4.1 SP2, a new entry could be added into the state
> > table using almost any packet (ACK, SYN/ACK, etc). As long as your rulebase
> > allowed the packet, the packet was accepted and an entry added to the state
> > table if needed.
> >
> > However, I believe with SP2, only a SYN packet can build a session in the
> > state table. That is why you are getting the error. There is most likely
> > no entry in the state table for the packet, even though the packet is a
> > non-SYN packet (indicating an ESTABLISHED connection).
> >
> > As I said, I need to do some testing this weekend to confirm this. If
> > this is true, I'll update my Whitepaper on FW-1 state table :)
> >
> > hope this helps ...
> >
> > lance
> >
> >
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
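Added example (not Check Point code, and not from any poster in this thread): a toy model of a state table shared by two firewall nodes behind a balancer, to make Lance's explanation concrete. With the older behaviour any rulebase-allowed packet creates a state entry; with "only SYN builds state" a mid-stream ACK that reaches a node with no entry is dropped and logged with the "unknown established TCP packet" text quoted in the thread, and synchronising the table to the second node before the data packet arrives makes it pass. The table layout, rulebase shape, sync_to() call, addresses and ports are all assumptions made for illustration; Jack's sequence-number hypothesis is not modelled.

```python
"""Toy stateful-inspection model for the FW-1 "unknown established TCP packet"
discussion. Illustrative only: the state-table layout, rulebase, sync_to() and
all addresses below are constructed for the example."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

UNKNOWN_ESTABLISHED = "unknown established TCP packet"  # log text from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


ConnKey = Tuple[str, int, str, int]


def conn_key(p: Packet) -> ConnKey:
    """Direction-independent key, so the SYN/ACK reply finds the entry the SYN made."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return lo + hi


class Firewall:
    def __init__(self, name: str, syn_only: bool, rulebase: List[Tuple[str, int]]):
        self.name = name
        self.syn_only = syn_only      # True: only an initial SYN may create state
        self.rulebase = rulebase      # assumed shape: allowed (dst, dport) pairs
        self.table: Dict[ConnKey, str] = {}
        self.log: List[str] = []

    def allowed_by_rulebase(self, p: Packet) -> bool:
        return (p.dst, p.dport) in self.rulebase

    def inspect(self, p: Packet) -> str:
        k = conn_key(p)
        if k in self.table:
            return "accept"           # known connection, pass without rulebase lookup
        if self.syn_only and not (p.syn and not p.ack):
            # No entry and this is not an initial SYN: the SP2-style drop.
            self.log.append(f"{self.name}: {UNKNOWN_ESTABLISHED} "
                            f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "drop"
        if not self.allowed_by_rulebase(p):
            self.log.append(f"{self.name}: rulebase drop {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "drop"
        self.table[k] = "established"  # older behaviour: any allowed packet builds state
        return "accept"

    def sync_to(self, other: "Firewall") -> None:
        """Assumed state-sync primitive: copy this node's entries to the peer."""
        other.table.update(self.table)


def run_scenario(syn_only: bool, state_sync: bool) -> Tuple[List[str], List[str]]:
    """Handshake hits fw1 only; the balancer steers the first data packet to fw2.
    Returns the three verdicts and fw2's log lines. (Constructed scenario.)"""
    rules = [("203.0.113.10", 80)]
    fw1 = Firewall("fw1", syn_only, rules)
    fw2 = Firewall("fw2", syn_only, rules)
    client, server = ("10.1.1.5", 4000), ("203.0.113.10", 80)
    syn = Packet(*client, *server, syn=True)
    synack = Packet(*server, *client, syn=True, ack=True)
    data = Packet(*client, *server, ack=True)

    verdicts = [fw1.inspect(syn), fw1.inspect(synack)]
    if state_sync:
        fw1.sync_to(fw2)              # table replicated before the data packet lands
    verdicts.append(fw2.inspect(data))
    return verdicts, fw2.log


if __name__ == "__main__":
    for syn_only, sync in [(False, False), (True, False), (True, True)]:
        v, log = run_scenario(syn_only, sync)
        print(f"syn_only={syn_only} sync={sync}: {v} {log}")
```

Run as-is, the legacy mode accepts the stray data packet and silently creates state on fw2, the SYN-only mode drops it with the "unknown established" line, and the SYN-only mode with sync accepts it; checking the same thing against a real pair means confirming in tcpdump on the second node that a non-SYN packet arrived before any table entry for that flow existed there.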