We saw similar error messages, namely "Invalid Packets Rejected", on otherwise legitimate incoming packets on a GB-1000 running version 3.4.0 when our ISP mistakenly set the packet MTU (Maximum Transmission Unit) size too small on our leased line routers.

While servers behind the GB-1000 firewall and remote workstations used the MTU discovery protocol on TCP session startup to find the smallest MTU packet size in the full intervening path, they worked as long as inbound tunnels did not have the "hidden source" option set. If the packets were destined to the GB-1000 itself, in the case of the email proxy or hidden inbound tunnels, the GB-1000 failed to look at the MTU size of the inbound packets to itself and instead replied with the standard Ethernet MTU size of its actual interface, and got the packets rejected by the leased line router.

So in your case the GB-1000 could be replying normally to inbound SMTP but gets some of its replies dropped due to MTU size. The sender doesn't see the reply and sends the packet again, which the GB-1000 then sees as unexpected!

If you're suffering a problem due to small MTU size, try setting an inbound tunnel to have its source address hidden. You should then see some remote clients using Linux or OSX have problems seeing that site, and the firewall will log other "Invalid or unexpected" errors for that inbound communication. The reason Linux and OSX will have problems is that the Unix TCP/IP stack is a lot stricter than Microsoft Windows. Also, if the problem is MTU size on your own leased line, a packet analyser should find ICMP reject packets indicating a problem with MTU size coming from your router going to the firewall.

This problem was reported to GTA and they acknowledged the problem. I believe it has been fixed in version 3.4.1, but of course we managed to get our ISP to correct the MTU packet size on their routers for our leased line, so it went away all by itself. So I can't confirm that.

Hope this helps
--
Andrew Gray
Linnet Solutions Ltd
UK

On Thu, 2004-02-26 at 13:13, Jason Sopko wrote:
> I am getting a lot of these error messages in my log files on an older
> GB-1000:
>
> Feb 26 07:58:54 orpheus id=firewall time="2004-02-26 07:58:54"
> fw="orpheus" pri=4 flt_type=default flt_action=block msg="Rejecting
> unexpected packet" proto=25/tcp src=62.90.145.131 srcport=3389
> dst=66.207.128.61 dstport=25 interface=fxp1 flags=0x4
>
> Feb 26 07:58:54 orpheus id=firewall time="2004-02-26 07:58:54"
> fw="orpheus" pri=4 flt_type=default flt_action=block msg="Rejecting
> unexpected packet" proto=25/tcp src=209.195.183.177.46 srcport=3389
> dst=66.207.128.62 dstport=25 interface=fxp1 flags=0x4
>
> Feb 26 07:58:57 orpheus id=firewall time="2004-02-26 07:58:57"
> fw="orpheus" pri=4 flt_type=default flt_action=block msg="Rejecting
> unexpected packet" proto=25/tcp src=69.6.77.186 srcport=47162
> dst=66.207.128.62 dstport=25 interface=fxp1 flags=0x4
>
> These are legitimate packets that are inbound destined for internal mail
> servers, and should be allowed into my network. I was first alerted to
> the problem yesterday, when I was told by another sysadmin that he
> couldn't send me email, as it was being returned to him after his mail
> server gave up trying to send it to my mail server.
>
> This prompted me to review my log files, and I noticed that this
> behavior was happening over the past year and a half. There are messages
> such as these in the logs since I've installed the firewall (was
> purchased used).
>
> I'm running GB-1000 Version: 3.3.4s. The firewall seems to be working
> fine otherwise, as other mail servers connect fine, as do my mail
> servers connect fine outbound. Other services are working fine, also,
> including ssh, http, https, imap, imaps, pop3, ftp, etc. Both inbound
> and outbound. So the problem appears to be sporadic, and not from any
> specific subnet/s.
>
> Is it possible that this firewall is starting to die? If anybody can
> shed some light as to what might be happening, I would appreciate it.
> Thanks in advance.
>
> ///Jason
>
> ------------------------------------------------------
> To unsubscribe: [EMAIL PROTECTED]
> For additional commands: [EMAIL PROTECTED]
> Archive: http://archives.gnatbox.com/gb-users/

Regards
Andrew Gray <[EMAIL PROTECTED]>
OpenPGP <www.linnetsol.co.uk/andyg.gpg>
Linnet Solutions Ltd
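
A triage sketch for the kind of log excerpt quoted in this thread, added here as an example (it is not part of either poster's message and not GTA tooling): it groups "Rejecting unexpected packet" entries by flow and reports flows rejected again within a short window, the pattern the reply attributes to a sender retransmitting after a dropped response. The function names, the 60-second window and the sample lines are assumptions made for illustration.

```python
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the key=value layout of the quoted log excerpt;
# addresses are RFC 5737 documentation ranges, not hosts from the thread.
SAMPLE_LOG = '''\
Feb 26 07:58:54 fw1 id=firewall time="2004-02-26 07:58:54" fw="fw1" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=192.0.2.10 srcport=40001 dst=198.51.100.61 dstport=25 interface=fxp1 flags=0x4
Feb 26 07:58:57 fw1 id=firewall time="2004-02-26 07:58:57" fw="fw1" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=192.0.2.77 srcport=47162 dst=198.51.100.62 dstport=25 interface=fxp1 flags=0x4
Feb 26 07:58:57 fw1 id=firewall time="2004-02-26 07:58:57" fw="fw1" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=192.0.2.10 srcport=40001 dst=198.51.100.61 dstport=25 interface=fxp1 flags=0x4
Feb 26 07:59:03 fw1 id=firewall time="2004-02-26 07:59:03" fw="fw1" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=192.0.2.10 srcport=40001 dst=198.51.100.61 dstport=25 interface=fxp1 flags=0x4
Feb 26 07:59:10 fw1 id=firewall time="2004-02-26 07:59:10" fw="fw1" pri=4 flt_type=default flt_action=block msg="Rejecting unexp
Feb 26 08:30:00 fw1 id=firewall time="2004-02-26 08:30:00" fw="fw1" pri=4 flt_type=default flt_action=block msg="Rejecting unexpected packet" proto=25/tcp src=192.0.2.10 srcport=40001 dst=198.51.100.61 dstport=25 interface=fxp1 flags=0x4
'''

def parse_line(line):
    """Return the key=value fields of one firewall log line, or None."""
    try:
        tokens = shlex.split(line)   # keeps quoted values such as msg="..." whole
    except ValueError:               # unbalanced quote, e.g. a truncated line
        return None
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return fields if fields.get("id") == "firewall" else None

def repeated_rejects(log_text, window_s=60):
    """Map each flow (src, srcport, dst, dstport) to the number of rejects
    that followed an earlier reject of the same flow within window_s seconds."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("msg") != "Rejecting unexpected packet":
            continue
        try:
            ts = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S")
            key = (f["src"], f["srcport"], f["dst"], f["dstport"])
        except (KeyError, ValueError):   # missing field or bad timestamp
            continue
        flows[key].append(ts)
    result = {}
    for key, stamps in flows.items():
        stamps.sort()
        repeats = sum(1 for a, b in zip(stamps, stamps[1:])
                      if (b - a).total_seconds() <= window_s)
        if repeats:
            result[key] = repeats
    return result

if __name__ == "__main__":
    for flow, n in repeated_rejects(SAMPLE_LOG).items():
        print(flow, "repeated rejects:", n)
```

Flows that show up here are the ones worth correlating with a packet capture on the leased-line side, where the reply suggests looking for ICMP messages about MTU size.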
