Hi Darren,

> Which Solaris 10 Update are you using?

We're using Solaris 10 update 10.

> Not as such.
> What should happen is that the first SYN packet should prompt ipfilter to
> discard the old state information quickly and in addition, drop that packet.
> When the SYN gets retransmitted, state should get created.

In most cases, this seems to happen. But there were a few cases where we saw the SYN packet get transmitted several times by the Linux client over a period of several minutes (e.g., 30 minutes) and the TCP connection would not set up until we disabled the firewall service and then things proceeded normally. Unfortunately we didn't dump the TCP state tables before we shut down the ipfilter service.

Once we get a test environment and can replicate this on it, we'll try dumping the TCP state tables as well as logging rejected packets to try and get more information.

Is there anything else we should gather in our diagnosis?

Thanks a lot,
--Kevin
