Firewall Wizards mailing list archives

Re: FW: Web server route lost


From: Matt Dunn <matt () electrocentric com>
Date: Wed, 25 Aug 1999 01:17:16 -0400

Those of you more knowledgeable about FW-1 on NT can feel free to correct
me, but the first thing I'd check is the NIC and the associated drivers.
The fact that you couldn't ping that network from the firewall machine
shouldn't have anything to do with FW-1, unless it's blocking local source
packets, which I've never seen it do (in my admittedly limited experience).
I have, however, seen NT (and other i386 based operating systems)
inexplicably drop a network interface and give no indication that it has
done so aside from the errors that are caused by its absence.

Some questions to ask yourself:
Have any changes been made to the hardware/drivers recently?
Have any Service Packs or other system/hardware patches been done recently?

If someone else has an idea of why FW-1 might be causing this, I'd defer to
that advice first, since it's generally easier to play with application
settings than it is to grab a screwdriver for a production machine, but
given the information I have, that'd be my course of action.

Hope this helps,

-Matt

At 08:58 AM 08/24/1999 -0500, you wrote:
I'm running FW-1, ver 3.0b, on an NT platform, using 5 interface cards - 1
internal, 1 Internet, 1 "web DMZ" that has 3 web servers, and 2 private
"client DMZs".  The firewall is doing NAT.  All incoming traffic to the
legal addresses of our web servers (216.60.18.nn) are translated to the
corresponding illegal address on the web DMZ (192.160.0.nn).  The firewalled
gateway's internal routing table has static routes to each of these
translated addresses.

Yesterday, something was causing the firewall's route to our primary web
server to be lost.  All http traffic destined to this web server, while the
firewall accepted it, was lost.  Even though the firewall's routing table
looked ok, I couldn't even ping the web server's internal IP from the
firewall, or from any PC which had to go through the firewall to get to the
web server.  The only PCs that could access the web server (ping or http)
were those on the same web DMZ segment.  I stopped and started the FW-1
service, and we rebooted the web server, but with no result.  Finally, I
rebooted the firewall and, voila, the route came back.  This happened 3
times during the day.  Each time, the fix was the same - reboot the
firewall.

Checking the firewall's logs, the only thing I could find that remotely
indicated any problem was some "SYN/ACK - RST" entries immediately preceding
the problem.  The source of these entries were 3 different sites.  I
contacted the first site's administrator and they are checking their proxy
logs to locate the source.  However, at this point, I'm not certain the
failed SYN acknowledgments (potential SYN flooding) were the cause of the
problem.  Our firewall logs potential SYN flooding attacks daily, but has
never lost a route until yesterday.  The firewall's SYNDefender policy
method is "Passive SYN Gateway"; the Timeout value is 50 seconds, and the
Maximum Session is set for 5000.

If anyone has encountered this problem before, or has any ideas what caused
the problem and how to fix it, I'd appreciate your help.

Thanks!

Gary Lee
Phone: 918/588-6262
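The quoted report ties the outages to "SYN/ACK - RST" log entries from a few sources and gives the SYNDefender settings (Passive SYN Gateway, 50-second timeout, 5000 maximum sessions). The script below is an added triage example, not code from either poster: it counts those entries per source in the minutes before an outage and estimates the peak number of half-open connections SYNDefender would have been tracking, so the 5000-session ceiling can be compared against what the logs actually show. The log line layout, the sample entries (RFC 5737 documentation addresses) and the simplified model of the Passive SYN Gateway table (each "SYN/ACK - RST" entry marks a half-open connection that occupied a slot for the preceding timeout interval) are all assumptions made for the example, not FW-1's real export format.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed layout: date time src dst action).
# This is NOT FW-1's real log export format; it only mirrors the fields
# the thread discusses. Timestamps lead up to an outage at 08:33:00.
SAMPLE_LOG = """\
1999-08-24 08:31:10 203.0.113.7 216.60.18.10 SYN/ACK - RST
1999-08-24 08:31:12 203.0.113.7 216.60.18.10 SYN/ACK - RST
1999-08-24 08:31:15 198.51.100.22 216.60.18.10 SYN/ACK - RST
1999-08-24 08:31:40 203.0.113.7 216.60.18.10 SYN/ACK - RST
1999-08-24 08:32:05 203.0.113.9 216.60.18.11 accept
1999-08-24 08:32:30 192.0.2.44 216.60.18.10 SYN/ACK - RST
1999-08-24 08:33:00 192.0.2.8 216.60.18.10 accept
"""

# Values quoted in the original report.
SYN_TIMEOUT = timedelta(seconds=50)
MAX_SESSIONS = 5000
RST_ACTION = "SYN/ACK - RST"


def parse_log(text):
    """Parse the constructed log into (timestamp, src, dst, action) tuples, sorted by time."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, action = line.split(maxsplit=4)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        entries.append((ts, src, dst, action))
    entries.sort(key=lambda e: e[0])
    return entries


def rst_sources_before(entries, outage_ts, window):
    """Count SYN/ACK - RST entries per source address in the `window` before `outage_ts`."""
    counts = Counter()
    for ts, src, _dst, action in entries:
        if action == RST_ACTION and outage_ts - window <= ts <= outage_ts:
            counts[src] += 1
    return counts


def peak_half_open(entries, timeout):
    """Estimate the peak number of concurrent half-open connections.

    Assumption (simplified Passive SYN Gateway model): each SYN/ACK - RST entry is
    written when the timeout expires, so that connection held a table slot for the
    `timeout` interval ending at the entry's timestamp. The peak concurrency is the
    largest number of such entries that fall inside any single `timeout` window.
    """
    window = deque()
    peak = 0
    for ts, _src, _dst, action in entries:
        if action != RST_ACTION:
            continue
        window.append(ts)
        # Drop entries whose slot had already expired before this one was written.
        while window and ts - window[0] >= timeout:
            window.popleft()
        peak = max(peak, len(window))
    return peak


def triage(text, outage_ts, lookback=timedelta(minutes=5)):
    """Summarise the evidence for a SYN-flood explanation of an outage."""
    entries = parse_log(text)
    sources = rst_sources_before(entries, outage_ts, lookback)
    peak = peak_half_open(entries, SYN_TIMEOUT)
    return {
        "rst_by_source": dict(sources),
        "peak_half_open": peak,
        "table_utilisation": peak / MAX_SESSIONS,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, datetime(1999, 8, 24, 8, 33, 0))
    for src, n in sorted(result["rst_by_source"].items(), key=lambda kv: -kv[1]):
        print(f"{src:15} {n} SYN/ACK - RST entries")
    print(f"peak half-open estimate: {result['peak_half_open']} "
          f"({result['table_utilisation']:.2%} of {MAX_SESSIONS})")
```

If the peak estimate sits far below the configured maximum, as it does for this sample, the session table was not exhausted and the route loss is more plausibly the NIC or driver problem the reply suggests than a SYN flood; a peak near the ceiling is the point at which the SYNDefender settings deserve a closer look.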
