Re: Checkpoint rule 0 "unknown est. tcp connection" drops

[<black () galaxy silvren com>]

I applied the hotfix, it took care of the problem. Thanks for the help!
Since I thought it was a checkpoint problem, I did not bother to look on
Nokia's site. I am in fact running IPSO 3.4, I recently upgraded.

On a side note, BOTH of the firewalls (set up in a redundant fashion using
VRRP) crashed and rebooted within 10 minutes of coming up with the hotfix
applied. If anyone else is thinking of applying this without scheduling
downtime, I would be very careful and apply the hotfix at least 30 minutes
apart, so that if one of the firewalls decides to reboot you don't get
caught with your pants down.

After the crash, it's been stable... so far... and no more drops!

Again, thanks for the help!

On Wed, 8 Aug 2001, Andrew Huffer wrote:

> black:
>
> You did not mention what version of IPSO you are running.  Perhaps you
> might want to check out Nokia Resolution #5034.  There is an issue running
> FW-1 SP4 and IPSO 3.3 or 3.4 in conjunction with Flows enabled.  When
> packets move via Flows, FW-1 doesn't reset the timer value in the
> connections table.  There is a hotfix for this.
>
> The only other time that I have had this problem is when running two
> Nokias in parallel with VRRP.  The state syncronization update that FW-1
> provides is not fast enough to do asynchronous routing.  If the first
> firewall controls the outbound route, and the second controls the inbound
> route, FW-1's state syncronization isn't fast enough to update the second
> firewall of the connection.  So, when a return packet comes back through,
> the second firewall doesn't see that connection in the table and
> consequently drops it as an unknown established packet.
>
> Basically I couldn't do asynchronous routing and am forced to have one
> firewall waiting for the first to croak before actually handling any
> traffic.
>
> /ahuffer/
>
> Andrew Huffer         <==>    Andrew.Huffer () tellabs com
> Systems Security, GIS <==>    Tellabs Operations, Inc.
>
> On Tue, 7 Aug 2001 black () galaxy silvren com wrote:
>
> ==>Preamble:
> ==>
> ==>I checked phoneboy's site and also checkpoint, the only solution was to
> ==>simply disable the syn rulebase matching, which I eventually did and it
> ==>did in fact take care of the problem. However, I think that the syn
> ==>rulebase matching in general is seriously broken.
> ==>
> ==>Here are the details:
> ==>
> ==>In Checkpoint 4.1 they implement the syn rulebase match -- basically
> ==>meaning that the firewall will only pass TCP traffic after it's seen a
> ==>full syn->ack handshake.
> ==>
> ==>Right after I installed my firewall, I started seeing tons of rule 0 drops
> ==>in the logs, with the given info being "reason: unknown established TCP
> ==>packet"
> ==>
> ==>I thought "okay, this is normal, after a few minutes these messages should
> ==>go away as these old connections time out and new ones are established
> ==>through the firewall." The problem should basically take care of itself.
> ==>
> ==>Well, it didn't. I let it go for a full day and had just as many rule 0
> ==>drops when I first put the firewall in as I did 24 hours later. I know
> ==>that Checkpoint has a TCP session timeout which will remove a connection
> ==>from the state table if it's idle for longer than the timeout. I set the
> ==>timeout to 3600s.
> ==>
> ==>Users were complaining that interactive telnet sessions were dropping. I
> ==>also saw SMTP traffic being dropped because Checkpoint thought it was an
> ==>"unknown established." Since when does an SMTP connection go idle for an
> ==>hour?
> ==>
> ==>Obviously, something is not behaving as it should (interactive telnets
> ==>and SMTP should not be getting dropped due to timeouts). Does anybody else
> ==>use the syn rulebase matching, or do you have it disabled? Did you
> ==>encounter this problem? The only solution I found was to turn syn rulebase
> ==>matching off entirely.
> ==>
> ==>Checkpoint 4.1/SP4 running on the Nokia IP650 platform.
> ==>
> ==>Any information would be most beneficial.
> ==>
> ==>
> ==>
> ==>
> ==>_______________________________________________
> ==>firewall-wizards mailing list
> ==>firewall-wizards () nfr com
> ==>http://list.nfr.com/mailman/listinfo/firewall-wizards
> ==>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards