Firewall Wizards mailing list archives
Re: Checkpoint rule 0 "unknown est. tcp connection" drops
From: <black () galaxy silvren com>
Date: Thu, 9 Aug 2001 10:23:46 -0400 (EDT)
I applied the hotfix, it took care of the problem. Thanks for the help! Since I thought it was a checkpoint problem, I did not bother to look on Nokia's site. I am in fact running IPSO 3.4, I recently upgraded. On a side note, BOTH of the firewalls (set up in a redundant fashion using VRRP) crashed and rebooted within 10 minutes of coming up with the hotfix applied. If anyone else is thinking of applying this without scheduling downtime, I would be very careful and apply the hotfix at least 30 minutes apart, so that if one of the firewalls decides to reboot you don't get caught with your pants down. After the crash, it's been stable... so far... and no more drops! Again, thanks for the help! On Wed, 8 Aug 2001, Andrew Huffer wrote:
black: You did not mention what version of IPSO you are running. Perhaps you might want to check out Nokia Resolution #5034. There is an issue running FW-1 SP4 and IPSO 3.3 or 3.4 in conjunction with Flows enabled. When packets move via Flows, FW-1 doesn't reset the timer value in the connections table. There is a hotfix for this. The only other time that I have had this problem is when running two Nokias in parallel with VRRP. The state syncronization update that FW-1 provides is not fast enough to do asynchronous routing. If the first firewall controls the outbound route, and the second controls the inbound route, FW-1's state syncronization isn't fast enough to update the second firewall of the connection. So, when a return packet comes back through, the second firewall doesn't see that connection in the table and consequently drops it as an unknown established packet. Basically I couldn't do asynchronous routing and am forced to have one firewall waiting for the first to croak before actually handling any traffic. /ahuffer/ Andrew Huffer <==> Andrew.Huffer () tellabs com Systems Security, GIS <==> Tellabs Operations, Inc. On Tue, 7 Aug 2001 black () galaxy silvren com wrote: ==>Preamble: ==> ==>I checked phoneboy's site and also checkpoint, the only solution was to ==>simply disable the syn rulebase matching, which I eventually did and it ==>did in fact take care of the problem. However, I think that the syn ==>rulebase matching in general is seriously broken. ==> ==>Here are the details: ==> ==>In Checkpoint 4.1 they implement the syn rulebase match -- basically ==>meaning that the firewall will only pass TCP traffic after it's seen a ==>full syn->ack handshake. ==> ==>Right after I installed my firewall, I started seeing tons of rule 0 drops ==>in the logs, with the given info being "reason: unknown established TCP ==>packet" ==> ==>I thought "okay, this is normal, after a few minutes these messages should ==>go away as these old connections time out and new ones are established ==>through the firewall." The problem should basically take care of itself. ==> ==>Well, it didn't. I let it go for a full day and had just as many rule 0 ==>drops when I first put the firewall in as I did 24 hours later. I know ==>that Checkpoint has a TCP session timeout which will remove a connection ==>from the state table if it's idle for longer than the timeout. I set the ==>timeout to 3600s. ==> ==>Users were complaining that interactive telnet sessions were dropping. I ==>also saw SMTP traffic being dropped because Checkpoint thought it was an ==>"unknown established." Since when does an SMTP connection go idle for an ==>hour? ==> ==>Obviously, something is not behaving as it should (interactive telnets ==>and SMTP should not be getting dropped due to timeouts). Does anybody else ==>use the syn rulebase matching, or do you have it disabled? Did you ==>encounter this problem? The only solution I found was to turn syn rulebase ==>matching off entirely. ==> ==>Checkpoint 4.1/SP4 running on the Nokia IP650 platform. ==> ==>Any information would be most beneficial. ==> ==> ==> ==> ==>_______________________________________________ ==>firewall-wizards mailing list ==>firewall-wizards () nfr com ==>http://list.nfr.com/mailman/listinfo/firewall-wizards ==> _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Joseph Steinberg (Aug 06)
- Re: Re: Code Red: What security specialist don't mention inwarnings(Frank Knobbe) Paul Cardon (Aug 07)
- Checkpoint rule 0 "unknown est. tcp connection" drops black (Aug 07)
- Re: Checkpoint rule 0 "unknown est. tcp connection" drops Andrew Huffer (Aug 08)
- Re: Checkpoint rule 0 "unknown est. tcp connection" drops black (Aug 10)
- Re: Checkpoint rule 0 "unknown est. tcp connection" drops Lance Spitzner (Aug 10)
- Checkpoint rule 0 "unknown est. tcp connection" drops black (Aug 07)
- Re: Re: Code Red: What security specialist don't mention inwarnings(Frank Knobbe) Paul Cardon (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Darren Reed (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Marcus J. Ranum (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Damir Rajnovic (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Adam Shostack (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Darren Reed (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Adam Shostack (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Darren Reed (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Predrag Zivic (Aug 10)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Adam Shostack (Aug 11)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Marcus J. Ranum (Aug 07)