Firewall Wizards mailing list archives
RE: Strange Pix behavior.
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 16 Jun 2005 14:43:43 -0400
> Hrm, that could explain why the other folks that have seen this problem
> have fixed it with a code upgrade, if the PIX is purging the table entry
> too soon.

I've seen this behavior in several different products at several different
code levels. I'm sure I've seen it on a single PIX 515E as recently as
6.3(1). I've also seen it on Check Point R55, NetScreen ScreenOS 3.x (can't
remember the exact dot-version), and iptables.

> The problem could be caused on UDP traffic with a session timer set too
> short. Come to think of it, that could also cause the TCP session errors.
> This assumes that these protocols have periods of time when there's no
> data being transferred. If the remote server is heavily loaded and not
> sending responses quickly, could that do it?

It could, but if it were a timeout issue, you'd expect to see it coming from
TCP protocols that have longer connection lives such as FTP or SSH. HTTP is,
for the most part, lots of connections in rapid succession transferring
relatively small quantities of data. Plus, I personally have never observed
this type of behavior involving UDP, only TCP.

> Although your explanation makes sense, it doesn't explain why this
> behavior is only observed on occasional firewalls, such as George's. It
> definitely sounds like state mismatch, but I still think it's possible the
> HA setup is part of the problem by causing delays in state table updating
> at the beginning of the session.

That could be a factor, though I don't think George specified whether or not
the PIXes are actually synchronizing state tables, only that they were in a
failover configuration. Also, as I mentioned before, I have observed this in
a variety of firewalls, many of which were standalone systems. I fear that
there is a much more likely and less technical explanation for why this
behavior is not observed more often - most people don't read their log
files, at least not in their raw entirety.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
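Paul's argument above is that a session timer set too short would show up on long-lived, intermittently idle TCP sessions (SSH, the FTP control channel) rather than on short HTTP connections. The following added example is not code from the post or from any Cisco, Check Point, NetScreen or iptables product; it is a toy connection tracker, written for this thread, that makes the mechanism concrete. It keeps one idle timer per protocol, tears down entries that exceed it, and refuses any mid-stream TCP segment that no longer matches an entry, which is the "no matching connection" symptom a too-short timer produces. The addresses, port numbers, timeout values and packet trace are all constructed, and the log wording is invented rather than copied from any firewall's syslog. The two timer settings compared are the PIX defaults of one hour for TCP and two minutes for UDP versus a deliberately short five-minute TCP timer.

```python
"""Connection-table simulation: how a too-short idle timeout makes a stateful
firewall drop packets in the middle of a valid session.

Added illustration for this thread, not code from the post or from any
firewall product. Addresses, ports, timers and the trace are constructed;
the log wording is invented and does not mimic PIX syslog."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FlowKey:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "FlowKey":
        return FlowKey(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Packet:
    t: float           # seconds since the start of the trace
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN: the only thing allowed to open TCP state

    def key(self) -> FlowKey:
        return FlowKey(self.proto, self.src, self.sport, self.dst, self.dport)


class ConnTable:
    """Stateful filter with one idle timer per protocol (no ACLs, no HA sync)."""

    def __init__(self, tcp_idle: float, udp_idle: float):
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}
        self.entries: Dict[FlowKey, float] = {}  # flow -> time of last packet
        self.log: List[str] = []

    def _expire(self, now: float) -> None:
        # A real firewall does this from a timer; per packet is equivalent here.
        for key, last_seen in list(self.entries.items()):
            if now - last_seen > self.idle[key.proto]:
                del self.entries[key]
                self.log.append(f"t={now:g} teardown {key} (idle timeout)")

    def process(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        self._expire(p.t)
        for key in (p.key(), p.key().reverse()):
            if key in self.entries:           # part of a known session
                self.entries[key] = p.t
                return True
        if p.proto == "udp" or p.syn:         # new session (UDP has no handshake)
            self.entries[p.key()] = p.t
            self.log.append(f"t={p.t:g} build {p.key()}")
            return True
        # Mid-stream TCP segment with no entry: the state was purged under it.
        self.log.append(f"t={p.t:g} deny {p.key()} (no matching connection)")
        return False


INSIDE, SSH_SRV, WEB_SRV, DNS_SRV = "10.0.0.5", "203.0.113.7", "203.0.113.8", "203.0.113.53"

# Constructed trace: an SSH session with a 15-minute pause, one short HTTP
# fetch, and one DNS lookup.
TRACE = [
    Packet(0.0,   "tcp", INSIDE, 40000, SSH_SRV, 22, syn=True),
    Packet(1.0,   "tcp", SSH_SRV, 22, INSIDE, 40000),
    Packet(2.0,   "tcp", INSIDE, 40000, SSH_SRV, 22),
    Packet(5.0,   "tcp", INSIDE, 40001, WEB_SRV, 80, syn=True),
    Packet(5.1,   "tcp", WEB_SRV, 80, INSIDE, 40001),
    Packet(5.2,   "tcp", INSIDE, 40001, WEB_SRV, 80),
    Packet(30.0,  "udp", INSIDE, 53000, DNS_SRV, 53),
    Packet(30.05, "udp", DNS_SRV, 53, INSIDE, 53000),
    Packet(900.0, "tcp", INSIDE, 40000, SSH_SRV, 22),  # user types again after the pause
    Packet(901.0, "tcp", SSH_SRV, 22, INSIDE, 40000),
]


def run_trace(tcp_idle: float, udp_idle: float, trace=TRACE) -> dict:
    """Replay the trace through a fresh table and report what was dropped."""
    table = ConnTable(tcp_idle, udp_idle)
    denied = [p for p in trace if not table.process(p)]
    return {"forwarded": len(trace) - len(denied), "denied": denied, "log": table.log}


if __name__ == "__main__":
    for tcp_idle in (3600.0, 300.0):   # PIX default conn timer vs. a short one
        result = run_trace(tcp_idle, udp_idle=120.0)
        print(f"tcp idle {tcp_idle:g}s: forwarded={result['forwarded']} "
              f"denied={len(result['denied'])}")
        for line in result["log"]:
            print("  " + line)
```

With the one-hour TCP timer every packet is forwarded; the only teardown is the DNS entry, which nothing needs afterwards. With the five-minute timer the SSH entry is purged during the pause, and both packets that follow it are refused as belonging to no connection, while the HTTP exchange, which completes within a fraction of a second, is never affected. That is the pattern Paul says a timeout bug should produce, and why seeing the errors on HTTP rather than SSH or FTP points away from the timers.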
Current thread:
- Strange Pix behavior. George J. Jahchan, Eng. (Jun 10)
- Re: Strange Pix behavior. Victor Williams (Jun 10)
- RE: Strange Pix behavior. Paul Melson (Jun 15)
- Re: Strange Pix behavior. Jim MacLeod (Jun 17)
- RE: Strange Pix behavior. Paul Melson (Jun 17)
- Re: Strange Pix behavior. Martin Mačok (Jun 18)
- Re: Strange Pix behavior. Jim MacLeod (Jun 17)
- <Possible follow-ups>
- Re: Strange Pix behavior. LazloCarreidas (Jun 13)
- Re: Strange Pix behavior. Jim MacLeod (Jun 17)
- RE: Strange Pix behavior. Paul Melson (Jun 17)