Firewall Wizards mailing list archives
Re: Checkpoint rule 0 "unknown est. tcp connection" drops
From: Andrew Huffer <Andrew.Huffer () tellabs com>
Date: Wed, 8 Aug 2001 08:01:10 -0500 (CDT)
black:

You did not mention what version of IPSO you are running. Perhaps you might want to check out Nokia Resolution #5034. There is an issue running FW-1 SP4 and IPSO 3.3 or 3.4 in conjunction with Flows enabled. When packets move via Flows, FW-1 doesn't reset the timer value in the connections table. There is a hotfix for this.

The only other time that I have had this problem is when running two Nokias in parallel with VRRP. The state synchronization update that FW-1 provides is not fast enough to do asynchronous routing. If the first firewall controls the outbound route, and the second controls the inbound route, FW-1's state synchronization isn't fast enough to update the second firewall of the connection. So, when a return packet comes back through, the second firewall doesn't see that connection in the table and consequently drops it as an unknown established packet. Basically I couldn't do asynchronous routing and am forced to have one firewall waiting for the first to croak before actually handling any traffic.

/ahuffer/

Andrew Huffer <==> Andrew.Huffer () tellabs com
Systems Security, GIS <==> Tellabs Operations, Inc.

On Tue, 7 Aug 2001 black () galaxy silvren com wrote:

==>Preamble:
==>
==>I checked phoneboy's site and also checkpoint, the only solution was to
==>simply disable the syn rulebase matching, which I eventually did and it
==>did in fact take care of the problem. However, I think that the syn
==>rulebase matching in general is seriously broken.
==>
==>Here are the details:
==>
==>In Checkpoint 4.1 they implement the syn rulebase match -- basically
==>meaning that the firewall will only pass TCP traffic after it's seen a
==>full syn->ack handshake.
==>
==>Right after I installed my firewall, I started seeing tons of rule 0 drops
==>in the logs, with the given info being "reason: unknown established TCP
==>packet"
==>
==>I thought "okay, this is normal, after a few minutes these messages should
==>go away as these old connections time out and new ones are established
==>through the firewall." The problem should basically take care of itself.
==>
==>Well, it didn't. I let it go for a full day and had just as many rule 0
==>drops when I first put the firewall in as I did 24 hours later. I know
==>that Checkpoint has a TCP session timeout which will remove a connection
==>from the state table if it's idle for longer than the timeout. I set the
==>timeout to 3600s.
==>
==>Users were complaining that interactive telnet sessions were dropping. I
==>also saw SMTP traffic being dropped because Checkpoint thought it was an
==>"unknown established." Since when does an SMTP connection go idle for an
==>hour?
==>
==>Obviously, something is not behaving as it should (interactive telnets
==>and SMTP should not be getting dropped due to timeouts). Does anybody else
==>use the syn rulebase matching, or do you have it disabled? Did you
==>encounter this problem? The only solution I found was to turn syn rulebase
==>matching off entirely.
==>
==>Checkpoint 4.1/SP4 running on the Nokia IP650 platform.
==>
==>Any information would be most beneficial.
==>
==>_______________________________________________
==>firewall-wizards mailing list
==>firewall-wizards () nfr com
==>http://list.nfr.com/mailman/listinfo/firewall-wizards
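The following Python model is an added illustration for this archive page, not code from the thread or from Check Point or Nokia. It reproduces the three mechanisms the two messages describe so they can be stepped through: a TCP connection is admitted only on a SYN (black's "syn rulebase match"), any other TCP packet with no connections-table entry is dropped as an unknown established packet, idle entries age out after the TCP session timeout, and a second firewall learns of a connection only after a state-sync delay, which is what breaks the split-path (asymmetric) routing Andrew calls asynchronous routing. The `refresh_timer=False` switch stands in for the "timer value not reset" behaviour he attributes to Flows; it is a model of the symptom, not of the IPSO code path. Addresses, ports, timings and the verdict strings are the example's own assumptions.

```python
"""Toy stateful TCP inspector, constructed for this archive page (not FW-1 code).

Models the behaviour described in the thread: admit TCP only on a SYN, drop any
other TCP packet without a connections-table entry as "unknown established",
expire idle entries after tcp_timeout seconds, and let a peer firewall learn an
entry only when a state-sync update reaches it.
"""
from dataclasses import dataclass

UNKNOWN_EST = "drop: rule 0, unknown established TCP packet"  # assumed wording
CLIENT, SERVER = "10.0.0.5", "192.0.2.25"                      # constructed hosts


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float            # arrival time in seconds
    syn: bool = False
    ack: bool = True


class StatefulFirewall:
    def __init__(self, name, tcp_timeout=3600.0, refresh_timer=True):
        self.name = name
        self.tcp_timeout = tcp_timeout
        # refresh_timer=False models "the timer is not reset" on matching packets
        self.refresh_timer = refresh_timer
        self.conns = {}  # 4-tuple of the initiating SYN -> last-seen time

    @staticmethod
    def fwd(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def rev(p):
        return (p.dst, p.dport, p.src, p.sport)

    def expire(self, now):
        """Age out entries idle longer than the TCP session timeout."""
        for k, last in list(self.conns.items()):
            if now - last > self.tcp_timeout:
                del self.conns[k]

    def learn(self, key, t):
        """State-sync update from a peer firewall."""
        self.conns[key] = t

    def handle(self, p, rulebase_allows=True):
        self.expire(p.t)
        for k in (self.fwd(p), self.rev(p)):      # either direction matches
            if k in self.conns:
                if self.refresh_timer:
                    self.conns[k] = p.t
                return "accept"
        if p.syn and not p.ack:                   # new connection: consult rulebase
            if rulebase_allows:
                self.conns[self.fwd(p)] = p.t
                return "accept"
            return "drop: rulebase"
        return UNKNOWN_EST                        # no state and not a SYN


def _syn(t=0.0):
    return Packet(CLIENT, 40000, SERVER, 25, t=t, syn=True, ack=False)


def _synack(t):
    return Packet(SERVER, 25, CLIENT, 40000, t=t, syn=True, ack=True)


def asymmetric_scenario(sync_delay, rtt):
    """Outbound SYN through fw_a, SYN/ACK returning through fw_b."""
    fw_a, fw_b = StatefulFirewall("fw_a"), StatefulFirewall("fw_b")
    syn = _syn()
    fw_a.handle(syn)
    if sync_delay <= rtt:                         # sync beat the reply packet
        fw_b.learn(StatefulFirewall.fwd(syn), sync_delay)
    return fw_b.handle(_synack(rtt))


def symmetric_scenario(rtt):
    """Both directions through the same firewall: always has state."""
    fw = StatefulFirewall("fw")
    fw.handle(_syn())
    return fw.handle(_synack(rtt))


def idle_scenario(idle_seconds, tcp_timeout=3600.0):
    """A genuinely idle connection sends its next ACK after idle_seconds."""
    fw = StatefulFirewall("fw", tcp_timeout)
    fw.handle(_syn())
    return fw.handle(Packet(CLIENT, 40000, SERVER, 25, t=idle_seconds))


def busy_scenario(refresh_timer, tcp_timeout=3600.0, interval=60.0, duration=7200.0):
    """Packet every `interval` s; first non-accept verdict, or 'accept'."""
    fw = StatefulFirewall("fw", tcp_timeout, refresh_timer)
    fw.handle(_syn())
    t = interval
    while t <= duration:
        verdict = fw.handle(Packet(CLIENT, 40000, SERVER, 25, t=t))
        if verdict != "accept":
            return verdict
        t += interval
    return "accept"


if __name__ == "__main__":
    print("sync slower than RTT :", asymmetric_scenario(sync_delay=0.5, rtt=0.02))
    print("sync faster than RTT :", asymmetric_scenario(sync_delay=0.001, rtt=0.02))
    print("symmetric path       :", symmetric_scenario(rtt=0.02))
    print("idle 2h, timeout 1h  :", idle_scenario(7200))
    print("busy, timer refreshed:", busy_scenario(refresh_timer=True))
    print("busy, timer stuck    :", busy_scenario(refresh_timer=False))
```

The `busy_scenario` pair is the one that matches black's complaint: with the timer refreshed, a session that talks every minute never ages out, but with the timer stuck the same session is dropped shortly after the first hour even though it was never idle, which is why SMTP and interactive telnet turned up as "unknown established" drops with a 3600 s timeout.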
Current thread:
- Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Joseph Steinberg (Aug 06)
- Re: Re: Code Red: What security specialist don't mention inwarnings(Frank Knobbe) Paul Cardon (Aug 07)
- Checkpoint rule 0 "unknown est. tcp connection" drops black (Aug 07)
- Re: Checkpoint rule 0 "unknown est. tcp connection" drops Andrew Huffer (Aug 08)
- Re: Checkpoint rule 0 "unknown est. tcp connection" drops black (Aug 10)
- Re: Checkpoint rule 0 "unknown est. tcp connection" drops Lance Spitzner (Aug 10)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Darren Reed (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Marcus J. Ranum (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Damir Rajnovic (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Adam Shostack (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Darren Reed (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Adam Shostack (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Darren Reed (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Predrag Zivic (Aug 10)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Marcus J. Ranum (Aug 07)