Re: Checkpoint rule 0 "unknown est. tcp connection" drops

[Andrew Huffer <Andrew.Huffer () tellabs com>]

black:

You did not mention what version of IPSO you are running.  Perhaps you
might want to check out Nokia Resolution #5034.  There is an issue running
FW-1 SP4 and IPSO 3.3 or 3.4 in conjunction with Flows enabled.  When
packets move via Flows, FW-1 doesn't reset the timer value in the
connections table.  There is a hotfix for this.

The only other time that I have had this problem is when running two
Nokias in parallel with VRRP.  The state syncronization update that FW-1
provides is not fast enough to do asynchronous routing.  If the first
firewall controls the outbound route, and the second controls the inbound
route, FW-1's state syncronization isn't fast enough to update the second
firewall of the connection.  So, when a return packet comes back through,
the second firewall doesn't see that connection in the table and
consequently drops it as an unknown established packet.

Basically I couldn't do asynchronous routing and am forced to have one
firewall waiting for the first to croak before actually handling any
traffic.

/ahuffer/

Andrew Huffer           <==>    Andrew.Huffer () tellabs com
Systems Security, GIS   <==>    Tellabs Operations, Inc.

On Tue, 7 Aug 2001 black () galaxy silvren com wrote:

==>Preamble:
==>
==>I checked phoneboy's site and also checkpoint, the only solution was to
==>simply disable the syn rulebase matching, which I eventually did and it
==>did in fact take care of the problem. However, I think that the syn
==>rulebase matching in general is seriously broken.
==>
==>Here are the details:
==>
==>In Checkpoint 4.1 they implement the syn rulebase match -- basically
==>meaning that the firewall will only pass TCP traffic after it's seen a
==>full syn->ack handshake.
==>
==>Right after I installed my firewall, I started seeing tons of rule 0 drops
==>in the logs, with the given info being "reason: unknown established TCP
==>packet"
==>
==>I thought "okay, this is normal, after a few minutes these messages should
==>go away as these old connections time out and new ones are established
==>through the firewall." The problem should basically take care of itself.
==>
==>Well, it didn't. I let it go for a full day and had just as many rule 0
==>drops when I first put the firewall in as I did 24 hours later. I know
==>that Checkpoint has a TCP session timeout which will remove a connection
==>from the state table if it's idle for longer than the timeout. I set the
==>timeout to 3600s.
==>
==>Users were complaining that interactive telnet sessions were dropping. I
==>also saw SMTP traffic being dropped because Checkpoint thought it was an
==>"unknown established." Since when does an SMTP connection go idle for an
==>hour?
==>
==>Obviously, something is not behaving as it should (interactive telnets
==>and SMTP should not be getting dropped due to timeouts). Does anybody else
==>use the syn rulebase matching, or do you have it disabled? Did you
==>encounter this problem? The only solution I found was to turn syn rulebase
==>matching off entirely.
==>
==>Checkpoint 4.1/SP4 running on the Nokia IP650 platform.
==>
==>Any information would be most beneficial.
==>
==>
==>
==>
==>_______________________________________________
==>firewall-wizards mailing list
==>firewall-wizards () nfr com
==>http://list.nfr.com/mailman/listinfo/firewall-wizards
==>

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards