Re: [FW-1] LinkProof, FW-1, and "unknown established TCP packet"s on SMTP
We have (happily) used LinkProofs for almost a year without any SMTP issues. Our mail server has a static NAT address for each T1 and we map URLs to local IP so that inbound and outbound traffic is balanced. When first installed SMTP worked with 2.16(?) but in order for our VPNs to work we had to use the No NAT feature found in 3.11 and higher. We are currently running 3.30.03.

One difference from your setup is that we have private addressing on the internal servers. If your config has an actual address of 1.1.1.1 and you have it NATed to 1.1.1.1 on original ISP and 2.2.2.2 on new ISP then I am not sure what will happen.

How long is your client aging time for SMTP? If the response comes back after the LP has cleared the connection it will pass the packet through without un-NATing it and that could cause these messages.

Can you provide a layout of the IP subnets around the LP and server (using sample addresses) as well as NAT info?

--- "Peter G. Viscarola" <[email protected]> wrote:

> IP330 with FW-1 V4.1, SP5.
>
> For months we've been running this FW1 between a T1 and our DMZ, which has a
> mail and a list server on it. It's been running fine.
>
> Yesterday, we added another T1 (from a different ISP) and a LinkProof box
> (by RadWare) to load balance both incoming and outgoing traffic between the
> two T1s. (The LinkProof box also NATs traffic from the new ISP's network
> address to the original ISPs network address, and sends it off to the FW1
> who then dutifully sends it on to our DMZ). Our web server is working fine
> in this new configuration.
>
> Unfortunately, we're getting problems with SMTP packets, both incoming and
> outgoing, on both our mail and exchange server. The problem is that many
> SMTP packets are dropped with "unknown established TCP packets".
>
> Many mail requests succeed. About 20 a minute fail. The problem is not
> confined to specific remote IP address, or outbound T1. We're seeing errors
> for both incoming and outgoing mail.
>
> The folks who make the LinkProof are stumped, at least so far.
>
> Anybody have any ideas? Seen this before? Lacking that, anybody actually
> using a LinkProof to loadBalance SMTP traffic outside a firewall-1?
>
> Thanks,
>
> Peter
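The aging hypothesis raised in the reply above, as a small model added here for illustration (it is not part of the thread and is not LinkProof or FireWall-1 code). It reuses the reply's sample addresses 1.1.1.1 and 2.2.2.2; the remote address, ports, timers and all class and function names are constructed assumptions.

```python
# Model of the reply's hypothesis: a NAT entry that ages out before the answer
# arrives lets the packet through un-translated, and the stateful firewall then
# cannot match it to a connection. Addresses, ports and timers are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "A" = ACK (belongs to an established flow)

class NatBalancer:
    """Source-NATs outbound flows and un-NATs replies while the entry is live."""
    def __init__(self, inside_ip, outside_ip, aging_s):
        self.inside_ip, self.outside_ip, self.aging_s = inside_ip, outside_ip, aging_s
        self.table = {}  # (remote ip, remote port, local port) -> last seen

    def outbound(self, pkt, now):
        self.table[(pkt.dst, pkt.dport, pkt.sport)] = now
        return Packet(self.outside_ip, pkt.sport, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt, now):
        key = (pkt.src, pkt.sport, pkt.dport)
        seen = self.table.get(key)
        if seen is not None and now - seen <= self.aging_s:
            self.table[key] = now
            return Packet(pkt.src, pkt.sport, self.inside_ip, pkt.dport, pkt.flags)
        self.table.pop(key, None)
        return pkt  # entry aged out: forwarded without un-NATing

class StatefulFirewall:
    def __init__(self):
        self.conns = set()  # (local ip, local port, remote ip, remote port)

    def outbound(self, pkt):
        self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "accept"
        if pkt.flags == "S":
            return "rule base lookup"  # a new connection, not modelled here
        return "drop: unknown established TCP packet"

def reply_verdict(aging_s, reply_delay_s):
    """Mail server opens an SMTP session; the remote MTA answers after a delay."""
    fw, lp = StatefulFirewall(), NatBalancer("1.1.1.1", "2.2.2.2", aging_s)
    syn = Packet("1.1.1.1", 40000, "203.0.113.25", 25, "S")
    on_wire = lp.outbound(fw.outbound(syn), now=0)
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport, "A")
    return fw.inbound(lp.inbound(reply, now=reply_delay_s))
```

With a 60-second aging time, `reply_verdict(60, 5)` is accepted while `reply_verdict(60, 300)` is dropped, which is why comparing the balancer's aging time against the firewall's TCP session timeout is a useful first check.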