Re: [FW-1] AW: [FW-1] Syn for established connection
I already applied this solution, but I guess this is not the right solution for us, because the packets that are attempting to establish a connection are SYN packets, not non-SYN packets.

--- fw1mail <[email protected]> wrote:
> Hi!
>
> Perhaps this Check Point workaround is your solution!
>
> Bye
> Marco
>
> ************************************************************************
> What to do when receiving errors in Log Viewer: "th_flags ## message_info TCP packet out of state"
>
> Solution ID: skI4308
> Creation Date: 08/16/2001
> Revised Date: 11/30/2001
>
> Environment: Check Point NG, FireWall-1 NG, VPN-1 NG, Rule 0, Non SYN packet, Connections table, Kernel, TCP, Logging
>
> Symptoms:
> Error in Log Viewer: "th_flags ## message_info TCP packet out of state"
> Drop logs on rule 0
>
> Cause:
> This error means that VPN-1/FireWall-1 intercepted a non-SYN packet which does not have an entry in the FireWall's connections table. FireWall-1 will therefore drop the packet. This error is the equivalent of the VPN-1/FireWall-1 4.1 error message: "Unknown established TCP packet". In VPN-1/FireWall-1 NG the mechanism has been improved and the log may show more drops on rule 0 than were seen in FireWall-1 4.1. The error can be the result of several possible causes:
> 1. Dropping packets belonging to expired connections. Increasing the timeout of the related service can improve the situation.
> 2. Dropping packets after policy unload and load. In this case connections established when there is no policy are out of state, and cannot be matched to packets of already established connections.
> 3. Situations involving asymmetric routing, where all the TCP handshake packets were missed.
> 4. Direction enforcement for unidirectional connections, where packet flow is in the opposite direction to the connection direction.
> 5. TCP handshake direction enforcement, where some of the TCP handshake packets are in the wrong direction.
>
> Solution:
> To allow non-SYN packets which do not have state information in the connections table to be matched against the Rule Base:
>
> On FireWall-1 NG FP1 and above
> ========================
> Using dbedit, edit the following property to "1" in the objects_5_0.C:
> :fw_allow_out_of_state_tcp (0)
>
> On FireWall-1 NG HF2 (Hotfix-2)
> ========================
>
> UNIX
> --------
> 1. Stop the FireWall (fwstop)
>
> 2. Perform the following platform dependent command:
>
> Solaris:
>
> Add the following line to the /etc/system file
> set fw:fw_allow_out_of_state_tcp = 1
>
> Linux:
>
> Add the following parameter to the $FWDIR/bin/fwstart script. The change should look like this:
>
> BEFORE -
>
> . . . . insmod $smp_prefix -f $fwmod kver=$kver . . . . .
>
> AFTER -
>
> . . . . insmod $smp_prefix -f $fwmod kver=$kver fw_allow_out_of_state_tcp=1 . . . .
>
> 3. Reboot the machine!
>
> Windows NT / 2000
> -----------------------------
> 1. Add the following DWORD to the registry under:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters
>
> A variable named AllowOutOfStateTCP should be added with a value of 1.
>
> 2. Reboot!
>
> NOTE: If one wishes to just prevent these logs from getting into the Log Viewer, proceed as follows:
>
> UNIX
> --------
> 1. Stop the FireWall (fwstop)
>
> 2. Perform the following platform dependent command:
>
> Solaris:
>
> Add the following line to the /etc/system file
> set fw:fw_log_out_of_state_tcp = 0
>
> Linux:
>
> Add the following parameter to the $FWDIR/bin/fwstart script. The change should look like this:
>
> BEFORE -
>
> . . . . insmod $smp_prefix -f $fwmod kver=$kver . . . . .
>
> AFTER -
>
> . . . . insmod $smp_prefix -f $fwmod kver=$kver fw_log_out_of_state_tcp=0 . . . .
>
> 3. Reboot the machine!
>
> Windows NT / 2000
> -----------------------------
> 1. Add the following DWORD to the registry under:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters
>
> A variable named DisableLogOutOfStateTCP should be added with a value of 1.
>
> 2. Reboot the machine!
> ************************************************************************
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
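A toy model of the stateful check the quoted article describes, added here as an illustration and not code from either post or from Check Point: a SYN creates a connections-table entry, a non-SYN packet with no entry is dropped on rule 0, and the two knobs stand in for fw_allow_out_of_state_tcp and fw_log_out_of_state_tcp. Addresses, the timeout value and the scenario are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Inspector:
    """Toy stateful inspector (constructed model, not FireWall-1 code).
    The knobs mirror the parameters named in the solution text."""
    allow_out_of_state_tcp: bool = False   # fw_allow_out_of_state_tcp
    log_out_of_state_tcp: bool = True      # fw_log_out_of_state_tcp
    timeout: int = 3600                    # service TCP timeout, seconds
    connections: dict = field(default_factory=dict)  # 4-tuple -> last seen
    log: list = field(default_factory=list)

    def inspect(self, pkt, now, rulebase_accepts=True):
        """Return 'accept' or 'drop' for pkt=(src, sport, dst, dport, flags)."""
        key, flags = pkt[:4], pkt[4]
        reverse = (pkt[2], pkt[3], pkt[0], pkt[1])
        # Cause 1 in the article: entries idle longer than the service
        # timeout are gone, so later packets of that flow are out of state.
        for k in [k for k, t in self.connections.items() if now - t > self.timeout]:
            del self.connections[k]
        if "SYN" in flags and "ACK" not in flags:
            # A new connection: only the SYN is matched against the Rule Base.
            if rulebase_accepts:
                self.connections[key] = now
                return "accept"
            return "drop"
        entry = key if key in self.connections else reverse if reverse in self.connections else None
        if entry is not None:
            self.connections[entry] = now      # refresh the idle timer
            return "accept"
        # Non-SYN packet with no connections-table entry: out of state.
        if self.allow_out_of_state_tcp:
            # allow=1 skips the state check; the packet hits the Rule Base like a SYN.
            if rulebase_accepts:
                self.connections[key] = now
                return "accept"
            return "drop"
        if self.log_out_of_state_tcp:       # fw_log_out_of_state_tcp=0 silences this
            self.log.append(f"rule 0 drop: th_flags {flags} TCP packet out of state {key}")
        return "drop"

def scenario(allow=False, log=True):
    """Client SYN, server SYN/ACK, then a client ACK after the timeout expired."""
    fw = Inspector(allow_out_of_state_tcp=allow, log_out_of_state_tcp=log)
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)   # constructed addresses
    verdicts = [fw.inspect((*c, *s, "SYN"), 0),
                fw.inspect((*s, *c, "SYN ACK"), 1),
                fw.inspect((*c, *s, "ACK"), 5000)]   # 5000 s > 3600 s timeout
    return verdicts, len(fw.log)
```

Note that the allow knob accepts the stale ACK only by skipping the state check entirely, which is why raising the service timeout (the article's first cause) is the narrower fix.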