Possibly a stale arp entry?
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM] On Behalf Of Mike Darr
Sent: Saturday, 29 March 2008 6:55 AM
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Checkpoint
Well....the first thing I tried next was to reboot our router. This fixed the issue. Seems something was in the routing table that wanted an old connection. Personally I am alarmed none of you thought of this. If I wanted flamed I would have posted it on Google Groups. Thanks for your expertise anyway David.
Mike
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM] On Behalf Of David DeSimone
Sent: Monday, March 24, 2008 7:03 PM
To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Checkpoint
Mike Darr <mike.darr MACPAPERS.COM> wrote:
>
> I am getting drops on our new server in the firewall with no rule
> number stating that the "TCP Packet is out of state. First packet
> isn't SYN tcp_flags:RST". I tried unchecking Drop out of state
> packets in the Global properties. I also tried increasing TCP End
> Timeout. Did not work. I am running NG R55 Build 127.
Personally I am alarmed that you tried enabling out-of-state packets to proceed through your network, as that is no solution at all.
Since the TCP flags show a reset, it means that the connection is being aborted for some reason. Perhaps the server is tracking an old connection, but the firewall has already forgotten about it. Increasing the TCP End timeout seems like a good idea, but perhaps it has not been increased enough.
I suggest you go through your firewall logs and look for the Source and Destination ports that match up with when the connection actually started, and compare that timestamp with the time when the RST was sent. You may find that it is many hours difference between the two.
You might want to enable TCP keep-alives on your Windows server, so that it sends dummy data packets more often, which can keep TCP sessions alive in your firewall's state table.
--
David DeSimone == Network Admin == fox verio.net
"This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free.
Thank you." --Lawyer Bot 6000
Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages, send an
email to
LISTSERV amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription
options,
email fw-1-owner ts.checkpoint.com
=================================================
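The log comparison David DeSimone suggests above (match the dropped RST to the connection's start by source and destination ports, then compare timestamps), as an added example that is not part of the original thread. The log layout, addresses and the `session_timeout` value of 3600 seconds are assumptions made for illustration; this is not Check Point's log export format, and the timeout should be set to whatever the gateway is actually configured with.

```python
from datetime import datetime

# Constructed sample log (hypothetical layout, not Check Point's export format):
# date time action src sport dst dport tcp_flags
SAMPLE_LOG = """\
2008-03-24 08:02:11 accept 10.1.1.20 3345 192.168.5.10 1433 SYN
2008-03-24 08:02:40 accept 10.1.1.21 4120 192.168.5.10 1433 SYN
2008-03-24 08:05:02 drop 192.168.5.10 1433 10.1.1.21 4120 RST
2008-03-24 14:47:53 drop 192.168.5.10 1433 10.1.1.20 3345 RST
2008-03-24 15:10:09 drop 192.168.5.10 1433 10.1.1.99 5000 RST
"""

def parse(line):
    date, time, action, src, sport, dst, dport, flags = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, action, (src, int(sport), dst, int(dport)), flags

def conn_key(tup):
    """Direction-independent key, so a server-sent RST matches the client's SYN."""
    src, sport, dst, dport = tup
    return frozenset([(src, sport), (dst, dport)])

def rst_gaps(log_text, session_timeout=3600):
    """Return (tuple, seconds since connection start, verdict) per dropped RST."""
    started, results = {}, []
    for line in log_text.strip().splitlines():
        ts, action, tup, flags = parse(line)
        key = conn_key(tup)
        if action == "accept" and flags == "SYN":
            started[key] = ts                      # remember when the session began
        elif action == "drop" and "RST" in flags:
            if key not in started:
                results.append((tup, None, "no connection start found in this log"))
                continue
            gap = int((ts - started[key]).total_seconds())
            verdict = ("old enough to have aged out of the state table if idle"
                       if gap > session_timeout
                       else "younger than the session timeout; look elsewhere")
            results.append((tup, gap, verdict))
    return results

if __name__ == "__main__":
    for tup, gap, verdict in rst_gaps(SAMPLE_LOG):
        print(tup, gap, verdict)
```

A drop with no matching start in the log window means the search has to go further back, or that the connection never passed through this gateway at all.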