
RE: [fw1-gurus] TCP packet out of state: First packet isn't SYN



Refer to page 86 of the ClusterXL.pdf:

TCP Out-of-State Error Messages
=================================================================================
When the synchronization mechanism is under load, TCP packet out-of-state error
messages may appear in the information column of SmartTracker. This section
explains how to resolve each error.

TCP packet out of state - first packet isn't SYN tcp_flags: FINACK
TCP packet out of state - first packet isn't SYN tcp_flags: FINPUSH-ACK

These messages occur when a FIN packet is retransmitted after deleting the
connection from the connection table.

To solve the problem, in the SmartDashboard Global properties for Stateful
Inspection, enlarge the TCP end timeout from 20 seconds to 60 seconds. If
necessary, also enlarge the connection table so it won't get full.
=================================================================================
SYN packet for established connection

This message occurs when a SYN is received on an established connection, and
the sequence verifier is turned off. The sequence verifier is turned off for a
non-sticky connection in a cluster (or in SecureXL). Some applications close
connections with a RST packet (in order to reuse ports).

To solve the problem, enable this behavior for specific ports or for all
ports. For example, run the command:

fw ctl set -1 fw_trust_rst_on_port <port>

which means that VPN-1\FireWall-1 should trust a RST coming from every port,
in case a single port is not enough.
=================================================================================
Any other TCP out-of-state message

If any other out-of-state message appears, run the command:

fw ctl set fwconn_merge_all_syncs 1

This allows a more reliable way of merging TCP states across non-sticky
(asymmetric) connections.

In a cluster with no asymmetric connections (all connections are sticky, which
means that there are no encrypted and no static NAT connections), leave the
default value of 0 to gain better performance.
=================================================================================

HTH,

Regards,

Siddhartha Jain
Certified Information Systems Security Professional (CISSP)
IT Security Administrator
Bank Muscat (www.bankmuscat.com)
Phone: +968-768557
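The two ClusterXL conditions quoted above (a FIN retransmitted after the table entry was aged out, and a SYN arriving on an entry that a RST could not tear down) are easy to reason about with a small model of a connection table. The block below is an added example written for this thread; it is not Check Point code and not part of the posts. The state names, the table layout, the sample 5-tuple and the exact log strings are assumptions chosen to mirror the messages in the thread.

```python
"""Toy stateful-inspection model of a TCP connection table.

Constructed example (not Check Point's code): it models just enough state to
reproduce the two ClusterXL symptoms quoted above and to show why the two
suggested fixes (a longer TCP end timeout, trusting RST) make them go away.
State names, the table layout and the sample 5-tuple are all assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SYN_SENT, ESTABLISHED, CLOSING = "SYN_SENT", "ESTABLISHED", "CLOSING"
Key = Tuple[str, int, str, int]  # src ip, src port, dst ip, dst port


@dataclass
class Entry:
    state: str
    expires_at: Optional[float] = None  # set only while CLOSING


@dataclass
class Inspector:
    tcp_end_timeout: float = 20.0  # Global Properties > Stateful Inspection, default 20 s
    trust_rst: bool = False        # models fw_trust_rst_on_port being enabled
    table: Dict[Key, Entry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        """Delete CLOSING entries whose end timeout has elapsed."""
        for key in [k for k, e in self.table.items()
                    if e.expires_at is not None and e.expires_at <= now]:
            del self.table[key]

    def packet(self, key: Key, flags: str, now: float) -> str:
        """Inspect one segment; return 'accept' or 'drop' and record any log message."""
        self._expire(now)
        entry = self.table.get(key)
        if entry is None:
            if flags == "SYN":
                self.table[key] = Entry(SYN_SENT)
                return "accept"
            # No table entry and not a SYN: the message in the thread subject.
            self.log.append(
                f"TCP packet out of state: First packet isn't SYN tcp_flags: {flags}")
            return "drop"
        if flags == "SYN":
            if entry.state == ESTABLISHED:
                self.log.append("SYN packet for established connection")
                return "drop"
            self.table[key] = Entry(SYN_SENT)  # retransmitted SYN, or port reused after FIN
            return "accept"
        if flags == "RST":
            # With the sequence verifier off (non-sticky cluster / SecureXL) the RST
            # cannot be validated, so the entry is torn down only when RST is trusted.
            if self.trust_rst:
                del self.table[key]
            return "accept"
        if "FIN" in flags:
            entry.state = CLOSING
            entry.expires_at = now + self.tcp_end_timeout
            return "accept"
        if flags == "SYN-ACK" and entry.state == SYN_SENT:
            entry.state = ESTABLISHED
        return "accept"


CLIENT: Key = ("10.0.0.5", 40000, "192.0.2.10", 443)  # constructed sample flow


def _handshake(fw: Inspector, key: Key, t0: float) -> None:
    fw.packet(key, "SYN", t0)
    fw.packet(key, "SYN-ACK", t0 + 0.1)
    fw.packet(key, "ACK", t0 + 0.2)


def fin_retransmit_scenario(tcp_end_timeout: float, retransmit_after: float) -> List[str]:
    """Client sends FIN-ACK at t=10 s, then retransmits it retransmit_after seconds later."""
    fw = Inspector(tcp_end_timeout=tcp_end_timeout)
    _handshake(fw, CLIENT, 0.0)
    fw.packet(CLIENT, "FIN-ACK", 10.0)
    fw.packet(CLIENT, "FIN-ACK", 10.0 + retransmit_after)
    return fw.log


def rst_reuse_scenario(trust_rst: bool) -> Tuple[str, List[str]]:
    """Application aborts with RST and immediately reuses the same source port."""
    fw = Inspector(trust_rst=trust_rst)
    _handshake(fw, CLIENT, 0.0)
    fw.packet(CLIENT, "RST", 5.0)
    verdict = fw.packet(CLIENT, "SYN", 5.5)
    return verdict, fw.log


if __name__ == "__main__":
    print("end timeout 20 s, FIN retransmitted 30 s later:", fin_retransmit_scenario(20, 30))
    print("end timeout 60 s, FIN retransmitted 30 s later:", fin_retransmit_scenario(60, 30))
    print("RST not trusted:", rst_reuse_scenario(False))
    print("RST trusted:    ", rst_reuse_scenario(True))
```

With the 20-second end timeout a FIN-ACK retransmitted 30 seconds after the first one finds no entry and is logged as "first packet isn't SYN"; with 60 seconds the entry is still in CLOSING and the retransmit merely refreshes it. In the RST case, leaving RST untrusted keeps the entry ESTABLISHED, so the reused port's new SYN is logged as "SYN packet for established connection". The same "no entry, not a SYN" path is what fires when a cluster member sees a SYN-ACK for a connection whose SYN (or whose sync record) it never received, which is the SYN-ACK variant in the original question.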



-----Original Message-----
From: Lee Cox [mailto:Lee.Cox@xxxxxxxxxxxx]
Sent: Monday, November 10, 2003 2:58 PM
To: 'fw1-gurus@xxxxxxxxxxxxxxxxxx'
Subject: [fw1-gurus] TCP packet out of state: First packet isn't SYN


I am using AI on IPSO 3.7 with 2 clustered firewalls. When using apps all
load balance and failover works great. But when using VPN (SecureClient) I
seem to lose state sync on occasions with the following message:
TCP packet out of state: First packet isn't SYN
                        tcp_flags: SYN-ACK
Ideas anybody?

---------------------------------------------------------------------
FireWall-1 Gurus Mailing List (http://www.phoneboy.com/gurus)
To unsubscribe, mailto:fw1-gurus-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, mailto:fw1-gurus-help@xxxxxxxxxxxxxxxxxx

"This email message is intended for the named recipient only. It may be
privileged and/or confidential. If you are not the intended named recipient
of this email then you should not copy it or use it for any purpose, nor
disclose its contents to any other person which is strictly prohibited and unlawful"

