Firewall-1

Re: [FW-1] gfb: th_flags 2 message_info syn packet for established conn

Subject: Re: [FW-1] gfb: th_flags 2 message_info syn packet for established connection
From: gabriel borrageiro <gborrageiro AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 26 Oct 2004 11:01:50 +0000

Thanks for the advice, Torkel.

best regards,

Gabriel



From: Torkel Mathisen <Torkel.Mathisen AT ERGO DOT NO>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] gfb: th_flags 2 message_info syn packet for established connection
Date: Mon, 25 Oct 2004 16:58:05 +0200

Hi

I don't know why FW1 isn't terminating the connection if it
receives a FIN or RST as you say it does.

However, in FP3 with some HFA you can specify if you would
allow this behaviour for certain ports. We had to do this
for some print application that just didn't want to change
source port.

You will have to upgrade from FP2 though to at least FP3 and
some HFA which I don't remember. (or R54 or R55 of course)

Regards,
Torkel

> -----Original Message-----
> From: gabriel borrageiro [mailto:gborrageiro AT HOTMAIL DOT COM]
> Sent: 21. oktober 2004 13:04
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] gfb: th_flags 2 message_info syn packet for established connection
>
>
> greetings friends!
>
> I am getting dropped packets with error message info "th_flags 2
> message_info syn packet for established connection".
> From what I've read about this error on Nokia support "This error can be
> seen when FireWall-1 receives a new connection from a source to a
> destination over the same port/service as a connection that was recently
> closed with a FIN or RST. FireWall-1 hangs onto these connections until the
> tcpendtimeout is reached".
>
> If a FIN or RST was sent, why is FW1 trying to hang onto these connections?
> It is stopping our client's application from working.
> From what I see, the client is trying to re-initialize the application
> session, but FW1 (NG2) is terminating the connection as it is seeing
> packets sent with SYN flag when it does not expect to see this over an
> ESTABLISHED session. Whilst this is correct, the error condition seems to
> exist only because FW1 has hung onto the session, when the server most
> likely sent a FIN or RST a while ago.
>
> thank you for your help.
>
>
>
> best regards,
>
> Gabriel
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
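
Added example, not part of the original thread and not Check Point code: a simplified Python model of the behaviour the quoted Nokia note describes, where the state entry survives a FIN or RST until the end timeout and a SYN reusing the same source port inside that window is dropped. The 50-second timeout, the addresses and ports, and the syn_reuse_ports option (standing in for the per-port exception Torkel mentions) are assumptions.

```python
# Simplified model of a stateful connection table; NOT Check Point code.
# The 50 s timeout, the addresses/ports and all names here are assumptions.
from dataclasses import dataclass

SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10   # TCP flag bits; th_flags 2 == SYN
TCP_END_TIMEOUT = 50                          # seconds, assumed for illustration

@dataclass
class Entry:
    state: str = "ESTABLISHED"
    expires: float = float("inf")             # finite only once FIN/RST is seen

class ConnTable:
    def __init__(self, end_timeout=TCP_END_TIMEOUT, syn_reuse_ports=()):
        self.end_timeout = end_timeout
        self.syn_reuse_ports = set(syn_reuse_ports)  # hypothetical per-port exception
        self.table = {}

    def packet(self, now, conn, flags):
        """conn = (src, sport, dst, dport) of the client side; both directions share it."""
        entry = self.table.get(conn)
        if entry and now >= entry.expires:     # end timeout reached: forget the entry
            del self.table[conn]
            entry = None
        if flags & SYN and not flags & ACK:    # a new connection attempt
            if entry is None or conn[3] in self.syn_reuse_ports:
                self.table[conn] = Entry()
                return "accept"
            return "drop: syn packet for established connection"
        if entry is None:
            return "drop: no matching connection"
        if flags & (FIN | RST):                # closing: keep entry until end timeout
            entry.state = "CLOSING"
            entry.expires = now + self.end_timeout
        return "accept"

def replay(fw, conn=("10.0.0.5", 40000, "10.0.1.9", 9100)):
    """Constructed trace: open, close at t=10, reconnect from the SAME source port."""
    steps = [(0, SYN), (1, ACK), (10, FIN | ACK), (15, SYN), (61, SYN)]
    return [fw.packet(t, conn, flags) for t, flags in steps]

if __name__ == "__main__":
    for name, fw in [("default", ConnTable()),
                     ("port 9100 exempt", ConnTable(syn_reuse_ports={9100}))]:
        print(name, replay(fw))
```

In the default run the SYN at t=15 is dropped and the one at t=61, after the end timeout, is accepted; a client that picks a fresh source port never hits the stale entry at all.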
