Subject: Re: [FW-1] Cannot connect until after ping (almost done!)
From: "Erik A. Widholm" <erik.widholm AT MOODY DOT EDU>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 28 Oct 2004 08:07:05 -0500
Sending the ping isn't the problem.

What we're finding as we're digging into the packets is that some clients when 
they connect to some hosts (not really a 1 for 1 matchup) maintain their source 
MAC and their router interface MAC on the packet all the way to the firewall.

Well, it doesn't match the firewall's MAC address, so it just drops it.

We're looking at this as a ROUTER issue now instead.

We've turned off VRRP (the address that was bogusly showing up).
We've cleaned the ARP cache on all parties involved.
We're still having the same issue.

I don't think this is a FW1 issue any more.

THANK YOU EVERYONE FOR YOUR HELP! I'll let you know what we find! :-)

----- Original Message -----
From: Dahl-Stamnes Jørn <Jorn.Dahl-Stamnes AT EDB DOT COM>
Date: Thursday, October 28, 2004 0:35 am
Subject: Re: [FW-1] Cannot connect until after ping

> This is probably not a problem on your FW. It's on your client trying to do
> the HTTP connection.
> I have seen this on several HP-UX boxes. They always seem to send an ICMP
> packet before they start other sessions.
>
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Erik A. Widholm
> > Sent: 27 October 2004 14:31
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: Re: [FW-1] Cannot connect until after ping
> >
> >
> > Additional details:
> >
> > The switch's perspective (monitor port, using Ethereal 0.10.7):
> >   1   0.00000 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
> >   2   2.99032 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
> >   3   5.93445 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
> >   4  20.52164 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> >   5   3.01498 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> >   6   5.26413 66.185.250.1 -> portfolio.moody.edu ICMP Echo request (ID: 512 Sequence number: 62977)
> >   7   0.00000 portfolio.moody.edu -> 66.185.250.1 ICMP Echo reply (ID: 512 Sequence number: 62977)
> >   8   0.77089 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> >   9   0.00082 portfolio.moody.edu -> 66.185.250.1 HTTP R port=2531
> >  10   0.00015 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> >
> > FW1's perspective (fw monitor):
> >   1   0.00000 66.185.250.1 -> portfolio.moody.edu ICMP Echo request (ID: 512 Sequence number: 62977)
> >   2   0.00011 66.185.250.1 -> portfolio.moody.edu ICMP Echo request (ID: 512 Sequence number: 62977)
> >   3   0.00001 66.185.250.1 -> portfolio.moody.edu ICMP Echo request (ID: 512 Sequence number: 62977)
> >   4   0.00002 66.185.250.1 -> portfolio.moody.edu ICMP Echo request (ID: 512 Sequence number: 62977)
> >   5   0.00046 portfolio.moody.edu -> 66.185.250.1 ICMP Echo reply (ID: 512 Sequence number: 62977)
> >   6   0.00003 portfolio.moody.edu -> 66.185.250.1 ICMP Echo reply (ID: 512 Sequence number: 62977)
> >   7   0.00001 portfolio.moody.edu -> 66.185.250.1 ICMP Echo reply (ID: 512 Sequence number: 62977)
> >   8   0.00001 portfolio.moody.edu -> 66.185.250.1 ICMP Echo reply (ID: 512 Sequence number: 62977)
> >   9   0.77262 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> >  10   0.00019 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
> >
> > You will notice that FW1 doesn't even see the connection
> > until after the ICMP has started! Look at the port numbers of
> > the http request...
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> >

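The two captures quoted in the thread are the whole diagnosis: the switch's span port sees every HTTP connection attempt, the firewall sees only the ones that arrive after the ping. The script below is an added example (not code from the thread or from Check Point) that turns that visual comparison into a check: it parses the one-line summary format quoted above, reconstructs a running clock from the per-frame deltas (it assumes the second column is the time since the previous frame, which is how the quoted numbers read), and reports, per client port, how many attempts the switch saw, how many the firewall saw, and whether the firewall's first sighting came only after its first ICMP echo. Echo requests are counted by (ID, sequence) rather than by line, because fw monitor can log the same packet once per inspection point, which is consistent with the four identical entries in the firewall's listing. The trace text is re-typed from the thread with the wrapped ICMP lines re-joined, so the script runs offline.

```python
"""Correlate a switch-side capture with a firewall-side capture to find the
connection attempts that never reached the firewall (added example, not from
the thread)."""
import json
import re

# Both listings are re-typed from the thread: Ethereal on the switch monitor
# port, and fw monitor on the FW-1 gateway. Wrapped ICMP lines were re-joined.
SWITCH_TRACE = """
  1   0.00000 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
  2   2.99032 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
  3   5.93445 66.185.250.1 -> portfolio.moody.edu HTTP C port=2521
  4  20.52164 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
  5   3.01498 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
  6   5.26413 66.185.250.1 -> portfolio.moody.edu ICMP Echo request (ID: 512 Sequence number: 62977)
  7   0.00000 portfolio.moody.edu -> 66.185.250.1 ICMP Echo reply (ID: 512 Sequence number: 62977)
  8   0.77089 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
  9   0.00082 portfolio.moody.edu -> 66.185.250.1 HTTP R port=2531
 10   0.00015 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
"""

FW_TRACE = """
  1   0.00000 66.185.250.1 -> portfolio.moody.edu ICMP Echo request (ID: 512 Sequence number: 62977)
  2   0.00011 66.185.250.1 -> portfolio.moody.edu ICMP Echo request (ID: 512 Sequence number: 62977)
  3   0.00001 66.185.250.1 -> portfolio.moody.edu ICMP Echo request (ID: 512 Sequence number: 62977)
  4   0.00002 66.185.250.1 -> portfolio.moody.edu ICMP Echo request (ID: 512 Sequence number: 62977)
  5   0.00046 portfolio.moody.edu -> 66.185.250.1 ICMP Echo reply (ID: 512 Sequence number: 62977)
  6   0.00003 portfolio.moody.edu -> 66.185.250.1 ICMP Echo reply (ID: 512 Sequence number: 62977)
  7   0.00001 portfolio.moody.edu -> 66.185.250.1 ICMP Echo reply (ID: 512 Sequence number: 62977)
  8   0.00001 portfolio.moody.edu -> 66.185.250.1 ICMP Echo reply (ID: 512 Sequence number: 62977)
  9   0.77262 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
 10   0.00019 66.185.250.1 -> portfolio.moody.edu HTTP C port=2531
"""

# frame, delta-time, src -> dst, protocol, free-text detail
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<delta>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+(?P<detail>.*\S)\s*$"
)


def parse_trace(text):
    """Parse summary lines; the second column is treated as the delta since the
    previous frame (assumption), accumulated into an absolute 'time'."""
    events, clock = [], 0.0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrecognised line
        clock += float(m.group("delta"))
        ev = m.groupdict()
        ev["frame"] = int(ev["frame"])
        ev["time"] = round(clock, 5)
        events.append(ev)
    return events


def http_client_port(ev):
    """Client port of an 'HTTP C port=NNNN' request line; None for replies."""
    if ev["proto"] != "HTTP" or not ev["detail"].startswith("C "):
        return None
    return int(re.search(r"port=(\d+)", ev["detail"]).group(1))


def unique_echo_requests(events):
    """Echo requests keyed by (ID, sequence): fw monitor may log one packet once
    per inspection point, so counting lines would overstate what the client sent."""
    keys = set()
    for ev in events:
        if ev["proto"] == "ICMP" and ev["detail"].startswith("Echo request"):
            m = re.search(r"ID: (\d+) Sequence number: (\d+)", ev["detail"])
            keys.add((int(m.group(1)), int(m.group(2))))
    return keys


def compare_traces(switch_text, fw_text):
    """Per client port: attempts seen at each vantage point, how many were lost
    between switch and firewall, and whether the firewall only saw the
    connection after its first ICMP echo. Clocks are only compared within a trace."""
    sw, fw = parse_trace(switch_text), parse_trace(fw_text)
    fw_icmp_times = [ev["time"] for ev in fw if ev["proto"] == "ICMP"]
    first_fw_icmp = min(fw_icmp_times) if fw_icmp_times else None
    ports = {}
    for port in sorted({p for p in map(http_client_port, sw) if p is not None}):
        sw_hits = [ev for ev in sw if http_client_port(ev) == port]
        fw_hits = [ev for ev in fw if http_client_port(ev) == port]
        ports[port] = {
            "switch_attempts": len(sw_hits),
            "firewall_attempts": len(fw_hits),
            "lost_before_firewall": len(sw_hits) - len(fw_hits),
            # gaps between retries at the switch (TCP SYN retransmit backoff shows here)
            "switch_retry_gaps": [round(b["time"] - a["time"], 2)
                                  for a, b in zip(sw_hits, sw_hits[1:])],
            "firewall_saw_only_after_icmp": bool(fw_hits) and first_fw_icmp is not None
            and all(ev["time"] > first_fw_icmp for ev in fw_hits),
        }
    return {
        "ports": ports,
        "echo_requests": {"switch": len(unique_echo_requests(sw)),
                          "firewall": len(unique_echo_requests(fw))},
    }


if __name__ == "__main__":
    print(json.dumps(compare_traces(SWITCH_TRACE, FW_TRACE), indent=2))
```

On the quoted data this reports port 2521 as three attempts at the switch and none at the firewall, and port 2531 as four attempts at the switch of which only the two after the echo reached the firewall; the retry gaps of roughly 3 s and 6 s on the switch side are the client's SYN retransmissions timing out while the frames are discarded somewhere between the span port and the firewall, which is what points at a layer-2 (MAC/ARP) problem rather than a rulebase drop, since a policy drop would still show the packets in fw monitor.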