
CP FW-1 NG out of state logs

Status
Not open for further replies.

achilleus

IS-IT--Management
Oct 3, 2001
351
US
Thanks in advance for any help you might offer.

I am using CP FW-1 NG on a Windows 2000 Server box. When I view the logs I see a lot of dropped packets with an out of state type message (I can give the particular messages if that will help). My question is: is this normal? Are there supposed to be a certain number of dropped out of state packets? Or should I be concerned?

Thanks again! AJ
SA
HS
 

This error is equivalent to the VPN-1/FireWall-1 4.1 error message:

"Unknown established TCP packet"

The error can be the result of several possible causes:

1. Dropping packets belonging to expired connections. Increasing the timeout of the related service can improve the situation.
2. Dropping packets after policy unload and load. In this case connections established when there is no policy are out of state, and cannot be matched to packets of already established connections.
3. Situations involving asymmetric routing, where all the TCP handshake packets were missed.
4. Direction enforcement for unidirectional connections, where packet flow is in the opposite direction to the connection direction.
5. TCP handshake direction enforcement, where some of the TCP handshake packets are in the wrong direction.
6. In cluster configurations (i.e. StoneBeat FullCluster), the state tables between the nodes are not in sync or the default sync time (100 ms) is too long.
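
Causes 1 to 3 in the list above can be reproduced with a toy state table. This is an added example, not part of the original reply and not Check Point code: the `StateTable` class, the timeout values, the addresses and the verdict strings are all constructed for illustration.

```python
from dataclasses import dataclass, field

DROP = "drop: out of state"

@dataclass
class StateTable:
    """Toy stateful-inspection table; a simplified model, not FireWall-1 internals."""
    timeout: float = 3600.0                     # idle timeout in seconds (assumed value)
    policy_loaded: bool = True
    conns: dict = field(default_factory=dict)   # connection key -> last-seen time

    @staticmethod
    def key(src, sport, dst, dport):
        # Direction-independent key so replies match the same entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def inspect(self, now, src, sport, dst, dport, flags):
        if not self.policy_loaded:
            return "accept (no policy, not tracked)"
        k = self.key(src, sport, dst, dport)
        last = self.conns.get(k)
        if last is not None and now - last > self.timeout:
            del self.conns[k]                   # idle entry expired
            last = None
        if last is None and flags != "S":
            return DROP                         # no entry and not a new SYN
        self.conns[k] = now
        return "accept"

def demo():
    """Replay constructed packets that reproduce causes 1-3 from the list above."""
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 443)
    out = {}
    fw = StateTable(timeout=60)
    fw.inspect(0, *c, *s, "S")
    out["expired"] = fw.inspect(120, *c, *s, "A")          # cause 1: idle > timeout
    fw = StateTable(policy_loaded=False)
    fw.inspect(0, *c, *s, "S")                             # opened with no policy loaded
    fw.policy_loaded = True
    out["after_policy_load"] = fw.inspect(5, *c, *s, "A")  # cause 2
    fw = StateTable()
    out["asymmetric"] = fw.inspect(0, *s, *c, "A")         # cause 3: handshake never seen
    fw.inspect(1, *c, *s, "S")
    out["normal"] = fw.inspect(2, *s, *c, "SA")            # tracked reply is accepted
    return out

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

Raising `timeout` above the idle gap turns the `expired` case into an accept, which is the adjustment cause 1 suggests.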
 