Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Firewal-1 hangs temporarily

Status
Not open for further replies.
freddick

freddick

IS-IT--Management
Mar 14, 2005
34
0
0
US
I have a Nokia IP380 running Checkpoint Firewall-1NG, version 4.0.1.

The problem is that a few times per day I will suddenly get no Internet browsing or email services for about a minute. If I have Tracker, Monitor or Dashboard open when this happens I get a message that the connection to the firewall has been lost. However, at the same time, I can still ping to the outside world.

I can't find anything in the firewall log that would indicate a problem.

Any ideas on how to troubleshoot this or what it might be?
 
Sort by date Sort by votes
Do you have support a contract with Nokia? If so send them an ipsoinfo and cpinfo. Do you have the Nokia dumping it's logs to a syslog server? I'd check log the Nokia log files on the Nokia to see if the FW is stopping and starting. If it is you should see entries stating that the FW is stopping and starting. I'd also check the CP Trakcer logfiles to see if http traffic actually being stopped for that period of time.

If your Nokia is either rebooting the FW or CP daemons you'll need to find out whats triggering it. logfiles will be helpful.

good luck
 
Upvote 0 Downvote
Thanks for the suggestions! Here is some more information.

Looking at the ipsoinfo, I can tell that the fw has been up for 29 days.

Looking at Tracker and filtering for drops I see what seems to be a fair amount of...

TCP packet out of state: First packet isn't SYN tcp_flags: RST-ACK

these SYN errors have internal addresses as source and outside addresses as destination.

Any additional ideas would be greatly appreciated.
 
Upvote 0 Downvote
You could check /var/log/messages then vi the log files to see if you see any errors.
 
Upvote 0 Downvote
Or you could update to FP3 and see if you have the same issue
 
Upvote 0 Downvote
There can be loads of different reasons for the packet out of state errors.

Assuming you are only using 1 firewall (and not an HA pair) my guess would be incorectly setup interfaces (port speed and duplex)... you can check this with a netstat -i and see if you have crc errors or similar.

next you should check to see what there out of state errors have in common... do you use a proxy or something like that? Could be that this is on its way out?

The ip380 is a pretty solid and well specced machine, so unless you are doing a shed load of bandwidth it should be able to handle whatever you throw at it.. Checking the messages file should tell you if there is a problem with it.

Stu
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
101
hairlessupportmonkey
hairlessupportmonkey
NoCoolHandle
  • Locked
  • Question
TLS 1.0 vrs TLS 1.1 vrs 1.2 connection strategy question
Replies
1
Views
73
ChrisHirst
ChrisHirst
hall5942
  • Locked
  • Question
open firewall port on 881
Replies
0
Views
72
hall5942
hall5942
hall5942
  • Locked
  • Question
open firewall port on 881
Replies
0
Views
66
hall5942
hall5942
RodneyMcSnow
  • Locked
  • Question
Hardware firewall bypassed access to the lan network. Please Help! No it's not a root kit or virus
Replies
1
Views
70
ChrisHirst
ChrisHirst

Part and Inventory Search

Sponsor

Back
Top