TCP packet out of state

[oedipian]

Hi all,

Here is the problem I'm getting. I don't think this is due to my configuration of FW, but in the logs, I have the following line :

action - service - source - destination - comment
drop - http - XXXXXX - XXXXXXXXXXX - th_flags 11 message_info TCP packet out of state.

I don't understand why this packet is dropped, as this traffic has always been allowed and it worked well until today.

If anyone has a clue, I would be very thankful.

Regards,

Vincent
IT

 

[Piloria]

can i ask if this is internal routing or external.
one possibility is if you are using the firewall for internal routing and for some reason your internal routing has changed (outward packet is not via the firewall so return packet is out of state)
so the outward routing has changed to not include the firewall

 

[SgtB]

Here's a paper by Lance Spitzner explaing FW-1 state tables.

http://www.spitzner.net/fwtable.html

Once you better understand State, then you'll be more than prepared to tackle this issue.

If you do have other questions though, please let us know.

A little more background would be needed on your setup their as well. Is it a stand-alone firewall or do you have a distributed system set up? Is this nasty packet inbound or outbound. Is the destination your firewall or a webserver (or another server?) ________________________________________
Check out

http://www.security-forums.com