
th_flags 2 message_info SYN packet for established connection


rdcd

Technical User
Mar 11, 2003
5
NL
Hello,

In our firewall logs we see the following:
th_flags 2 message_info SYN packet for established connection

We've NG FP3 with Hotfix 2.
Still no solution, any ideas?

Please help
 
I found the answer with Google:


Re: [FW-1] SYN packet for established connection -- message in NG log -- what does it mean?

--------------------------------------------------------------------------------

To: FW-1-MAILINGLIST@FW1-NOSPAMbeethoven.us.checkpoint.com
Subject: Re: [FW-1] SYN packet for established connection -- message in NG log -- what does it mean?
From: "Grabowski, David" <david.grabowski@FW1-NOSPAMUS.MIZUHO-SC.COM>
Date: Fri, 5 Apr 2002 12:11:50 -0500
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@FW1-NOSPAMbeethoven.us.checkpoint.com>
Sender: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@FW1-NOSPAMbeethoven.us.checkpoint.com>
Thread-Index: AcG/sg01yjWAZUemRMKolCL2flf6tQdDegqQ
Thread-Topic: SYN packet for established connection -- message in NG log -- what does it mean?

--------------------------------------------------------------------------------

This is a follow-up to my original posting. I solved the problem,
although the solution is, in my opinion, not an ideal one, since it
alters a default behavior of FW-1. A number of people have replied to me
off-line asking if the issue was solved. It's best to post a summary
here.

First, a bit of what I've learned about the FW-1 state table:

- An established TCP session will, by default, have a lifetime of 3600
seconds in the connections table. Every packet that traverses the
session will re-set the timer. Note that the lifetime is configurable
for each service in NG.

- After a session is closed (via FIN or RST packets), it enters a
"half-closed" state in FW-1. It remains in the connections table, but
its lifetime is reduced to 50 seconds. Note that this lifetime is a
global setting (tcpendtimeout).

- If a new connection is attempted (a SYN packet) that matches the
"half-closed" connection (meaning same source and destination IP's and
ports), it is dropped by the firewall as "SYN packet for established
connection" (even though the connection is no longer 'established'), and
the timer is re-set to 50 seconds.

The application that I am using uses statically-coded source ports for
its communications. This was done to allow the product to work with
non-stateful firewalls. Obviously, that's really not an issue anymore,
and the vendor is now planning to re-code their software to use dynamic
source ports.

The problem arises from the fact that the application will frequently
close connections, and then in less than 50 seconds, it will open them
again.

The "solution" was to decrease the default timer for half-closed
connections (tcpendtimeout) to a much smaller value -- 10 seconds. So
far, we haven't run into any problems with the application since the
change.

This does leave the potential for sessions to not properly close, but
for the most part, I think that the likelihood of a session taking more
than 10 seconds to close is relatively small.

For info on how to change the 'tcpendtimeout' parameter in NG, see the
knowledgebase. You need to use the 'dbedit' utility on your management
station.

-Dave
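The state-table behaviour summarised in the quoted mailing-list post (3600 s lifetime while established, 50 s once half-closed, a matching SYN dropped and the half-closed timer refreshed) can be reproduced with a small simulation. The code below is an added example for this thread, not Check Point code and not from either poster; the endpoints are constructed, the fixed source port stands in for the statically-coded ports the post mentions, and the handling of a SYN that matches a still-established entry (dropped the same way) is an assumption, since the post only describes the half-closed case. It shows why the application's reconnect within 50 seconds is logged as dropped, why SYN retries keep the entry alive, and why lowering tcpendtimeout to 10 seconds lets the reconnect through.

```python
from dataclasses import dataclass

# Timer values taken from the mailing-list summary above.
ESTABLISHED_TIMEOUT = 3600   # default lifetime of an established TCP session
DEFAULT_TCPENDTIMEOUT = 50   # default lifetime of a half-closed session (tcpendtimeout)

# Log text as it appears in this thread; th_flags 2 is the TCP SYN bit (0x02).
DROP_MESSAGE = "th_flags 2 message_info SYN packet for established connection"


@dataclass
class Entry:
    state: str      # "established" or "half-closed"
    expires: float  # absolute time at which the entry leaves the table


class ConnTable:
    """Toy model of the FW-1 connections table as described in the post (hypothetical)."""

    def __init__(self, tcpendtimeout=DEFAULT_TCPENDTIMEOUT):
        self.tcpendtimeout = tcpendtimeout
        self.table = {}
        self.log = []

    def _expire(self, now):
        for key in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[key]

    def packet(self, now, src, sport, dst, dport, flags):
        """Process one packet at time `now`; returns 'accept' or 'drop'."""
        self._expire(now)
        key = (src, sport, dst, dport)
        entry = self.table.get(key)
        if "SYN" in flags and "ACK" not in flags:
            if entry is None:
                self.table[key] = Entry("established", now + ESTABLISHED_TIMEOUT)
                return "accept"
            # A SYN that matches an existing entry is dropped and the entry's timer
            # is refreshed. The post describes this for half-closed entries; treating
            # an established entry the same way is an assumption of this model.
            lifetime = self.tcpendtimeout if entry.state == "half-closed" else ESTABLISHED_TIMEOUT
            entry.expires = now + lifetime
            self.log.append(f"{now:>6}s {DROP_MESSAGE} {src}:{sport} -> {dst}:{dport}")
            return "drop"
        if entry is None:
            return "drop"  # non-SYN packet with no state in the table
        if "FIN" in flags or "RST" in flags:
            entry.state = "half-closed"
            entry.expires = now + self.tcpendtimeout
        elif entry.state == "established":
            entry.expires = now + ESTABLISHED_TIMEOUT  # every packet refreshes the timer
        return "accept"


# Constructed endpoints; the fixed source port mimics the statically-coded ports in the post.
CLIENT = ("10.0.0.5", 5000, "10.0.1.9", 443)


def reconnect(tcpendtimeout, gap):
    """Open, close, then reopen the same 4-tuple `gap` seconds after the FIN."""
    fw = ConnTable(tcpendtimeout)
    fw.packet(0, *CLIENT, {"SYN"})
    fw.packet(1, *CLIENT, {"ACK"})
    fw.packet(30, *CLIENT, {"FIN", "ACK"})
    return fw.packet(30 + gap, *CLIENT, {"SYN"})


def retries(tcpendtimeout, gap, interval, count):
    """Like reconnect(), but the client retries its SYN every `interval` seconds."""
    fw = ConnTable(tcpendtimeout)
    fw.packet(0, *CLIENT, {"SYN"})
    fw.packet(30, *CLIENT, {"FIN", "ACK"})
    return [fw.packet(30 + gap + i * interval, *CLIENT, {"SYN"}) for i in range(count)]


if __name__ == "__main__":
    print("default 50s, reopen after 20s:", reconnect(50, 20))           # drop
    print("tcpendtimeout 10s, reopen after 20s:", reconnect(10, 20))     # accept
    print("default 50s, SYN retried every 20s:", retries(50, 20, 20, 4))  # all dropped
```

The retry case is the one worth noticing when reading such logs: each retransmitted SYN that is dropped also refreshes the half-closed timer, so a client that keeps retrying faster than tcpendtimeout never gets through until it backs off for a full timeout period. That is why a burst of these messages for one source port is consistent with an application reusing ports rather than anything the firewall needs to block.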