
List:       firewall-1
Subject:    [FW-1] problem with TCP sessions with fixed source and destination
From:       marc.vandevliet () KBC ! BE
Date:       2002-11-29 13:51:08

Hi !

For some time now we have been having a problem with TCP sessions with fixed
source and destination sockets through a FW-1.

If such a session remains inactive for some time, the entry in the state
table expires and the session is dropped. The sender keeps on trying for
some time, then quits the session and tries to set up a new one (to the
same destination IP and port, of course). Nothing out of the ordinary,
there...

But, the SYN frames for this new session get dropped too. Special about
these sessions is that the source port is fixed (most IP stacks would use
another source port). We know that using another source port solves the
problem, but some applications always use the same and cannot be changed.

We also know that 'fast mode' solved the problem with FW-1 V4.1.
Unfortunately 'fast mode' is not stateful and is therefore considered less
safe. NG does not seem to have a 'fast mode' anymore.

We don't understand the reason why FW-1 drops these SYN frames.

We have found information about possible 'workarounds' but still would like
to know (and solve) the problem itself.

Has anybody got any suggestions ?

regards,

Marc Van de Vliet
KBC Bank & Verzekering
MecPark4 - CIT/ITL/8547
Bedrijvenlaan 4
B-2800 Mechelen

Tel: +32(0)15/35 24 41
marc.vandevliet@kbc.be


