CPUG

The Check Point User Group

#1  2007-06-04  pnetcr (Junior Member, joined 2005-12-30, 14 posts)
TCP Packet out of state

I have trawled through this forum and there's lots on the above, but I still can't see a solution to my issue.

NGX R60 / IP390 / NOKIA IPSO Clustering (Forwarding mode)

3rd party using FW1_clntauth_http (900) to the Cluster object with SECURID. The Cluster then passes the authentication request to an internal ACE server, which authenticates correctly. The 3rd party is authorized to pass through the firewall as the appropriate client authentication rule dictates.

The problem appears totally randomly (all could be OK for 13 hours, 45 mins, 3 hours, etc.): the individual firewall objects send back TCP out of state messages (First packet isn't SYN, SYN-ACK and First packet isn't SYN, RST-ACK) on source port 900 to the clients. This effectively de-authorizes them from using the appropriate rules they require. This affects all clients from the 3rd party at the same time, and the problem seems to last a random period (25 mins, 56 mins, etc.) before they can successfully authenticate and all is well again. What I can't understand is why the FWs do this, as the 'Client Authentication Authorization Timeout' setting is set to 12 hours.

For reference there are loads of similar out of state messages on the logs for HTTP browsing. I understand the reasons for the messages (especially with clustering) but they are non problematic to the business, whereas the SECURID issue is!

I don't want to uncheck 'Drop out of state TCP packets', as this defeats the purpose of a FW.

I am not sure if this is just a 'feature' which I have to live with because I'm using clustering and some solutions like mine just ain't cut out for it; however, has anyone experienced something similar before I have to start removing one of the FWs from the cluster, etc. to get to the bottom of the issue?

Since migrating to NGX R60 / IP390 / NOKIA IPSO Clustering (Forwarding mode), all has been well for the roughly 20 services routing through the FWs, apart from the above!
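An added example (not from this thread, and not Check Point's code) showing how a firewall admin could triage these drops from an exported log before touching the out-of-state setting. It parses a constructed key=value approximation of a log export (the real fw log / SmartView Tracker layout differs), keeps only "TCP packet out of state" drops, separates the port-900 client-auth replies from the HTTP browsing noise the post mentions, and clusters them into outage windows with start, end, duration, affected clients and the TCP flags seen. The IP addresses, timestamps and field names are all constructed.

```python
"""Triage "TCP packet out of state" drops per port and time window.

Added example for this thread; it is not Check Point's code, and the log
format below is a constructed key=value approximation of an exported log,
not the real fw log / SmartView Tracker layout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CLNTAUTH_PORT = 900          # FW1_clntauth_http, the service named in the thread
OOS_MARKER = "TCP packet out of state"

# Constructed sample: cluster member 10.1.1.5 replies from port 900 to three
# clients, plus the harmless HTTP (port 80) out-of-state noise the post mentions.
SAMPLE_LOG = [
    'time=2007-06-04T09:58:01 action=drop src=203.0.113.7 s_port=80 dst=10.2.2.20 d_port=41002 message="TCP packet out of state: First packet isn\'t SYN; tcp_flags: FIN-ACK"',
    'time=2007-06-04T10:15:32 action=drop src=10.1.1.5 s_port=900 dst=198.51.100.11 d_port=51234 message="TCP packet out of state: First packet isn\'t SYN; tcp_flags: SYN-ACK"',
    'time=2007-06-04T10:16:10 action=drop src=10.1.1.5 s_port=900 dst=198.51.100.12 d_port=51240 message="TCP packet out of state: First packet isn\'t SYN; tcp_flags: RST-ACK"',
    'time=2007-06-04T10:18:45 action=drop src=10.1.1.5 s_port=900 dst=198.51.100.13 d_port=51251 message="TCP packet out of state: First packet isn\'t SYN; tcp_flags: SYN-ACK"',
    'time=2007-06-04T10:20:00 action=accept src=198.51.100.11 s_port=51300 dst=10.1.1.5 d_port=900 message="Client authentication"',
    'time=2007-06-04T12:03:17 action=drop src=203.0.113.9 s_port=80 dst=10.2.2.21 d_port=41777 message="TCP packet out of state: First packet isn\'t SYN; tcp_flags: ACK"',
    'time=2007-06-04T14:02:00 action=drop src=10.1.1.5 s_port=900 dst=198.51.100.11 d_port=51390 message="TCP packet out of state: First packet isn\'t SYN; tcp_flags: RST-ACK"',
    'time=2007-06-04T14:03:30 action=drop src=10.1.1.5 s_port=900 dst=198.51.100.12 d_port=51391 message="TCP packet out of state: First packet isn\'t SYN; tcp_flags: SYN-ACK"',
]

# key=value pairs; a quoted value may contain spaces, colons and apostrophes.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Event:
    ts: datetime
    src: str
    s_port: int
    dst: str
    d_port: int
    tcp_flags: str


def parse_line(line: str) -> Event | None:
    """Return an Event for out-of-state drops, None for any other line."""
    f = {k: v.strip('"') for k, v in _KV.findall(line)}
    msg = f.get("message", "")
    if f.get("action") != "drop" or OOS_MARKER not in msg:
        return None
    flags = msg.rsplit("tcp_flags:", 1)[-1].strip() if "tcp_flags:" in msg else "?"
    return Event(datetime.fromisoformat(f["time"]), f["src"], int(f["s_port"]),
                 f["dst"], int(f["d_port"]), flags)


@dataclass
class Window:
    start: datetime
    end: datetime
    count: int = 0
    clients: set[str] = field(default_factory=set)   # dst addresses hit
    flags: dict[str, int] = field(default_factory=dict)

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def outage_windows(events, port=CLNTAUTH_PORT, gap=timedelta(minutes=5)):
    """Cluster drops whose *source* port is `port` (the firewall's replies to
    the clients) into windows; a silence longer than `gap` starts a new one."""
    windows: list[Window] = []
    for e in sorted((e for e in events if e.s_port == port), key=lambda e: e.ts):
        if not windows or e.ts - windows[-1].end > gap:
            windows.append(Window(start=e.ts, end=e.ts))
        w = windows[-1]
        w.end = e.ts
        w.count += 1
        w.clients.add(e.dst)
        w.flags[e.tcp_flags] = w.flags.get(e.tcp_flags, 0) + 1
    return windows


def triage(lines, **kw):
    """Parse raw log lines and return the outage windows for the chosen port."""
    events = [e for e in map(parse_line, lines) if e]
    return outage_windows(events, **kw)


if __name__ == "__main__":
    for w in triage(SAMPLE_LOG):
        print(f"{w.start:%H:%M:%S}-{w.end:%H:%M:%S} ({w.duration}) "
              f"{w.count} drops, {len(w.clients)} clients, flags={w.flags}")
```

The filter is on the source port because, as the post describes, the dropped packets are the firewall's own replies from port 900 towards the clients; run it with `port=80` to see that the HTTP drops are scattered singletons rather than episodes. The episode start and end times are what you would line up against the 12-hour authorization timeout and the cluster members' failover and sync logs to see whether anything else changed at the same moment.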
#2  2007-06-05  gfont96 (Member, joined 2005-08-24, 72 posts)
Re: TCP Packet out of state

Hi pnetcr,

I don't know if this is of any use but you could take a look at the following Solution ID: #sk11088 and disable the out-of-state checking for that particular port.

Cheers,

George
#3  2007-06-11  pnetcr (Junior Member, joined 2005-12-30, 14 posts)
Re: TCP Packet out of state

Worked a treat... Thanks.
#4  2007-08-06  tech123 (Member, joined 2007-08-05, 40 posts)
Re: TCP Packet out of state

Hi Pnetcr,

Does the solution hold good for a Provider-1 environment? I am facing this problem (TCP out of state; first packet isn't SYN) on my firewall, which is not in a cluster, IPSO 3.8. Could you please help on this.

Thank you
tech123