| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi, I'm having a problem on a Nokia IP330 running NG FP2. Basically I have web servers behind the firewall, which are being connected to via a proxy server on the other side of the internet. About 10 times a day I get dropped packets in the logs (HTTP) with the message 'th_flags 2 message_info SYN packet for established connection'. The proxy is Microsoft Proxy Server, and isn't caching this particular website, and has pretty much default options set for everything (I think it defaults to 15 minutes for HTTP sessions). The firewall also has the default timeout options set (10 minutes for HTTP). Can anyone shed any light as to why these packets are being dropped? Will decreasing the HTTP timeout on the firewall help? Thanks in advance. |
| |||
| Up please! We have the same issue (R55). We enabled sequence number checking in SmartDefense as proposed by the ckpt KB, and we reduced the tcp-end timer from 50 to 10 sec. Still getting these SYN packet for established connection !@#$ |
| |||
| Have you guys searched CHKP's SecureKnowledge database? There should be a technote that explains this is coming from SmartDefense and that you have to use dbedit to change the definition. If memory serves, what's happening is MS Proxy is behaving in a way that doesn't jibe with the connections table held for three-way handshakes on the firewall. You can either do a packet capture and try to file a bug report with MS or you can use the SK article to disable the SmartDefense check. My preference is both. Disable SmartDefense and replace with a real IDS solution AND use proxy products (like BlueCoat) that don't mess up transmissions like MS does. That's my two cents on this. |
| |||
| You're lucky with only 10; I see 1000s a day, all revolving around NCP. No help from Check Point yet.
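
Added example, not part of any post in this thread and not Check Point code: a simplified Python model of a stateful connection table, showing how the two timers mentioned above (the 10-minute HTTP session timeout and the tcp-end timer) decide whether a SYN that reuses a source port is dropped. The `ConnTable` class, the rule that any live entry blocks a new SYN, and the addresses are assumptions made for illustration.

```python
# Simplified model of a stateful firewall connection table (added example).
SYN_DROP = "drop: SYN packet for established connection"

class ConnTable:
    def __init__(self, session_timeout=600, tcp_end_timeout=50):
        self.session_timeout = session_timeout  # idle timeout of an open connection (s)
        self.tcp_end_timeout = tcp_end_timeout  # how long an entry lingers after FIN/RST (s)
        self.entries = {}                       # 5-tuple -> expiry time

    def packet(self, now, conn, flags):
        expiry = self.entries.get(conn)
        if expiry is not None and now >= expiry:
            del self.entries[conn]              # entry aged out of the table
            expiry = None
        if flags == "SYN":
            if expiry is not None:
                return SYN_DROP                 # assumption: any live entry blocks a new SYN
            self.entries[conn] = now + self.session_timeout
            return "accept"
        if expiry is None:
            return "drop: no matching connection"
        if flags in ("FIN", "RST"):
            self.entries[conn] = now + self.tcp_end_timeout
        else:
            self.entries[conn] = now + self.session_timeout  # traffic refreshes the entry
        return "accept"

# Constructed 5-tuple (documentation addresses): proxy -> web server, TCP/80
CONN = ("192.0.2.10", 40001, "198.51.100.20", 80, "tcp")

def reuse_after_close(tcp_end_timeout, gap):
    """Proxy closes cleanly, then reuses the same source port `gap` seconds later."""
    fw = ConnTable(tcp_end_timeout=tcp_end_timeout)
    fw.packet(0, CONN, "SYN")
    fw.packet(1, CONN, "ACK")
    fw.packet(5, CONN, "FIN")
    return fw.packet(5 + gap, CONN, "SYN")

def reuse_without_close(tcp_end_timeout, gap):
    """Firewall never sees a FIN/RST, but the proxy reuses the source port anyway."""
    fw = ConnTable(tcp_end_timeout=tcp_end_timeout)
    fw.packet(0, CONN, "SYN")
    fw.packet(1, CONN, "ACK")
    return fw.packet(1 + gap, CONN, "SYN")

if __name__ == "__main__":
    for tcp_end in (50, 10):
        print(tcp_end, reuse_after_close(tcp_end, 15), "|", reuse_without_close(tcp_end, 300))
```

In this model, shortening the tcp-end timer only helps when the firewall actually saw the connection close; a port reused inside the session timeout without a FIN or RST is still dropped.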