CPUG - The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.

Hello All,

We have a Sun Java Application Server version 8.1 using a JDBC connection to an Oracle database. The application server is in one DMZ, the database in another. I keep seeing in the logs the following error: 'TCP connection out of state, First Packet isn't a SYN : TCP Flags', then it gives me random TCP flags, sometimes ACK, sometimes PUSH, ACK etc. This keeps breaking the application and we have to restart the application server.

I have unchecked 'drop out of state TCP packets' and we'll see what happens. What sort of issue is it having it unchecked (performance? / security?) Can anyone tell me what might be happening with the communication and how I might troubleshoot it?

Manager is NGXR60 HFA03 Windows 2K, modules are NGXR60 HFA03 running on SPLAT in HA mode (active, passive).

Cheers all, have a good weekend,
George

Most likely the problem is related to the database opening connections, then not using them for over an hour (the default TCP service timeout). You can increase the timeout for certain services - check the Advanced button on the service definition. You could try putting it up to 2 hours.

Another thing to try is changing the tcp_keepalive_interval on the hosts, using ndd. (This assumes HP-UX or Solaris; there will be some similar way of changing it on other OSes.) Default keepalive interval is 2 hours, but Check Point's default timeout is 1 hour. If an OS has a session with no traffic for two hours, it sends a TCP keepalive packet. If it gets no response, it closes the session. If you set the keepalive interval to under an hour, then Check Point should register the session as still open, and reset the timer.

Thirdly, I have heard of some issues with the sqlnet service defined in Check Point. You might want to do some research into that; I think there are some things you can do with that. Have a look in SecureKnowledge.

Oh, and I meant to add that allowing out-of-state TCP packets is a massive security risk. If you're going to do that, why bother with using Check Point at all? Just install a Cisco router with basic access lists, and save yourself the license fee.

Think carefully through the implications of allowing out-of-state traffic - you've now disabled Check Point's vaunted "Stateful Inspection". What would happen if I was to send 25,000 ACKs through your firewall? It would allow them, and add them to your connection tables, filling it up. I could also use it for port scanning pretty trivially.

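The two replies above describe how the firewall's idle timer interacts with the hosts' keepalive interval, and what changes when "drop out of state TCP packets" is switched off. The following is an added illustration written for this thread, not Check Point code or anything from the original posts: a toy connection table with a configurable idle timeout, driven first by an idle JDBC session under different keepalive intervals, then by unsolicited ACKs in strict and permissive mode. The addresses, ports and timings are constructed; the 1 hour firewall timeout and 2 hour OS keepalive default are the values quoted in the thread.

```python
"""Toy model of a stateful firewall's TCP connection table.

Constructed example for this thread (not Check Point code). It shows
(a) why an idle JDBC connection is dropped when the OS keepalive interval
exceeds the firewall's TCP session timeout, and (b) why turning off the
out-of-state drop lets unsolicited packets create table entries.
"""

FW_TCP_TIMEOUT = 3600        # Check Point default TCP session timeout (seconds), as quoted in the thread
OS_KEEPALIVE_DEFAULT = 7200  # Solaris/HP-UX default keepalive interval (seconds), as quoted in the thread


class ConnTable:
    """Minimal stateful connection table: a flow key maps to the time of its last packet."""

    def __init__(self, timeout=FW_TCP_TIMEOUT, drop_out_of_state=True):
        self.timeout = timeout
        self.drop_out_of_state = drop_out_of_state
        self.entries = {}   # flow key -> time of last packet seen
        self.log = []       # messages the firewall would log

    def _expire(self, now):
        """Remove flows that have been idle for at least the timeout."""
        for key, last in list(self.entries.items()):
            if now - last >= self.timeout:
                del self.entries[key]

    def packet(self, now, key, flags):
        """Process one packet; return True if it is accepted.

        flags is a set of TCP flag names, e.g. {"SYN"} or {"PSH", "ACK"}.
        """
        self._expire(now)
        if key in self.entries:
            self.entries[key] = now   # any packet on a known flow resets its idle timer
            return True
        if "SYN" in flags and "ACK" not in flags:
            self.entries[key] = now   # a plain SYN opens a new flow
            return True
        # No state for this flow and the packet is not a session start.
        if self.drop_out_of_state:
            self.log.append(
                f"t={now}: TCP connection out of state, First Packet isn't a SYN: "
                f"TCP Flags {'+'.join(sorted(flags))}"
            )
            return False
        self.entries[key] = now   # permissive mode: the unsolicited packet gets an entry
        return True


def idle_connection_survives(idle_seconds, keepalive_interval, fw_timeout=FW_TCP_TIMEOUT):
    """Open a session at t=0, leave the application idle for idle_seconds while the
    client OS sends a keepalive ACK after every keepalive_interval seconds of silence,
    then send an application packet. Returns (accepted, firewall_log)."""
    fw = ConnTable(timeout=fw_timeout)
    key = ("10.0.1.5", 45123, "10.0.2.9", 1521)   # constructed: app server -> Oracle listener
    fw.packet(0, key, {"SYN"})
    fw.packet(0, key, {"ACK"})                     # handshake completes at t=0
    t = keepalive_interval
    while t < idle_seconds:                        # OS keepalives during the idle period
        fw.packet(t, key, {"ACK"})
        t += keepalive_interval
    accepted = fw.packet(idle_seconds, key, {"PSH", "ACK"})   # application resumes
    return accepted, fw.log


def table_growth_from_unsolicited_acks(count, drop_out_of_state):
    """Feed `count` ACKs that belong to no known flow; return (entries, dropped)."""
    fw = ConnTable(drop_out_of_state=drop_out_of_state)
    for i in range(count):
        key = ("198.51.100.7", 40000 + i, "10.0.2.9", 1521)   # constructed source
        fw.packet(1, key, {"ACK"})
    return len(fw.entries), len(fw.log)


if __name__ == "__main__":
    # Defaults from the thread: 1 h firewall timeout, 2 h OS keepalive -> dropped
    print(idle_connection_survives(5400, OS_KEEPALIVE_DEFAULT))
    # Keepalive under an hour -> timer keeps being reset, session survives
    print(idle_connection_survives(5400, 1800))
    # Alternatively raise the service timeout to 2 h, as the reply suggests
    print(idle_connection_survives(5400, OS_KEEPALIVE_DEFAULT, fw_timeout=7200))
    # Out-of-state drop on vs off
    print(table_growth_from_unsolicited_acks(25, True), table_growth_from_unsolicited_acks(25, False))
```

With the thread's defaults the application packet after 90 minutes of idleness is refused with exactly the "First Packet isn't a SYN" message, because the table entry expired at the one hour mark before any keepalive was sent. Either remedy from the reply (a sub-hour keepalive or a two hour service timeout) keeps the entry alive. The second function shows the cost of the workaround in the first post: with the drop disabled, every unsolicited ACK becomes a table entry instead of a log line.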
Thanks Northlandboy, I have since looked on the Sun website and found a document for the 'developers' showing them how to configure their boxes to allow them to function correctly via a firewall!

Cheers,
George