CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi,

Need some advice on the following error message: TCP sequence validator: dropped packet with invalid ACK number

Fast facts
Gateway: Nokia IP 440 IPSO 3.7 Build 031
Checkpoint: R55
Host A: AIX box
Host B: Unix box
Host C: Destination server

FW policy

| Source | Destination | TCP Port | Action |
|---|---|---|---|
| Host A | Host C | TCP 3140 | Accept (error message) |
| Host B | Host C | TCP 3140 | Accept (no error message) |

* Telnet from Host A via TCP 3140: no connection.
* Telnet from Host C via TCP 3140: connection is working fine.

Both Host A & Host B are sitting in the same IP segment (same switch). With all other parameters remaining constant (same destination, same TCP port), we cannot identify where it goes wrong. The fact is that using the same TCP port, one host is working but not the other. Could someone assist to advise what could be the issue and any workaround. Thank you.

Last edited by mel4fun : 2007-07-16 at 20:18.
Do you have IPSO Flows enabled on the Nokia? I see you are using IPSO 3.7 and Check Point R55, so the Nokia will be on IPSO Flows to accelerate traffic rather than SecureXL. If Flows is enabled then disable the feature, as it is not supported to have Flows and the sequence verifier enabled on the same box, or disable the sequence verifier.

I see that one is AIX and one is another flavour of UNIX. I have seen issues where different flavours of UNIX implement things differently. I have seen issues similar to this with FTP servers and clients as well.

Of course I presume that you realise that the hardware and the IPSO versions you are on have all been out of support for some time now.
Hi,

Thanks for the advice. Problem found, and a silly mistake. There is a static route on the Nokia for Host A, but pointing to the wrong interface. Instead of pointing inwards, it was pointing outwards to the external router. Therefore, when we initiate the TCP 3140 from Host A, the return TCP ACK from Host C never returns, thus the error. The TCP ACK is bouncing between the firewall external and router interface. Silly mistake, but glad that we resolved it.
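The two mechanisms in this thread, a stateful TCP sequence verifier refusing an ACK it cannot tie to segments it forwarded, and a static route that sends replies to a host out the wrong interface, can be shown together in a small model. The code below is an added example written for this page; it is not Check Point or Nokia code and does not reproduce how IPSO/R55 actually implements the verifier. The addresses, the port 40000 client side, the initial sequence numbers and the two routing tables are constructed for the demonstration; only TCP port 3140 and the drop message come from the thread. The asymmetric handshake is modelled generically as "the firewall never inspected the server's SYN-ACK", which is the usual way a routing error produces this class of drop; the exact packet path through the reporter's loop is not described in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addresses standing in for the thread's hosts (not the poster's real ones).
HOST_A = "10.1.1.10"      # AIX box, inside
HOST_B = "10.1.1.20"      # other UNIX box, same segment as Host A
HOST_C = "192.0.2.50"     # destination server, reached via the external interface
PORT = 3140               # the TCP port from the thread

DROP_MSG = "TCP sequence validator: dropped packet with invalid ACK number"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # subset of "SAFP"
    seq: int
    ack: int
    payload_len: int = 0


class SequenceValidator:
    """Toy model of a stateful firewall's TCP sequence verifier.

    Per connection it records the next sequence number each side will send,
    based only on segments it has itself forwarded, and accepts an ACK only if
    it acknowledges bytes the peer is known (to this firewall) to have sent.
    """
    WINDOW = 65535

    def __init__(self) -> None:
        self.conns: Dict[tuple, Dict[Tuple[str, int], Optional[int]]] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    def inspect(self, p: Packet) -> Tuple[str, str]:
        sender, peer = (p.src, p.sport), (p.dst, p.dport)
        if "S" in p.flags and "A" not in p.flags:
            # Initial SYN: create state; the peer's sequence space is unknown so far.
            self.conns[self._key(p)] = {sender: p.seq + 1, peer: None}
            return "accept", "new connection"
        conn = self.conns.get(self._key(p))
        if conn is None:
            return "drop", "no matching connection"
        if "A" in p.flags:
            peer_next = conn[peer]
            if peer_next is None or not (peer_next - self.WINDOW <= p.ack <= peer_next):
                return "drop", DROP_MSG
        advance = p.payload_len + ("S" in p.flags) + ("F" in p.flags)
        conn[sender] = max(conn[sender] or 0, p.seq + advance)
        return "accept", "ok"


@dataclass
class Route:
    prefix: str
    iface: str


def egress_iface(routes: List[Route], dst: str) -> str:
    """Longest-prefix-match forwarding lookup, as the firewall does for every packet."""
    best: Optional[Route] = None
    for r in routes:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best.iface if best else "none"


def reply_path_is_symmetric(routes: List[Route], host: str, ingress: str) -> bool:
    """Replies to `host` must leave on the interface `host`'s own packets arrived on;
    otherwise the firewall inspects only one direction (or bounces the reply back out)."""
    return egress_iface(routes, host) == ingress


def handshake(client: str, validator_sees_reply: bool) -> List[str]:
    """Run client -> HOST_C:3140 through the validator and return the verdict reasons.

    validator_sees_reply=False models the asymmetric case: the server's SYN-ACK
    took a path that did not pass this firewall's inspection.
    """
    fw = SequenceValidator()
    reasons = [fw.inspect(Packet(client, HOST_C, 40000, PORT, "S", 1000, 0))[1]]
    if validator_sees_reply:
        reasons.append(fw.inspect(Packet(HOST_C, client, PORT, 40000, "SA", 5000, 1001))[1])
    # The client's final ACK acknowledges the server's ISN+1, which the firewall
    # can only verify if it forwarded the SYN-ACK itself.
    reasons.append(fw.inspect(Packet(client, HOST_C, 40000, PORT, "A", 1001, 5001))[1])
    return reasons


# Constructed routing tables: the misconfigured one (host route for Host A points out
# the external interface, as in the thread) and the corrected one.
BROKEN_ROUTES = [Route("0.0.0.0/0", "ext"), Route("10.1.1.0/24", "int"), Route("10.1.1.10/32", "ext")]
FIXED_ROUTES = [Route("0.0.0.0/0", "ext"), Route("10.1.1.0/24", "int"), Route("10.1.1.10/32", "int")]

if __name__ == "__main__":
    for host, routes in ((HOST_A, BROKEN_ROUTES), (HOST_B, BROKEN_ROUTES), (HOST_A, FIXED_ROUTES)):
        sym = reply_path_is_symmetric(routes, host, "int")
        print(host, "reply leaves via", egress_iface(routes, host), "->", handshake(host, sym))
```

Running it shows Host A failing the reply-path check under the broken table (its /32 route wins the longest-prefix match and points out `ext`), Host B passing because only the /24 matches it, and Host A passing once the host route points inward; the validator drops the final ACK with the thread's message exactly in the case where it never forwarded the SYN-ACK. The same symmetry check is a cheap thing to run against a gateway's routing table whenever one host on a segment fails while its neighbours work.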