NGX R60 Upgrade --> TCP packet out of state



shaz86
2006-07-14, 10:32
We recently upgraded our management servers to NGX R60 running on SPLAT. Our firewalls still run FP3 on IPSO. 2 management stations are set up in an HA pair configuration. After upgrading we are getting a large number of log reports for dropped packets from one pair of firewalls, also set up as an HA pair.

th_flags: 12
message_info: TCP packet out of state
Source: Either one of the firewall management stations
Destination: The cluster IP of the firewalls
Service: Incrementing port numbers, the out of state packets started at port 10001 and they are now up to 38067

On the cluster properties dialog box in SmartDashboard for the firewalls with this problem:
Cluster Operating mode: High Availability
3rd Party Solution: Nokia VRRP
Use State Synchronization
Forward Clusters incoming traffic to cluster members IP Addresses

Any information on why this is happening, and why only one pair of firewalls managed by this station has been affected, would help a lot.

Thanks!

anwender140
2006-07-26, 07:14
Hello,

We have the same problem on our systems.

After the upgrade from NG-AI-R55p HFA08 to NGX-R60 HFA03 we have >200 out-of-state messages/sec for HTTP on the internal interface from our proxy server to different IPs.

A fast "fix" is to disable the logging of TCP state information. But this is not the reason.

Thanks for your help.

anwender140
2006-07-27, 09:02
Hello,

We have found our problem with too many "out of state" on HTTP (R60 NGX).

Disable:
web-intelligence->HTTP-Protocol Inspection-> ASCII Only Response Headers
web-intelligence->HTTP-Protocol Inspection-> ASCII Only Response Request

These settings also reduce the system load on our Nokia by about 40%.

Best regards

camel
2006-10-02, 11:59
Hi you guys,

Maybe you have a routing problem. If the FW cluster runs in "load sharing" and a request packet goes out through one of the nodes but the answer comes back in through the other one, the message could appear, I think. As I remember, I saw this sometimes.

Have a look at the multicast configuration on your switches/routers.

Regards
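
The asymmetric-path scenario camel describes, as an added example that is not part of the original thread: a simplified Python model of two cluster members, each with its own connection table, with and without state synchronization. The `Member` class, `sync` helper and sample addresses are constructed for illustration, and reading the logged `th_flags: 12` as hexadecimal (SYN+ACK) is an assumption.

```python
# Toy model (added example): two cluster members doing stateful TCP inspection.
# Flag values are the standard TCP header bits.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def decode_flags(value):
    """Return the names of the TCP flags set in a flags byte."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK)]
    return [n for n, bit in names if value & bit]

class Member:
    """One firewall node with its own connection table (hypothetical model)."""
    def __init__(self, name):
        self.name = name
        self.table = set()   # known connections, keyed independent of direction

    @staticmethod
    def key(src, sport, dst, dport):
        return frozenset([(src, sport), (dst, dport)])

    def inspect(self, src, sport, dst, dport, flags):
        k = self.key(src, sport, dst, dport)
        if flags == SYN:                 # a bare SYN opens a new connection
            self.table.add(k)
            return "accept"
        if k in self.table:              # packet belongs to a known connection
            return "accept"
        return "drop: TCP packet out of state"

def sync(a, b):
    """State synchronization: both members end up with the union of entries."""
    merged = a.table | b.table
    a.table, b.table = set(merged), set(merged)

def asymmetric_flow(synced):
    """SYN leaves via member A, the SYN+ACK reply returns via member B."""
    a, b = Member("A"), Member("B")
    # Constructed sample endpoints (documentation address ranges).
    client, server = ("192.0.2.10", 10001), ("198.51.100.5", 80)
    out = a.inspect(*client, *server, SYN)
    if synced:
        sync(a, b)
    back = b.inspect(*server, *client, SYN | ACK)
    return out, back

if __name__ == "__main__":
    print(decode_flags(0x12))
    print(asymmetric_flow(synced=False))
    print(asymmetric_flow(synced=True))
```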