
2005-08-13, 15:19
TCP Packet out of state / unknown established TCP packet
TCP packet out of state is the message you see in FireWall-1 NG. In FireWall-1 4.1, it is "unknown established TCP packet"


This error message indicates one of two things:

1. The SYN packet was received on firewall A and the SYN-ACK packet received on firewall B (A and B are in a highly available configuration). This is an asymmetric routing condition and isn't supported.
2. An ACK packet was received for a valid connection going through the firewall, but that connection has since timed out of the connections table. This could be a connection that has been open for a while, but had no activity for the TCP timeout value (1 hour by default), or a connection that began to establish itself (e.g. still in the 3-way handshake) but did not complete within the TCP start timeout.
You can tell FireWall-1 to allow these types of connections to re-establish themselves (i.e. revert to pre-4.1 SP2 behaviour) by unchecking the "Drop out of state TCP" option under the Global Properties, Stateful Inspection frame. You can do this in NG FP2 or later. You can also disable just the logging in this screen. In NG FP1, use dbedit to change the following property (it will be zero, you need to make it a one):

:fw_allow_out_of_state_tcp (1)

In 4.1, you can revert to the old behavior by adding the following to $FWDIR/lib/fwui_head.def:


You can disable logging of these packets in FireWall-1 4.1 base or 4.1 SP1 by commenting out the following line in $FWDIR/lib/fwui_head.def (place two forward slashes '//' in front of the line).


In FireWall-1 4.1 SP2 and later, you would comment out the following line in $FWDIR/lib/fwui_head.def:


On an IPSO platform, you will sometimes see these messages in an HA configuration with firewall flows enabled if you are running IPSO 3.3-3.4.1 with FireWall-1 4.1. Make sure you are running FireWall-1 4.1 SP5 hotfix and IPSO 3.4.1 or disable flows with the command ipsofwd slowpath. You should add this command to the end of $FWDIR/bin/fwstart to make the change permanent.

It has been reported that multiple objects that refer to the same IP address, even if not used in the rulebase, can cause this error to occur.

You will also see this error message if you have an asymmetric routing configuration, either by design or by accident.

-- RobertGraham - 06 Feb 2004
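As an added illustration of the two conditions described in the FAQ above (this is not code from the FAQ or from Check Point), the following toy connections table shows how a SYN-ACK arriving at the other HA member and an ACK arriving after the idle timeout both end up "out of state", and how the allow-out-of-state setting lets the second case re-establish. The addresses and the handshake timeout value are constructed for the demo.

```python
from dataclasses import dataclass, field

TCP_START_TIMEOUT = 25   # seconds to finish the 3-way handshake (constructed value)
TCP_TIMEOUT = 3600       # idle timeout for established connections (FAQ: 1 hour default)

@dataclass
class Tracker:  # toy connections table for one firewall node (added example, not Check Point code)
    allow_out_of_state: bool = False   # models fw_allow_out_of_state_tcp (0 = drop, 1 = allow)
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _expired(self, key, now):
        e = self.table.get(key)
        if e is None:
            return True
        limit = TCP_TIMEOUT if e["state"] == "ESTABLISHED" else TCP_START_TIMEOUT
        if now - e["last"] > limit:
            del self.table[key]            # aged out of the connections table
            return True
        return False

    def packet(self, src, dst, flags, now):
        key = frozenset((src, dst))        # one entry per pair; ports omitted for brevity
        if flags == "SYN":
            self.table[key] = {"state": "HANDSHAKE", "last": now}
            return "accept"
        if self._expired(key, now):        # SYN-ACK or ACK with no live entry
            self.log.append(f"t={now}: TCP packet out of state ({flags} {src}->{dst})")
            if self.allow_out_of_state and flags == "ACK":
                self.table[key] = {"state": "ESTABLISHED", "last": now}   # re-establish
                return "accept"
            return "drop"
        e = self.table[key]
        if flags == "ACK":
            e["state"] = "ESTABLISHED"
        e["last"] = now
        return "accept"

def demo():
    client, server = "10.0.0.5", "192.0.2.10"     # constructed addresses
    a, b = Tracker(), Tracker()                     # HA pair: SYN hits A, SYN-ACK hits B
    a.packet(client, server, "SYN", 0)
    asym = b.packet(server, client, "SYN-ACK", 1)
    fw = Tracker()                                  # single node, full handshake
    for flags, src, dst in [("SYN", client, server), ("SYN-ACK", server, client), ("ACK", client, server)]:
        fw.packet(src, dst, flags, 0)
    stale = fw.packet(client, server, "ACK", TCP_TIMEOUT + 1)   # idle longer than 1 hour
    fw.allow_out_of_state = True
    revived = fw.packet(client, server, "ACK", TCP_TIMEOUT + 2)
    return asym, stale, revived   # returns ("drop", "drop", "accept")
```

`demo()` returns the verdict for the asymmetric SYN-ACK, the stale ACK, and the stale ACK with the override enabled; the `log` list on each tracker holds the corresponding "out of state" entries.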

I have seen this a lot with our setup of ClusterXL also. I just unchecked the logging of these messages. But I am guessing the reason this would happen might be similar to the IPSO with HA reason?
I think this message comes when there is no space left in FireWall-1's state table for entering new connections. I have solved this problem by allowing the state table to record more connections.


The whole resynchronization stuff doesn't work if you use hide NAT mode. The reason is that when the connection is resynchronized the firewall creates a new stateful entry and a new NAT entry. A new NAT entry means a new source port, so the server you are trying to connect to will respond with RST as it gets in-session packets with a different source port.
-- MariuszWoloszyn - 20 Sep 2004
