FireWall-1 FAQ: TCP Packet Out Of State
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
TCP packet out of state is the message you see in FireWall-1 NG. In FireWall-1 4.1, it is “unknown established TCP packet”. This error message indicates one of two things:
- The SYN packet was received on firewall A and the SYN-ACK packet received on firewall B (A and B are in a highly available configuration). This is an asymmetric routing condition and isn’t supported.
- An ACK packet was received for a valid connection going through the firewall, but that connection has since timed out of the connections table. This could be a connection that had been open for a while but had no activity for longer than the TCP session timeout (1 hour by default), or a connection that began to establish itself (e.g. was still in the 3-way handshake) but did not complete within the TCP start timeout.
You can tell FireWall-1 to allow these types of connections to re-establish themselves (i.e. revert to the pre-4.1 SP2 behaviour) by unchecking the “Drop out of state TCP” option under Global Properties, Stateful Inspection frame. You can do this in NG FP2 or later. You can also disable just the logging in this screen. In NG FP1, use dbedit to change the following property (it defaults to 0; set it to 1):
:fw_allow_out_of_state_tcp (1)
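The two conditions listed above, and the effect of the “allow out of state” option, are easier to see in a small model of a connections table. The following is an added example written for this FAQ and is not Check Point code; it assumes a hypothetical start timeout of 25 seconds (the real default is whatever Global Properties says for your release) and uses constructed addresses. Each firewall keeps its own table, so a SYN-ACK arriving on a firewall that never saw the SYN, an ACK arriving after the session timeout, and an ACK arriving after the handshake has timed out all classify as out of state; with the allow flag set they are instead matched as if they were new connections.

```python
# Added example (not Check Point code): toy stateful connections table that
# reproduces the "TCP packet out of state" conditions described in the FAQ.
from dataclasses import dataclass, field

TCP_SESSION_TIMEOUT = 3600  # default TCP session timeout from the FAQ (1 hour)
TCP_START_TIMEOUT = 25      # assumed value for the handshake (start) timeout

HANDSHAKE = "handshake"
ESTABLISHED = "established"


@dataclass
class ConnTable:
    """Minimal model of one firewall's connections table."""
    allow_out_of_state: bool = False          # the "Drop out of state TCP" toggle, inverted
    conns: dict = field(default_factory=dict)  # key -> [state, last_seen]

    @staticmethod
    def _reverse(key):
        src, sport, dst, dport = key
        return (dst, dport, src, sport)

    def _expire(self, now):
        # Handshake entries live for the start timeout, established ones for the session timeout.
        for key in list(self.conns):
            state, last_seen = self.conns[key]
            limit = TCP_START_TIMEOUT if state == HANDSHAKE else TCP_SESSION_TIMEOUT
            if now - last_seen > limit:
                del self.conns[key]

    def handle(self, now, key, flags):
        """Classify one packet: 'accept', 'drop-out-of-state', or
        'accept-out-of-state' (the last only when allow_out_of_state is set)."""
        self._expire(now)
        flags = set(flags)
        if flags == {"SYN"}:
            # New connection; assume the rulebase accepts it.
            self.conns[key] = [HANDSHAKE, now]
            return "accept"
        for candidate in (key, self._reverse(key)):
            entry = self.conns.get(candidate)
            if entry is not None:
                if entry[0] == HANDSHAKE and flags == {"ACK"}:
                    entry[0] = ESTABLISHED  # third step of the handshake completed
                entry[1] = now
                return "accept"
        # Non-SYN packet with no table entry: this is the out-of-state case.
        if self.allow_out_of_state:
            self.conns[key] = [ESTABLISHED, now]  # rulebase match, pre-4.1 SP2 style
            return "accept-out-of-state"
        return "drop-out-of-state"


# Constructed sample flow (addresses are documentation ranges, not real hosts).
CLIENT_TO_SERVER = ("10.0.0.5", 40000, "192.0.2.10", 80)
SERVER_TO_CLIENT = ("192.0.2.10", 80, "10.0.0.5", 40000)


def asymmetric_routing():
    """SYN passes firewall A, SYN-ACK returns via firewall B."""
    fw_a, fw_b = ConnTable(), ConnTable()
    a = fw_a.handle(0, CLIENT_TO_SERVER, {"SYN"})
    b = fw_b.handle(1, SERVER_TO_CLIENT, {"SYN", "ACK"})
    return a, b


def idle_timeout(allow=False):
    """Full handshake, then an ACK after the session timeout has elapsed."""
    fw = ConnTable(allow_out_of_state=allow)
    fw.handle(0, CLIENT_TO_SERVER, {"SYN"})
    fw.handle(1, SERVER_TO_CLIENT, {"SYN", "ACK"})
    fw.handle(2, CLIENT_TO_SERVER, {"ACK"})
    return fw.handle(2 + TCP_SESSION_TIMEOUT + 1, CLIENT_TO_SERVER, {"ACK"})


def start_timeout():
    """Handshake that never completes within the start timeout."""
    fw = ConnTable()
    fw.handle(0, CLIENT_TO_SERVER, {"SYN"})
    fw.handle(1, SERVER_TO_CLIENT, {"SYN", "ACK"})
    return fw.handle(TCP_START_TIMEOUT + 2, CLIENT_TO_SERVER, {"ACK"})


if __name__ == "__main__":
    print("asymmetric:", asymmetric_routing())
    print("idle timeout:", idle_timeout(), "/ allowed:", idle_timeout(allow=True))
    print("start timeout:", start_timeout())
```

The model makes the trade-off visible: unchecking “Drop out of state TCP” stops the log noise and lets long-idle sessions resume, but it also means a bare ACK or SYN-ACK with no matching entry is accepted on a rulebase match alone, which is exactly the check the stateful option exists to enforce. Raising the session timeout, or fixing the asymmetric path, keeps the check in place.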
In 4.1, you can revert to the old behavior by adding the following to $FWDIR/lib/fwui_head.def:
#define ALLOW_NON_SYN_RULEBASE_MATCH
You can disable logging of these packets in FireWall-1 4.1 base or 4.1 SP1 by commenting out the following line in $FWDIR/lib/fwui_head.def (place two forward slashes ‘//’ in front of the line):
#define CLUSTER_RULEBASE_MATCH_LOG
In FireWall-1 4.1 SP2 and later, comment out the following line in $FWDIR/lib/fwui_head.def instead:
#define NON_SYN_RULEBASE_MATCH_LOG
On an IPSO platform, you will sometimes see these messages in an HA configuration with firewall flows enabled if you are running IPSO 3.3-3.4.1 with FireWall-1 4.1. Make sure you are running the FireWall-1 4.1 SP5 hotfix and IPSO 3.4.1, or disable flows with the command ipsofwd slowpath. Add this command to the end of $FWDIR/bin/fwstart to make the change permanent.
It has been reported that multiple objects that refer to the same IP address, even if not used in the rulebase, can cause this error to occur.
You will also see this error message if you have an asymmetric routing configuration, either by design or by accident.