This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FW dropping ACK, RST/ACK & FIN/ACK packets though packets are from valid sessions

Does the ASG function in this manner?

When the firewall receives a TCP RST for an existing session it immediately clears the session from the session table. This means there is no longer a valid session for the TCP RST/ACK to pass through. Hence, the firewall will treat the TCP RST/ACK as a non-SYN first packet and drop it.

Thanks,

Jim

This thread was automatically locked due to age.

Parents

0 BarryG over 15 years ago

Hi Bob,
Although both situations have the solution of adding a packetfilter rule, this wasn't really the same problem.

In this case, these are VALID http sessions, but Astaro's tcp connection tracker times out the session before the browser does, and when the browser tries to do another http request, it tries to 'renew' the same tcp connection, but Astaro's connection tracker already forgot about it, so Astaro logdrops the packet.
For me, this was causing Astaro's logs to fill up with over 300,000 entries per day!

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 15 years ago

Hi Bob,
Although both situations have the solution of adding a packetfilter rule, this wasn't really the same problem.

In this case, these are VALID http sessions, but Astaro's tcp connection tracker times out the session before the browser does, and when the browser tries to do another http request, it tries to 'renew' the same tcp connection, but Astaro's connection tracker already forgot about it, so Astaro logdrops the packet.
For me, this was causing Astaro's logs to fill up with over 300,000 entries per day!

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data