RE: [fw-wiz] Strange Pix behavior.

From: Paul Melson (pmelson_at_gmail.com)
Date: 06/16/05

  • Next message: Kerry Thompson: "RE: [fw-wiz] so much for "deny all""
    To: "'Jim MacLeod'" <jmacleod@gmail.com>
    Date: Thu, 16 Jun 2005 14:43:43 -0400
    
    

    > Hrm, that could explain why the other folks that have seen this problem
    > have fixed it with a code upgrade, if the PIX is purging the table entry
    > too soon.

    I've seen this behavior in several different products at several different
    code levels. I'm sure I've seen it on a single PIX 515E as recently as
    6.3(1). I've also seen it on Check Point R55, NetScreen ScreenOS 3.x (can't
    remember the exact dot-version), and iptables.

    > The problem could be caused on UDP traffic with a session timer set too
    > short. Come to think of it, that could also cause the TCP session errors.
    > This assumes that these protocols have periods of time when there's no
    > data being transferred. If the remote server is heavily loaded and not
    > sending responses quickly, could that do it?

    It could, but if it were a timeout issue, you'd expect to see it coming from
    TCP protocols that have longer connection lives such as FTP or SSH. HTTP
    is, for the most part, lots of connections in rapid succession transferring
    relatively small quantities of data. Plus, I personally have never observed
    this type of behavior involving UDP, only TCP.

    > Although your explanation makes sense, it doesn't explain why this
    > behavior is only observed on occasional firewalls, such as George's. It
    > definitely sounds like state mismatch, but I still think it's possible the
    > HA setup is part of the problem by causing delays in state table updating
    > at the beginning of the session.

    That could be a factor, though I don't think George specified whether or not
    the PIXes are actually synchronizing state tables, only that they were in a
    failover configuration. Also, as I mentioned before, I have observed this
    in a variety of firewalls, many of which were standalone systems.

    I fear that there is a much more likely and less technical explanation for
    why this behavior is not observed more often - most people don't read their
    log files, at least not in their raw entirety.

    PaulM

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
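One way to act on the point about reading raw logs, added here as an example and not code from the thread or from any of the posters: parse the PIX "Deny TCP (no connection)" syslog messages (id 106015, the message the PIX emits when it drops a non-SYN segment for which it holds no state table entry) and bucket them by service port and TCP flags. If the drops cluster on HTTP/HTTPS with mid-stream ACK/PSH flags rather than on long-lived protocols like FTP or SSH, that fits the state-mismatch reading of the thread better than a simple idle-timeout reading. The message format is assumed from PIX 6.x syslog output, the sample lines are constructed, and the short-lived/long-lived port sets follow the thread's own framing; the "lower port is the service port" rule is a heuristic.

```python
import re
from collections import Counter

# PIX syslog id 106015, "Deny TCP (no connection)": a non-SYN TCP segment was
# dropped because the firewall has no state table entry for the flow.
# Format assumed from PIX 6.x syslog output; the group names are this example's own.
DENY_NO_CONN = re.compile(
    r"%PIX-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample log, not taken from the thread. It mixes 106015 events with
# an unrelated 302001 "Built ... connection" line that the parser must skip.
SAMPLE_LOG = """\
Jun 16 14:43:01 fw1 %PIX-6-106015: Deny TCP (no connection) from 10.1.1.5/3421 to 192.0.2.10/80 flags PSH ACK on interface inside
Jun 16 14:43:02 fw1 %PIX-6-106015: Deny TCP (no connection) from 10.1.1.5/3422 to 192.0.2.10/80 flags ACK on interface inside
Jun 16 14:43:05 fw1 %PIX-6-106015: Deny TCP (no connection) from 192.0.2.10/80 to 10.1.1.5/3421 flags FIN ACK on interface outside
Jun 16 14:43:09 fw1 %PIX-6-106015: Deny TCP (no connection) from 10.1.1.7/4010 to 198.51.100.3/22 flags ACK on interface inside
Jun 16 14:43:11 fw1 %PIX-6-302001: Built outbound TCP connection 4211 for faddr 198.51.100.3/21 gaddr 192.0.2.1/1035 laddr 10.1.1.7/1035
Jun 16 14:43:40 fw1 %PIX-6-106015: Deny TCP (no connection) from 10.1.1.9/1050 to 192.0.2.10/443 flags PSH ACK on interface inside
"""

# Port sets follow the thread's framing: HTTP is many short connections,
# FTP/SSH/telnet sessions sit idle for long stretches.
SHORT_LIVED = {80, 443}
LONG_LIVED = {21, 22, 23}


def parse_no_connection_denies(text):
    """Return one dict per 106015 line; lines with other syslog ids are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_NO_CONN.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        e["flags"] = frozenset(e["flags"].split())
        events.append(e)
    return events


def service_port(e):
    """Heuristic: the well-known (server) port is the lower of the two, so a
    server-to-client reply segment (src port 80) is still attributed to 80."""
    return min(e["sport"], e["dport"])


def summarize(events):
    """Bucket the drops the way the thread's argument needs: by service port
    (HTTP vs long-lived protocols), by TCP flags (mid-stream ACK/PSH vs FIN
    teardown), and by interface."""
    by_port = Counter(service_port(e) for e in events)
    by_flags = Counter(" ".join(sorted(e["flags"])) for e in events)
    by_iface = Counter(e["iface"] for e in events)
    return {
        "total": len(events),
        "by_service_port": dict(by_port),
        "by_flags": dict(by_flags),
        "by_interface": dict(by_iface),
        "short_lived_drops": sum(n for p, n in by_port.items() if p in SHORT_LIVED),
        "long_lived_drops": sum(n for p, n in by_port.items() if p in LONG_LIVED),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_no_connection_denies(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample the drops land four-to-one on HTTP/HTTPS versus SSH, and most carry ACK or PSH ACK rather than FIN, which is the pattern the reply above describes. Run it against a real syslog export (`python3 pix_noconn.py < pix.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and note that one day of 106015 lines is usually enough to see whether the symptom is there at all.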

