Error in Log Viewer: "th_flags ## message_info TCP packet out of state" (NG)
This error was reported after a new install of NG FP1 on a Nokia appliance. Immediate symptoms were a slow network and a log full of "Error in Log Viewer: th_flags 10 message_info TCP packet out of state" and "Error in Log Viewer: th_flags 11 message_info TCP packet out of state" entries. (th_flags is the TCP flags byte in hex: 10 is a bare ACK and 11 is FIN+ACK, i.e. packets from the middle or the end of a connection the firewall holds no state for.)
The cause was later found to be a badly configured switch port (speed/duplex mismatch), which was losing frames. Check the interface error counters on the appliance and on the switch before changing any of the firewall settings below.
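The flag values in those messages are worth decoding before touching any setting. The following is an added example (not code from the original page or from Check Point) that decodes th_flags and aggregates the out-of-state drops by flag set and by source/destination/service; it assumes a constructed, simplified "key: value;" log line format whose field names (Date, Action, Rule, Src, Dst, Service, th_flags, message_info) are this example's own, so adapt parse_line() to the format your log export actually produces.

```python
"""Decode th_flags and aggregate "TCP packet out of state" drops (added example)."""
import re
from collections import Counter

# TCP flag bits as they appear in th_flags (the TCP header flags byte, in hex).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Constructed sample log lines; the "key: value;" layout is an assumption of
# this example, not the real export format.
SAMPLE_LOG = """\
Date: 24Jun2002 09:01:02; Action: drop; Rule: 0; Src: 10.1.1.5; Dst: 10.2.2.9; Service: telnet; th_flags: 10; message_info: TCP packet out of state;
Date: 24Jun2002 09:01:03; Action: drop; Rule: 0; Src: 10.1.1.5; Dst: 10.2.2.9; Service: telnet; th_flags: 18; message_info: TCP packet out of state;
Date: 24Jun2002 09:01:05; Action: drop; Rule: 0; Src: 10.2.2.9; Dst: 10.1.1.5; Service: telnet; th_flags: 11; message_info: TCP packet out of state;
Date: 24Jun2002 09:01:06; Action: accept; Rule: 3; Src: 10.1.1.7; Dst: 10.2.2.9; Service: http; th_flags: 02;
Date: 24Jun2002 09:01:07; Action: drop; Rule: 0; Src: 192.0.2.44; Dst: 10.2.2.9; Service: http; th_flags: 10; message_info: TCP packet out of state;
"""

FIELD_RE = re.compile(r"\s*([A-Za-z_]+):\s*([^;]*);")


def decode_th_flags(hex_flags):
    """Turn a th_flags value such as '11' into 'FIN+ACK'."""
    value = int(hex_flags, 16)
    names = [name for bit, name in TCP_FLAGS if value & bit]
    return "+".join(names) if names else "none"


def parse_line(line):
    """Split one 'key: value;' log line into a dict (assumed format)."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def summarize(log_text):
    """Count out-of-state drops by decoded flag set and by (src, dst, service)."""
    by_flags, by_pair = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("message_info") != "TCP packet out of state":
            continue  # accepts and other drops are not our concern here
        by_flags[decode_th_flags(rec["th_flags"])] += 1
        by_pair[(rec["Src"], rec["Dst"], rec["Service"])] += 1
    return by_flags, by_pair


if __name__ == "__main__":
    flags, pairs = summarize(SAMPLE_LOG)
    for combo, n in flags.most_common():
        print(f"{n:4}  {combo}")
    for (src, dst, svc), n in pairs.most_common():
        print(f"{n:4}  {src} -> {dst} ({svc})")
```

A run of bare ACK or PSH+ACK drops for one src/dst pair means the firewall is seeing mid-stream traffic for a connection it never recorded (a lost handshake or an expired entry, causes 1 to 3 below), whereas isolated FIN+ACK drops are typically just the close of a connection whose idle entry had already aged out.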
Other possible causes/fixes:
What to do when receiving errors in Log Viewer: "th_flags ## message_info TCP packet out of state"
Symptoms: Error in Log Viewer: "th_flags ## message_info TCP packet out of state", together with drop logs on rule 0 (drops made by the inspection engine itself rather than by an explicit rule).
Cause: This error means that VPN-1/FireWall-1 intercepted a non-SYN packet which has no entry in the FireWall's connections table. Since a legitimate connection always starts with a SYN that creates such an entry, FireWall-1 drops the packet.
This error is the NG equivalent of the VPN-1/FireWall-1 4.1 message "Unknown established TCP packet". In VPN-1/FireWall-1 NG the mechanism has been tightened, so the log may show more drops on rule 0 than were seen in FireWall-1 4.1. The error can be the result of several possible causes:
1. Dropping packets belonging to expired connections: the entry was removed when the service's idle timeout ran out, so later packets of the same connection arrive without state. Increasing the timeout of the related service can improve the situation.
2. Dropping packets after a policy unload and load. Connections established while no policy was loaded have no entry in the connections table, so their subsequent packets cannot be matched to an established connection.
3. Asymmetric routing, where all the TCP handshake packets took a path that bypassed the FireWall, which therefore only sees the connection mid-stream.
4. Direction enforcement for unidirectional connections, where packets flow in the opposite direction to the connection direction.
5. TCP handshake direction enforcement, where some of the TCP handshake packets are in the wrong direction.
Solution: To allow non-SYN packets which have no state information in the connections table to be matched against the Rule Base instead of being dropped on rule 0. Note that this weakens stateful inspection globally: any ACK-flagged packet that a rule permits will then pass, handshake or not, so treat it as a workaround while the underlying timeout, routing, duplex or direction problem is fixed.
On FireWall-1 NG FP1 and above
========================
Using dbedit, change the following property in objects_5_0.C from "0" to "1", then install the policy so the gateway picks it up:
:fw_allow_out_of_state_tcp (0)
On FireWall-1 NG HF2 (Hotfix-2)
========================
UNIX
--------
1. Stop the FireWall (fwstop).
2. Perform the following platform-dependent change:
Solaris:
Add the following line to the /etc/system file:
set fw:fw_allow_out_of_state_tcp = 1
Linux:
Add the module parameter to the insmod line in the $FWDIR/bin/fwstart script (no spaces around the "="; insmod treats each name=value as a single argument). The change should look like this:
BEFORE -
... insmod $smp_prefix -f $fwmod kver=$kver ...
AFTER -
... insmod $smp_prefix -f $fwmod kver=$kver fw_allow_out_of_state_tcp=1 ...
3. Reboot the machine.
Windows NT / 2000
-----------------------------
1. Add a DWORD value named AllowOutOfStateTCP, set to 1, under the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters
2. Reboot the machine.
NOTE: If one wishes only to keep these entries out of the Log Viewer, proceed as follows. The packets are still dropped; only the logging is suppressed, so do this only once the drops are understood, since it removes the evidence of the problem.
UNIX
--------
1. Stop the FireWall (fwstop).
2. Perform the following platform-dependent change:
Solaris:
Add the following line to the /etc/system file:
set fw:fw_log_out_of_state_tcp = 0
Linux:
Add the module parameter to the insmod line in the $FWDIR/bin/fwstart script (no spaces around the "="). The change should look like this:
BEFORE -
... insmod $smp_prefix -f $fwmod kver=$kver ...
AFTER -
... insmod $smp_prefix -f $fwmod kver=$kver fw_log_out_of_state_tcp=0 ...
3. Reboot the machine.
Windows NT / 2000
-----------------------------
1. Add a DWORD value named DisableLogOutOfStateTCP, set to 1, under the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters
2. Reboot the machine.
How to allow specific TCP services to be established in the connections table without enforcing the 'Out of State' mechanism
In FireWall-1 NG FP2 it is possible to write a special INSPECT function that allows chosen types of TCP connections (Services) to be established in the connections table without enforcing the 'Out of State' check. Disabling the mechanism for a specific Service means that non-SYN packets to that Service which do not belong to an established connection in the FireWall's connections table are not dropped but matched against the Rule Base; if a rule accepts them, an entry is created and the connection is tracked normally from then on. This is narrower than the global fw_allow_out_of_state_tcp setting above, since every other service keeps full state checking.
For example, if you want the telnet service to be exempt from TCP state checking (for connection establishment only!), edit $FWDIR/lib/user.def on the FireWall-1 management station as follows:
1. Add the deffunc line inside the include guard, so the file looks like this:
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
deffunc user_accept_non_syn() { dport = 23 }
#endif /* __user_def__ */
2. Save the changes.
3. Install the policy.
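The five causes listed earlier, the two global switches (fw_allow_out_of_state_tcp and fw_log_out_of_state_tcp) and the per-service user_accept_non_syn() exemption all act on the same mechanism, so here they are run through one model. This is an added example, not code from the original page or from Check Point: the Firewall class, its connections table keyed by 4-tuple, the constructed rulebase (telnet and http to 10.2.2.9) and the timing values are this example's own simplification of the behaviour the text describes, and it does not model the direction-enforcement causes (4 and 5).

```python
"""Model of FireWall-1's TCP "out of state" check (added example; see lead-in)."""
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # TCP flag bits (th_flags)


@dataclass
class Packet:
    t: int        # arrival time in seconds (constructed clock)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class Firewall:
    """Simplified connections table plus the three knobs discussed in the text."""

    def __init__(self, timeout=3600, allow_out_of_state=False,
                 accept_non_syn_ports=(), log_out_of_state=True):
        self.timeout = timeout                                  # service idle timeout
        self.allow_out_of_state = allow_out_of_state            # fw_allow_out_of_state_tcp
        self.accept_non_syn_ports = set(accept_non_syn_ports)   # user_accept_non_syn(): dport = ...
        self.log_out_of_state = log_out_of_state                # fw_log_out_of_state_tcp
        self.conns = {}   # (src, sport, dst, dport) -> time of last packet
        self.log = []

    def unload_policy(self):
        """Cause 2: in this model an unload/load empties the connections table."""
        self.conns.clear()

    def rulebase(self, pkt):
        """Constructed rulebase: permit telnet and http to 10.2.2.9, drop the rest."""
        return pkt.dst == "10.2.2.9" and pkt.dport in (23, 80)

    def handle(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # cause 1: idle entries age out of the table
        for k in [k for k, last in self.conns.items() if pkt.t - last > self.timeout]:
            del self.conns[k]
        for entry in (key, rev):
            if entry in self.conns:             # known connection: refresh and pass
                self.conns[entry] = pkt.t
                return "accept"
        if pkt.flags & SYN and not pkt.flags & ACK:
            # a fresh SYN: the rulebase decides, and an accept creates the entry
            if self.rulebase(pkt):
                self.conns[key] = pkt.t
                return "accept"
            return "drop"
        # non-SYN packet with no entry: the out-of-state case from the text
        if self.allow_out_of_state or pkt.dport in self.accept_non_syn_ports:
            if self.rulebase(pkt):
                self.conns[key] = pkt.t         # established without a handshake
                return "accept"
            return "drop"
        if self.log_out_of_state:
            self.log.append(f"th_flags {pkt.flags:02x} message_info TCP packet out of state")
        return "drop (rule 0)"


def demo():
    """Run the causes and fixes from the text through the model; returns verdicts."""
    c, s, h = ("10.1.1.5", 3456), ("10.2.2.9", 23), ("10.2.2.9", 80)

    def pkt(t, a, b, flags):
        return Packet(t, a[0], a[1], b[0], b[1], flags)

    r = {}
    fw = Firewall()                              # cause 3: handshake bypassed the firewall
    r["missed_handshake"] = fw.handle(pkt(0, c, s, ACK))
    r["missed_handshake_log"] = fw.log[-1]

    fw = Firewall(accept_non_syn_ports=(23,))    # user.def exemption for dport 23 only
    r["exempt_telnet"] = fw.handle(pkt(0, c, s, ACK))
    r["exempt_not_http"] = fw.handle(pkt(0, c, h, ACK))

    for name, timeout in (("expired", 3600), ("not_expired", 7200)):   # cause 1
        fw = Firewall(timeout=timeout)
        for p in (pkt(0, c, s, SYN), pkt(1, s, c, SYN | ACK), pkt(2, c, s, ACK)):
            fw.handle(p)
        r[name] = fw.handle(pkt(5000, c, s, PSH | ACK))   # 4998 s idle

    for name, allow in (("after_reload", False), ("after_reload_allowed", True)):  # cause 2
        fw = Firewall(allow_out_of_state=allow)
        fw.handle(pkt(0, c, s, SYN))
        fw.unload_policy()
        r[name] = fw.handle(pkt(5, c, s, ACK))
    r["allowed_but_no_rule"] = fw.handle(pkt(6, c, ("10.2.2.9", 25), ACK))

    fw = Firewall(log_out_of_state=False)        # fw_log_out_of_state_tcp = 0
    r["silent"] = (fw.handle(pkt(0, c, s, ACK)), len(fw.log))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

The two fixes differ in scope: the global switch lets every non-SYN packet reach the rulebase (the "allowed_but_no_rule" case shows that the rulebase still applies), while the user.def exemption only covers packets whose destination port is the exempted service, which is why the http packet is still dropped on rule 0.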
Jim Parker
24/JUNE/02