TCP sequence Validator dropped packet with invalid ACK number

Error in Log Viewer: "TCP sequence Validator dropped packet with invalid ACK number" - Connection blocked by the FireWall

In FireWall-1 NG FP1 and FireWall-1 NG FP2 it is possible to validate connections according to TCP sequence numbers. FireWall-1 checks each TCP packet to see if it carries the sequence and acknowledgement numbers expected for that connection. The check breaks under asymmetric routing, in which packets coming from the client pass through the FireWall but packets returning from the server do not go through the FireWall:

1. The client initiates the connection with a Syn packet (through the FireWall)

2. The server replies with a Syn-Ack (not through the FireWall)

3. The client replies with an Ack packet. The FireWall drops this packet because the TCP Sequence Validator still expects a Syn-Ack packet for this connection; the validation is done according to the sequence number, and the FireWall never saw the server's sequence number that the client's Ack acknowledges.
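The following is an added example, not Check Point code, that models the three-way handshake through a minimal stateful sequence verifier so the drop in step 3 can be reproduced. The connection-table layout, state names, endpoint addresses and initial sequence numbers are constructed for the illustration; only the drop reason string comes from the log message above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Reason string taken from the Log Viewer message quoted above.
DROP_REASON = "TCP sequence Validator dropped packet with invalid ACK number"


@dataclass(frozen=True)
class Packet:
    src: str    # "ip:port" of the sender (constructed sample addresses below)
    dst: str    # "ip:port" of the receiver
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    seq: int
    ack: int = 0


@dataclass
class FlowState:
    state: str                        # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    client_isn: int                   # client's initial sequence number
    server_isn: Optional[int] = None  # unknown until a SYN-ACK is inspected


def flow_key(pkt: Packet) -> Tuple[str, ...]:
    # Both directions of a connection map to the same table entry.
    return tuple(sorted((pkt.src, pkt.dst)))


class SequenceVerifier:
    """Hypothetical model of a firewall that tracks each TCP flow and, when
    enabled, requires the ACK number to acknowledge a sequence number it saw."""

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled
        self.flows: Dict[Tuple[str, ...], FlowState] = {}

    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is 'accept' or 'drop'."""
        key = flow_key(pkt)
        if pkt.flags == "S":
            self.flows[key] = FlowState("SYN_SENT", client_isn=pkt.seq)
            return ("accept", "new connection")
        flow = self.flows.get(key)
        if flow is None:
            return ("drop", "no connection entry")
        if pkt.flags == "SA":
            if pkt.ack != flow.client_isn + 1:
                return ("drop", DROP_REASON)
            flow.server_isn = pkt.seq      # the only place the server ISN is learned
            flow.state = "SYN_RECEIVED"
            return ("accept", "handshake reply")
        if pkt.flags == "A":
            if not self.enabled:
                return ("accept", "sequence check disabled")
            # With the verifier on, the ACK must acknowledge the SYN-ACK we saw.
            if flow.state == "SYN_RECEIVED" and pkt.ack == flow.server_isn + 1:
                flow.state = "ESTABLISHED"
                return ("accept", "handshake complete")
            return ("drop", DROP_REASON)
        return ("drop", "unsupported flags")


def simulate_handshake(asymmetric: bool, verifier_enabled: bool) -> List[Tuple[str, str, str]]:
    """Replay SYN, SYN-ACK, ACK through the verifier. When asymmetric is True
    the SYN-ACK bypasses the firewall, as in the scenario described above."""
    fw = SequenceVerifier(enabled=verifier_enabled)
    client, server = "10.0.0.5:40000", "192.0.2.10:80"   # constructed endpoints
    syn = Packet(client, server, "S", seq=1000)
    syn_ack = Packet(server, client, "SA", seq=5000, ack=1001)
    ack = Packet(client, server, "A", seq=1001, ack=5001)
    results: List[Tuple[str, str, str]] = []
    for pkt in (syn, syn_ack, ack):
        if asymmetric and pkt.flags == "SA":
            results.append((pkt.flags, "bypass", "not routed through the firewall"))
            continue
        verdict, reason = fw.inspect(pkt)
        results.append((pkt.flags, verdict, reason))
    return results


if __name__ == "__main__":
    for asym, enabled in ((False, True), (True, True), (True, False)):
        print(f"asymmetric={asym} verifier={enabled}")
        for flags, verdict, reason in simulate_handshake(asym, enabled):
            print(f"  {flags:<2} {verdict:<6} {reason}")
```

Running the script shows the three cases side by side: with symmetric routing every packet is accepted; with asymmetric routing and the verifier on, the client's ACK is dropped with the quoted reason because the table entry never learned the server's sequence number; with the verifier off, the ACK is matched to the existing connection entry and passes. The practical choices are therefore to route the return traffic through the same FireWall or to leave the verifier disabled on that path.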

To enable TCP Sequence Validator on NG FP2, check 'Drop out of sequence packets' under TCP Sequence Verifier in the Stateful Inspection tab of the Global Properties.

To enable TCP Sequence Validator on NG FP1: using dbedit, set the following property to "true" in objects_5_0.C: :fw_tcp_seq_verify

ADDED 23/FEB/03
