Before Smart Connection Reuse was added to the Check Point software package, any SYN that arrived at the firewall and matched an existing connection (same source/destination IP and port) would be dropped and a "SYN on Established Connection" log message would be created. This feature prevents such new connections from being unnecessarily dropped.

What else do I need to know?

This feature can be useful, but certain setups and situations can cause it not to function as designed, such as:
- The server is not responding to the ACK with a RST, which would tell the firewall that this is a new connection and allow it to pass the SYN.
- The server's RST response to the SYN isn't reaching the firewall.
- The server/client is not correctly closing down the connection, causing the connection state information on the firewall to remain.
- Another firewall is blocking the ACK or RST.

Solution

You may find you have a scenario which fits one of the above points: ACK packets are leaving the firewall and no response is being given, in which case the initial 3-way handshake is failing.
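The symptom described above (the client keeps retransmitting its SYN and nothing ever comes back through the firewall) can be picked out of a capture mechanically. The following is an added example, not code from the original post or from Check Point: it parses lines in the classic tcpdump layout the post uses (`HH:MM:SS.usec [I|O] src.port > dst.port: FLAGS ...`), groups packets by the client SYN that opened them, and labels each flow as established (SYN-ACK seen), reset (server answered with RST, so the firewall can clear its stale entry) or no-response (SYN retransmitted with nothing back). The sample capture lines are constructed for the example; the regex and verdict names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Matches the classic tcpdump line layout shown in the post:
# HH:MM:SS.usec [I|O] src.port > dst.port: FLAGS seq:seq(len) [ack N] win ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:[IO]\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRPF.]+)\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one capture line into a small dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": (d["src"], int(d["sport"])),
        "dst": (d["dst"], int(d["dport"])),
        "syn": "S" in d["flags"],
        "rst": "R" in d["flags"],
        # Old-style tcpdump prints the ACK flag as "ack <number>" after the sequence
        # numbers; "sackOK" in the options does not match because of the word boundary.
        "ack": re.search(r"\back \d+", d["rest"]) is not None,
    }


def classify_flows(lines):
    """Group packets by the client SYN that opened them and judge each handshake.

    Returns {"client_ip:port -> server_ip:port": verdict}, where verdict is one of
    "no-response" (SYN retransmitted, nothing back), "reset" (server answered with RST),
    "established" (SYN-ACK seen) or "incomplete" (assumed verdict names for this example).
    """
    flows = defaultdict(lambda: {"client_syns": 0, "synack": False, "rst": False, "reverse": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["syn"] and not p["ack"]:
            # A bare SYN defines the flow key: (client, server).
            flows[(p["src"], p["dst"])]["client_syns"] += 1
            continue
        key = (p["dst"], p["src"])  # reverse direction: server -> client
        if key in flows:
            f = flows[key]
            f["reverse"] += 1
            f["synack"] |= p["syn"] and p["ack"]
            f["rst"] |= p["rst"]
        # Client-side ACK/data packets map to a key that was never created; they say
        # nothing about the server's answer, so they are ignored.
    result = {}
    for (client, server), f in flows.items():
        name = f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}"
        if f["synack"]:
            result[name] = "established"
        elif f["rst"]:
            result[name] = "reset"
        elif f["client_syns"] >= 2 and f["reverse"] == 0:
            result[name] = "no-response"
        else:
            result[name] = "incomplete"
    return result


# Constructed sample capture (not taken from the post): one client retransmitting its SYN
# with nothing coming back, one normal handshake, and one connection reset by the server.
SAMPLE_LINES = [
    "15:32:19.546115 I 10.1.1.1.12345 > 192.168.1.1.1111: S 2292544025:2292544025(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK> (DF)",
    "15:32:22.924625 I 10.1.1.1.12345 > 192.168.1.1.1111: S 2292544025:2292544025(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK> (DF)",
    "15:32:29.680011 I 10.1.1.1.12345 > 192.168.1.1.1111: S 2292544025:2292544025(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK> (DF)",
    "15:33:01.000000 I 10.1.1.2.23456 > 192.168.1.1.1111: S 100:100(0) win 49640 <mss 1460> (DF)",
    "15:33:01.001000 O 192.168.1.1.1111 > 10.1.1.2.23456: S 500:500(0) ack 101 win 5840 <mss 1460> (DF)",
    "15:33:01.002000 I 10.1.1.2.23456 > 192.168.1.1.1111: . ack 501 win 49640 (DF)",
    "15:33:05.000000 I 10.1.1.3.34567 > 192.168.1.1.1111: S 200:200(0) win 49640 <mss 1460> (DF)",
    "15:33:05.001000 O 192.168.1.1.1111 > 10.1.1.3.34567: R 0:0(0) ack 201 win 0",
]

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE_LINES).items():
        print(f"{verdict:12s} {flow}")
```

A flow reported as no-response is the case the post's Solution section is about: the SYN left the client, the firewall converted it (or dropped it) because of the stale state entry, and no RST or SYN-ACK ever came back to clear that state. A flow reported as reset is the healthy variant of the same situation, where the server's RST reaches the firewall and the next SYN is allowed through.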
To allow the firewall to pass a SYN through an established connection, the following kernel global setting should be applied.
Temporarily

To set the option temporarily (does not survive a reboot), apply the following kernel setting:
1. fw ctl set int fw_reuse_established_conn [port_number]

IPSO

1. modzap fw_reuse_established_conn $FWDIR/boot/modules/fwmod.o [port_number]
2. Then reboot.

SPLAT

1. Add the line fw_reuse_established_conn=[port_number] to the file $FWDIR/boot/modules/fwkern.conf
2. Then reboot.

Further details on changing kernel global parameters can be found in sk26202 (Changing the kernel global parameters on all platforms).

References

- sk33285 – Kernel Global Parameters
- sk39455 – Why does the firewall change certain SYN packets to ACK packets?
- sk24960 – VPN-1/FireWall-1 NG with AI R54 modifies some SYN packets, and changes them to ACK
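The two forms of the change above (the non-persistent `fw ctl set int` command and the persistent `name=value` line in `$FWDIR/boot/modules/fwkern.conf` for SPLAT) are easy to get subtly wrong by hand: an out-of-range port, or a second `fw_reuse_established_conn=` line appended under an old one. The following is an added example, not code from the post or from Check Point, that builds the temporary command string and rewrites a fwkern.conf line set idempotently, keeping unrelated lines untouched. The port-range check and the function names are this example's own assumptions; it does not run `fw ctl` itself, and the reboot the post calls for is still required after the file edit.

```python
import re
from pathlib import Path

PARAM = "fw_reuse_established_conn"
# Accepts "name=value" with optional whitespace around "=" (assumed tolerant matching).
_ASSIGN_RE = re.compile(rf"^\s*{PARAM}\s*=")


def validate_port(port):
    """The parameter takes a TCP port number; reject anything outside 1-65535."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def temporary_command(port):
    """Non-persistent form from the post (lost at reboot): fw ctl set int <param> <port>."""
    return f"fw ctl set int {PARAM} {validate_port(port)}"


def update_fwkern_lines(lines, port):
    """Return fwkern.conf lines containing exactly one '<param>=<port>' entry.

    An existing entry is rewritten in place, duplicate entries are dropped, every other
    line is kept as-is, and a missing entry is appended at the end.
    """
    new_line = f"{PARAM}={validate_port(port)}"
    out, seen = [], False
    for line in lines:
        if _ASSIGN_RE.match(line):
            if not seen:
                out.append(new_line)
                seen = True
            continue  # drop any further definitions of the same parameter
        out.append(line)
    if not seen:
        out.append(new_line)
    return out


def set_fwkern_param(conf_path, port):
    """SPLAT method: edit the fwkern.conf file on disk and return the resulting lines."""
    path = Path(conf_path)
    lines = path.read_text().splitlines() if path.exists() else []
    out = update_fwkern_lines(lines, port)
    path.write_text("\n".join(out) + "\n")
    return out


if __name__ == "__main__":
    # Demonstration on constructed file contents; nothing on disk is touched here.
    existing = ["some_other_param=1", f"{PARAM}=80", f"{PARAM} = 81"]
    print("temporary :", temporary_command(1111))
    print("persistent:", update_fwkern_lines(existing, 1111))
```

Running `set_fwkern_param("$FWDIR/boot/modules/fwkern.conf", port)` on the gateway (with `$FWDIR` expanded by the caller) performs the SPLAT step from the post; verifying the result afterwards with the platform's own tooling and rebooting remains a manual step.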