TOPIC: NOKIA Firewall Block URL redirect

NOKIA Firewall Block URL redirect 7 years 2 months ago #32275

  • Dove
Hi

I am using the NOKIA firewall which is facing the internet. Behind that I have a Cisco CSM, and it is configured for website redirect as below:

serverfarm HTTP_REDIRECT
 nat server
 no nat client
 redirect-vserver HTTP_REDIR
  webhost relocation www.mywebsite2.com 301
  inservice

vserver WEB-RD
 virtual 192.168.1.10 tcp www
 serverfarm HTTP_REDIRECT
 persistent rebalance
 inservice

Also, I have the NOKIA rule saying anything from the internet to 192.168.1.10 (NATed with a public IP in NOKIA) on HTTP and HTTPS ports is permitted.

The above setup works fine, but after 2 to 3 successful redirects I get a deny log on NOKIA saying "tcp packet out of state first packet isn't syn tcp_flags syn-ack"

And after some time (in a few seconds) it starts working again. Hope someone has faced the same issue. Please can you help me fix this.

Please let me know if you need any further clarification on this to understand my issue.

Thanks
Mahendra

Dove

Re: NOKIA Firewall Block URL redirect 7 years 2 months ago #32277

  • Ranger24
hi Dove,

Got the model number?

BTW Nokia Firewalls are now owned by Checkpoint. Might be worth a look around their site.

R

Patience - the last reserve of the any engineer

Re: NOKIA Firewall Block URL redirect 7 years 2 months ago #32278

  • Dove
Hi Ranger24

Thanks for your reply. I don't think it is related to NOKIA / Checkpoint. Though it is being blocked in NOKIA, I suspect it is something related to the TCP handshake. I am not sure how to fix this.

Any inputs on this issue would help me a lot to narrow down the issue.

Thanks
Mahendra

Dove

Re: NOKIA Firewall Block URL redirect 7 years 2 months ago #32279

  • Ranger24
I'd consider tracing packets until you capture an example of a dropped packet.

If we consider the handshake is as follows:

1. The active open is performed by the client sending a SYN to the server. It sets the segment's sequence number to a random value.

2. In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number, and the sequence number is random.

3. Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value, and the acknowledgement number is set to one more than the received sequence number.

It suggests to me that the firewall is receiving a SYN-ACK packet without a corresponding SYN packet. If with tracing you can capture the SYN-ACK packet, you can then figure out who is sending the packet.

R

Patience - the last reserve of the any engineer
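
The check described in the post above, as an added example that is not part of the original thread: it walks packets captured at the firewall and reports every SYN-ACK for which no matching SYN was seen, along with who sent it. The packet records are constructed sample data; 192.168.1.10 is the vserver address from the first post, and the client addresses and the `Pkt` layout are assumptions.

```python
from collections import namedtuple

# One captured TCP segment as seen at the firewall (layout is an assumption).
Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq ack")
S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})

def find_orphan_synacks(packets):
    """Return (packet, reason) for each SYN-ACK a stateful device would reject.

    A SYN-ACK is in state only if the reverse-direction SYN was seen earlier
    and its acknowledgment number equals that SYN's sequence number plus one.
    """
    pending = {}   # (client, cport, server, sport) -> client's initial seq
    orphans = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.flags == S:
            pending[(p.src, p.sport, p.dst, p.dport)] = p.seq
        elif p.flags == SA:
            isn = pending.get((p.dst, p.dport, p.src, p.sport))
            if isn is None:
                orphans.append((p, "no SYN seen for this flow"))
            elif p.ack != (isn + 1) % 2**32:   # sequence numbers wrap at 2^32
                orphans.append((p, "ack does not match SYN seq + 1"))
    return orphans

VIP = "192.168.1.10"   # vserver address from the first post
# Constructed capture: two complete handshakes and one SYN-ACK with no SYN.
CAPTURE = [
    Pkt(0.000, "203.0.113.5", 40001, VIP, 80, S, 1000, 0),
    Pkt(0.001, VIP, 80, "203.0.113.5", 40001, SA, 7000, 1001),
    Pkt(0.002, "203.0.113.5", 40001, VIP, 80, A, 1001, 7001),
    # The SYN for this flow never passed this capture point.
    Pkt(1.501, VIP, 80, "203.0.113.9", 40002, SA, 8000, 2001),
    # Initial sequence number at the top of the range: ack wraps to 0.
    Pkt(2.000, "203.0.113.7", 40003, VIP, 80, S, 2**32 - 1, 0),
    Pkt(2.001, VIP, 80, "203.0.113.7", 40003, SA, 9000, 0),
]

if __name__ == "__main__":
    for pkt, reason in find_orphan_synacks(CAPTURE):
        print(f"{pkt.ts:.3f} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} SYN-ACK: {reason}")
```

Running the same check on captures from each interface or firewall member shows where the SYN was last seen, which narrows down the path the SYN-ACK took.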

Re: NOKIA Firewall Block URL redirect 6 years 11 months ago #33196

  • Dove
Hi All,

I found the issue at last.

This is happening because of a VRRP issue in NOKIA. VRRP between the active and standby NOKIA was flapping; after fixing it, everything works fine. :lol:


Thanks

Dove