
NOKIA Firewall Block URL redirect

14 years 7 months ago #32275 by Dove
Hi

I am using the NOKIA firewall, which is facing the internet. Behind that I have a Cisco CSM, and it is configured for website redirect as below


serverfarm HTTP_REDIRECT
nat server
no nat client
redirect-vserver HTTP_REDIR
webhost relocation www.mywebsite2.com 301
inservice


vserver WEB-RD
virtual 192.168.1.10 tcp www
serverfarm HTTP_REDIRECT
persistent rebalance
inservice


Also I have the NOKIA rule saying anything from the internet to 192.168.1.10 (NATed with a public IP in NOKIA) on the HTTP and HTTPS ports is permitted.


The above setup works fine, but after 2 to 3 successful redirects I get a deny log on NOKIA saying "tcp packet out of state first packet isn't syn tcp_flags syn-ack"

And after some time (a few seconds) it starts working again. Hope someone has faced the same issue. Please can you help me fix this.

Please let me know if you need any further clarification on this to understand my issue.

Thanks
Mahendra


Dove
14 years 7 months ago #32277 by Ranger24
hi Dove,

Got the model number?

BTW Nokia Firewalls are now owned by Checkpoint. Might be worth a look around their site.

R


Patience - the last reserve of any engineer
14 years 7 months ago #32278 by Dove
Hi Ranger24

Thanks for your reply. I don't think it is related to NOKIA / Checkpoint. Though it is being blocked in NOKIA, I suspect it is something related to the TCP handshake. I am not sure how to fix this.

Any inputs on this issue would help me a lot to narrow down the issue.

Thanks
Mahendra


Dove
14 years 7 months ago #32279 by Ranger24
I'd consider tracing packets until you capture an example of a dropped packet.

If we consider the handshake is as follows:

1. The active open is performed by the client sending a SYN to the server. It sets the segment's sequence number to a random value.

2. In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number, and the sequence number is random.

3. Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value, and the acknowledgement number is set to one more than the received sequence number.

It suggests to me that the firewall is receiving a SYN-ACK packet without a corresponding SYN packet. If with tracing you can capture the SYN-ACK packet, you can then figure out who is sending the packet.

R


Patience - the last reserve of any engineer
14 years 4 months ago #33196 by Dove
Hi All,

I found the issue at last.

This is happening because of a VRRP issue in NOKIA. VRRP between the active and standby NOKIA was flapping; after fixing it everything works fine. :lol:


Thanks


Dove
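To tie Ranger24's handshake walk-through to Dove's VRRP root cause, here is an added illustration (constructed for this thread, not Nokia, Check Point or Cisco code): a toy stateful-inspection table that accepts a flow only when its first packet is a bare SYN, fed through a two-member firewall pair with no state synchronisation. When the VRRP master changes between the SYN and the SYN-ACK, the new master has no entry for the flow and logs the same "first packet isn't syn tcp_flags: syn-ack" drop seen in the original post. The addresses, member names and the `run_cluster` helper are assumptions of this example.

```python
"""Toy model of stateful TCP inspection and the 'first packet isn't SYN' drop.

Constructed example for the thread above; not vendor code. It tracks only the
states needed to show the handshake and a master switch between its packets.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flags_str(flags: int) -> str:
    """Render flags the way the log in the thread does, e.g. 'syn-ack'."""
    names = [n for n, bit in (("syn", SYN), ("ack", ACK), ("fin", FIN), ("rst", RST)) if flags & bit]
    return "-".join(names) or "none"


ConnKey = Tuple[str, int, str, int]


class StatefulFirewall:
    """One firewall member: a connection table plus a list of deny log lines."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Dict[ConnKey, str] = {}
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        # Direction-independent key so both halves of a flow hit one entry
        lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (lo[0], lo[1], hi[0], hi[1])

    def inspect(self, p: Packet) -> bool:
        key = self._key(p)
        state = self.table.get(key)
        f = p.flags
        if state is None:
            # A new flow must open with a bare SYN; anything else is out of state
            if f & SYN and not f & ACK:
                self.table[key] = "SYN_SENT"
                return True
            self.log.append(
                f"{self.name} drop {p.src}:{p.sport}->{p.dst}:{p.dport}: "
                f"tcp packet out of state: first packet isn't syn tcp_flags: {flags_str(f)}"
            )
            return False
        if state == "SYN_SENT":
            if f & SYN and f & ACK:
                self.table[key] = "SYN_RECV"
                return True
            if f & SYN:  # client retransmitting its SYN is fine
                return True
        if state == "SYN_RECV" and f & ACK and not f & SYN:
            self.table[key] = "ESTABLISHED"
            return True
        if state == "ESTABLISHED":
            if f & (FIN | RST):  # simplified teardown: drop the entry at once
                del self.table[key]
            return True
        self.log.append(f"{self.name} drop: unexpected {flags_str(f)} in state {state}")
        return False


def handshake(client: str, cport: int, server: str, sport: int) -> List[Packet]:
    """The three handshake segments Ranger24 lists, client -> server -> client."""
    return [
        Packet(client, cport, server, sport, SYN),
        Packet(server, sport, client, cport, SYN | ACK),
        Packet(client, cport, server, sport, ACK),
    ]


def run_cluster(packets: List[Packet], master_schedule: List[int]) -> Tuple[int, List[str]]:
    """Feed packets through a two-member pair with NO state sync (assumption).

    master_schedule[i] is the index of the member that is VRRP master when
    packet i arrives. Returns (packets passed, combined deny log).
    """
    members = [StatefulFirewall("fw1"), StatefulFirewall("fw2")]
    passed = sum(1 for pkt, m in zip(packets, master_schedule) if members[m].inspect(pkt))
    return passed, members[0].log + members[1].log


if __name__ == "__main__":
    # Constructed addresses: an internet client hitting the CSM redirect vserver
    flow = handshake("203.0.113.5", 40000, "192.168.1.10", 80)
    print("stable master:", run_cluster(flow, [0, 0, 0]))
    print("flap between SYN and SYN-ACK:", run_cluster(flow, [0, 1, 1]))
```

With a stable master all three segments pass. With the master flipping after the SYN, the SYN-ACK and the ACK are both denied by the member that never saw the SYN, which is why the symptom clears on its own once the client retries and the whole handshake lands on one member.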