Checkpoint Firewall - "out of state" packets causing isolated email delivery errors???

Networking Firewalls
Posted by bhodgins on June 30, 2005, 12:24 pm
I have an issue that I'm really hoping someone knows about.

We had an old Exchange 2000 server that was failing with an internal IP
of 192.168.1.2, set up with static NAT on Checkpoint FW-1 NG FP3.
When I set up our new Exchange 2003 server on new hardware, I gave it
an internal IP of 192.168.1.4 so that it could co-exist with the old
server while the config was moved over, and a new anti-spam tested for
a month or so. I then went on the checkpoint server and changed the IP
address ending in the 2 to a 4 on the node that represents the internal
half of the static NAT.

Incoming mail works fine, internal mail works fine, 90% of the outgoing
mail reaches its destination quickly. 10% of the mail doesn't reach
certain clients on the outside.

Tracing this, I find that the mail leaves our network, reaches the
destination mail server, then times out, comes back and sits in our
queue for a retry.

I tried everything from an Exchange/SMTP point of view, but everything
checked out. I then activated the second NIC in the mail server and
unplugged the Checkpoint Firewall from the network, and assigned the
outside NAT address of 207.x.x.163 to the 2nd NIC card of the new
Exchange server, and rebooted. After this ALL mail flows fine (without
the firewall).

When I talked to the client we had a problem sending mail to, he
observed that we were sending a lot of "out of state" packets coming
into his Checkpoint Firewall. His systems were in turn sending "out of
state" packets back. I figure this was his anti-spam requesting some
data from our mail server.

We have this problem with about 5 companies so far, including anyone at
a hotmail address.

Why is the firewall doing this?
Is there any way to fix the out of state packet problem?

Cheers,

Brad



Posted by Greg Hennessy on June 30, 2005, 8:57 pm
On 30 Jun 2005 12:24:53 -0700, bhodgins@idirect.ca wrote:


>Tracing this, I find that the mail leaves our network, reaches the
>destination mail server, then times out, comes back and sits in our
>queue for a retry.


Does the entire 'mail' leave the network, or just part of the 3-way
handshake?

Mail does not 'come back'; it either gets delivered or it doesn't.

Have you sniffed the traffic on the wire as it leaves your network ?


>When I talked to the client we had a problem sending mail to, he
>observed that we were sending a lot of "out of state" packets coming
>into his Checkpoint Firewall. His systems were in turn sending "out of
>state" packets back.

He's talking rubbish; no firewall I know of sends 'out of state' packets
anywhere, let alone back to the source.

Is he running some form of anti spam black holing ?


>I figure this was his anti-spam requesting some
>data from our mail server.
>
>We have this problem with about 5 companies so far, including anyone at
>a hotmail address.

1st question, have you checked *your* logs for inbound connections on
113/tcp from the remote mail server during the outbound mail session.

2nd question, are you sending back an RST for all connections to 113/tcp
rather than just ignoring it all together ?

greg
--
"Access to a waiting list is not access to health care"
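Greg's two questions amount to a log correlation: for each outbound SMTP connection from the mail server, did the remote MTA come back with an ident (113/tcp) probe, and did the firewall answer it with a RST or silently drop it? A silently dropped probe leaves the remote MTA sitting in its ident timeout, which is a classic cause of SMTP sessions that stall and get retried. The script below is an added example written for this thread, not code from either poster or from Check Point. It assumes a constructed, simplified log format (epoch, action, proto, src:port -> dst:port) and constructed addresses, with 203.0.113.163 standing in for the external NAT address; a real Check Point log export has a different layout and would need its own parser.

```python
"""Correlate outbound SMTP sessions with inbound ident (113/tcp) probes.

Added example for this thread, not code from the original posters.
Log format is CONSTRUCTED and simplified (not the Check Point export format):

    <epoch> <action> <proto> <src>:<sport> -> <dst>:<dport>

action: accept | drop (silently discarded) | reject (firewall sent a TCP RST)
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

SMTP, IDENT = 25, 113


@dataclass(frozen=True)
class Record:
    ts: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Record:
    """Parse one line of the constructed log format into a Record."""
    ts, action, proto, src_ep, arrow, dst_ep = line.split()
    if arrow != "->":
        raise ValueError(f"bad log line: {line!r}")
    src, sport = src_ep.rsplit(":", 1)
    dst, dport = dst_ep.rsplit(":", 1)
    return Record(int(ts), action.lower(), proto.lower(), src, int(sport), dst, int(dport))


def parse_log(text: str) -> list[Record]:
    """Parse a whole log, skipping blank lines and '#' comments."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def ident_attempts(records: list[Record], mail_addrs: set[str], window: int = 120) -> list[dict]:
    """Greg's 1st question: for every outbound SMTP connection from the mail
    server (internal or NAT address), list the inbound 113/tcp attempts from the
    same remote host within `window` seconds and how the firewall handled them."""
    by_remote: dict[str, list[Record]] = defaultdict(list)
    for r in records:
        if r.proto == "tcp" and r.dst in mail_addrs and r.dport == IDENT:
            by_remote[r.src].append(r)
    findings = []
    for r in records:
        if r.proto == "tcp" and r.src in mail_addrs and r.dport == SMTP:
            hits = [i for i in by_remote[r.dst] if 0 <= i.ts - r.ts <= window]
            findings.append({"remote": r.dst, "smtp_ts": r.ts,
                             "ident": [(i.ts, i.action) for i in hits]})
    return findings


def diagnose(findings: list[dict]) -> list[str]:
    """Greg's 2nd question: remotes whose ident probe was silently dropped.
    Those MTAs wait out their ident timeout before continuing the SMTP session;
    a 'reject' (RST) or an 'accept' lets them move on immediately."""
    return sorted({f["remote"] for f in findings if any(a == "drop" for _, a in f["ident"])})


# Constructed sample log, not a real capture. 192.168.1.4 is the internal
# Exchange address from the thread; 203.0.113.163 is a stand-in NAT address.
SAMPLE_LOG = """\
# epoch      action proto src            -> dst
1120130000 accept tcp 192.168.1.4:3452  -> 10.9.8.7:25
1120130001 drop   tcp 10.9.8.7:40001    -> 203.0.113.163:113
1120130060 accept tcp 192.168.1.4:3460  -> 10.20.30.40:25
1120130061 reject tcp 10.20.30.40:41000 -> 203.0.113.163:113
1120130120 accept tcp 192.168.1.4:3470  -> 10.50.60.70:25
"""

MAIL_ADDRS = {"192.168.1.4", "203.0.113.163"}


def main() -> None:
    findings = ident_attempts(parse_log(SAMPLE_LOG), MAIL_ADDRS)
    for f in findings:
        print(f"{f['remote']:<14} smtp@{f['smtp_ts']} ident={f['ident'] or 'none'}")
    print("silently dropped ident probes from:", diagnose(findings))


if __name__ == "__main__":
    main()
```

Run against the sample, the remote whose probe was dropped (10.9.8.7) is the one to look at first; the remote that got a RST (10.20.30.40) and the remote that never probed at all are not affected by this mechanism. On the real firewall the fix Greg is pointing at is to reject 113/tcp with a RST rather than drop it, so the remote MTA's ident lookup fails instantly instead of timing out.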

