Troubleshooting guide

Chapter 3 Troubleshooting Network Address Translation Resolving Common NAT Problems
Advanced Technical Reference Guide 4.1 June 2000 27
default value is 1 minute. This value is the time the firewall waits between seeing a SYN packet and the matching SYN-ACK packet. If this timer expires, the connection is erased from the tables.
If the connection then resumes, its packets no longer match any entry and pass through without translation, because the connection is absent from the NAT tables.
In this scenario, increase the value of this parameter to lengthen the waiting period for the SYN-ACK packet. Bear in mind that this change will increase the size of the tables, because the deletion of each entry is postponed.
4. Increase the value of the TCP end timeout (tcpendtimeout):
This workaround is for a situation where leaky NAT happens in the closing phase of the connection.
In the Objects.C file, set the tcpendtimeout value. The default value is 50 seconds.
This is the time the firewall waits between the two peers sending their FIN or RESET packets and the last ACK being sent. When this time is exceeded, the connection is deleted from the tables, and a packet sent through after that time will not be translated.
5. Change the relevant service to a service of type 'other' and not 'TCP':
This ensures that packets will be inspected on the outbound interface too.
6. Apply the ACK Denial-of-Service hotfix.
The ACK DoS hotfix prevents non-first packets of TCP connections from being matched against the Rule Base. This way, a packet belonging to a connection that is not registered in the tables is dropped, with no exceptions, instead of passing untranslated.
This workaround is rather extreme, since it drops every connection that has been idle for more than 3600 seconds (the default TCP session timeout). It was originally developed to block Denial-of-Service attacks.
Add the following INSPECT code to the $FWDIR/lib/code.def file, at the end of the file, just before the #endif statement.
After completing the edit, reinstall the security policy.
On version 4.0-based installations, this code also logs these events.
#ifndef ALLOW_NONFIRST_RULEBASE_MATCH
// Accept a TCP packet only if it is the first packet of a connection (first)
// or belongs to a connection recorded in the old_connections table.
// Any other TCP packet falls into the parenthesised clause below and vanishes
// (is silently dropped) instead of being matched against the Rule Base.
tcp, first or <conn> in old_connections or
(
#ifndef NO_NONFIRST_RULEBASE_MATCH_LOG
    // Log each offending 5-tuple once: if it is already in the 'logged' table
    // do nothing, otherwise record it, prepare the log registers and emit a
    // bad_conn log entry. The trailing 'or 1' keeps the clause true either way.
    (
        <ip_p,src,dst,sport,dport,0> in logged
    ) or (
        record <ip_p,src,dst,sport,dport,0> in logged,
        set sr10 12, set sr11 0, set sr12 0, set sr1 0,
        log bad_conn
    ) or 1,
#endif
    vanish
);
#endif
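The failure modes behind workarounds 3, 4 and 6 (a table entry that expires while the connection is still opening or closing, so that the next packet finds no entry and passes untranslated, versus the hotfix's drop-and-log-once rule) can be exercised with a small model of the connection table. The following Python is an added example written for this page, not Check Point code: the class and function names, the addresses 10.0.0.5 (internal host), 192.0.2.10 (its public NAT address) and 198.51.100.7 (remote server), and the packet sequences are all constructed, and the state machine is a deliberate simplification of what FireWall-1 actually keeps.

```python
from dataclasses import dataclass, replace

# Defaults the guide quotes: tcpstarttimeout 1 minute, tcpendtimeout 50 s, and the
# 3600 s established-connection timeout mentioned under the hotfix.
TCP_START_TIMEOUT = 60
TCP_END_TIMEOUT = 50
TCP_TIMEOUT = 3600

# Constructed sample addresses: one internal host hidden behind one public address.
INTERNAL, PUBLIC, SERVER = "10.0.0.5", "192.0.2.10", "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time, seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # any combination of "S", "A", "F", "R"


class ConnTable:
    """Connection/NAT table with the three timers; drop_unknown models the hotfix."""

    def __init__(self, start_timeout=TCP_START_TIMEOUT, end_timeout=TCP_END_TIMEOUT,
                 idle_timeout=TCP_TIMEOUT, drop_unknown=False):
        self.start_timeout = start_timeout
        self.end_timeout = end_timeout
        self.idle_timeout = idle_timeout
        self.drop_unknown = drop_unknown
        self.entries = {}    # canonical key -> [state, expiry]
        self.logged = set()  # plays the role of the 'logged' table in the INSPECT snippet
        self.logs = []

    @staticmethod
    def _key(p):
        # Both directions share one entry; map the public address back to the
        # internal one so replies sent to the translated address find it.
        a = (INTERNAL if p.src == PUBLIC else p.src, p.sport)
        b = (INTERNAL if p.dst == PUBLIC else p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    @staticmethod
    def _translate(p):
        if p.src == INTERNAL:
            return replace(p, src=PUBLIC)    # outbound: hide the internal source
        if p.dst == PUBLIC:
            return replace(p, dst=INTERNAL)  # inbound reply: restore the real destination
        return p

    def process(self, p):
        """Return (verdict, packet); verdict is 'forward', 'leak' or 'drop'."""
        k = self._key(p)
        entry = self.entries.get(k)
        if entry is not None and p.t > entry[1]:
            del self.entries[k]      # timer expired: the entry is erased
            entry = None
        if "S" in p.flags and "A" not in p.flags:
            # first packet: open an entry and start tcpstarttimeout
            self.entries[k] = ["syn_sent", p.t + self.start_timeout]
            return "forward", self._translate(p)
        if entry is None:
            # non-first packet with no entry: the leaky-NAT case
            if self.drop_unknown:
                if k not in self.logged:   # record <...> in logged, log bad_conn
                    self.logged.add(k)
                    self.logs.append(("bad_conn", p))
                return "drop", p
            return "leak", p               # passes through untranslated
        state = entry[0]
        if "F" in p.flags or "R" in p.flags:
            entry[:] = ["closing", p.t + self.end_timeout]       # start tcpendtimeout
        elif state == "closing":
            del self.entries[k]            # last ACK: the connection is closed
        elif state == "syn_sent" and "S" in p.flags:
            entry[:] = ["established", p.t + self.idle_timeout]  # SYN-ACK seen
        else:
            entry[1] = p.t + self.idle_timeout   # data/ACK refreshes the idle timer
        return "forward", self._translate(p)


def run_handshake(table, t0=0.0):
    """Drive a three-way handshake through the table; return the verdicts."""
    pkts = [Packet(t0, INTERNAL, SERVER, 40000, 80, "S"),
            Packet(t0 + 1, SERVER, PUBLIC, 80, 40000, "SA"),
            Packet(t0 + 2, INTERNAL, SERVER, 40000, 80, "A")]
    return [table.process(p)[0] for p in pkts]


def late_syn_ack(start_timeout, delay):
    """Workaround 3: the SYN-ACK arrives `delay` seconds after the SYN."""
    table = ConnTable(start_timeout=start_timeout)
    table.process(Packet(0.0, INTERNAL, SERVER, 40000, 80, "S"))
    verdict, pkt = table.process(Packet(delay, SERVER, PUBLIC, 80, 40000, "SA"))
    return verdict, pkt.dst      # INTERNAL only if the reply was translated


def late_last_ack(end_timeout, delay, drop_unknown=False):
    """Workarounds 4 and 6: the final ACK arrives `delay` seconds after the FINs."""
    table = ConnTable(end_timeout=end_timeout, drop_unknown=drop_unknown)
    run_handshake(table)
    table.process(Packet(10.0, INTERNAL, SERVER, 40000, 80, "FA"))
    table.process(Packet(11.0, SERVER, PUBLIC, 80, 40000, "FA"))
    verdict, pkt = table.process(Packet(11.0 + delay, INTERNAL, SERVER, 40000, 80, "A"))
    # a retransmission of the same late ACK must not add a second log line
    table.process(Packet(12.0 + delay, INTERNAL, SERVER, 40000, 80, "A"))
    return verdict, pkt.src, len(table.logs)


if __name__ == "__main__":
    print("SYN-ACK after 90 s, 60 s start timeout :", late_syn_ack(60, 90))
    print("SYN-ACK after 90 s, 120 s start timeout:", late_syn_ack(120, 90))
    print("last ACK after 70 s, 50 s end timeout  :", late_last_ack(50, 70))
    print("last ACK after 70 s, 100 s end timeout :", late_last_ack(100, 70))
    print("last ACK after 70 s, hotfix applied    :", late_last_ack(50, 70, True))
```

With the default timers the late SYN-ACK and the late final ACK both come back as "leak" with their addresses untouched, which is exactly the symptom the guide describes; raising tcpstarttimeout or tcpendtimeout turns them into translated "forward" verdicts, and the hotfix flag turns them into "drop" with a single bad_conn log entry per 5-tuple, retransmissions included.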