Kamiar_Sh
Nickel

upgrading security gateways in a cluster from R77.30 to R80.20

Hi All,

I upgraded my cluster from R77.30 to R80.20 last week and I faced an issue after upgrading, as follows:

A Unix server couldn't send files to the FTP server via FTP passive mode. After 2-3 hours of troubleshooting I disabled SecureXL and the issue was resolved. Do you have any suggestions or thoughts?

Thanks

5 Replies
Employee

Re: upgrading security gateways in a cluster from R77.30 to R80.20

Is there asymmetric traffic in this environment, or is the Anti-Virus or IPS blade enabled in this environment to inspect FTP traffic?
Kamiar_Sh
Nickel

Re: upgrading security gateways in a cluster from R77.30 to R80.20

After upgrading, IPS was enabled but its action was detect only; then I disabled it for the time being.

Employee

Re: upgrading security gateways in a cluster from R77.30 to R80.20

I saw a similar problem with terminal services. Are any of the symptoms from sk147093 occurring?

Kernel debug (fw ctl zdebug + drop) shows the following packet drops:
[DATE TIME];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [<SrouceIP,SourcePort,DestinationIP,DestinationPort,6>][PPK0];
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for <SrouceIP,SourcePort,DestinationIP,DestinationPort,6> -> dropping packet ;
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<SrouceIP,SourcePort,DestinationIP,DestinationPort,6>;


Issue does not replicate when SecureXL is off.
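
A triage sketch for the drop lines quoted in the post above, as an added example that is not part of the original thread and is not Check Point code: it extracts the connection tuple from each update_tcp_state line and decodes th_flags (0x14 is RST|ACK) so the rejected packets can be grouped per connection. The sample lines, addresses, timestamps and function names are constructed for illustration.

```python
import re
from collections import Counter

# TCP header flag bits, low bit first.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Matches the update_tcp_state drop line format quoted in the post above.
STATE_DROP = re.compile(
    r"update_tcp_state: invalid state detected "
    r"\(current state: (?P<state>0x[0-9a-fA-F]+), "
    r"th_flags=(?P<flags>0x[0-9a-fA-F]+), cdir=(?P<cdir>\d+)\).*?"
    r"conn: \[<(?P<conn>[^>]+)>\]")

def decode_flags(value):
    """Return the TCP flag names set in a th_flags value."""
    return "|".join(name for bit, name in TCP_FLAGS if value & bit) or "none"

def summarize(lines):
    """Count TCP state drops per (connection, decoded flags, state)."""
    hits = Counter()
    for line in lines:
        m = STATE_DROP.search(line)
        if not m:
            continue  # do_inbound / do_packet_finish lines repeat the same drop
        src, sport, dst, dport, _proto = m.group("conn").split(",")
        key = (f"{src}:{sport} -> {dst}:{dport}",
               decode_flags(int(m.group("flags"), 16)),
               m.group("state"))
        hits[key] += 1
    return hits

# Constructed sample input in the format shown in the post (documentation IPs).
SAMPLE = """\
[1Jan 10:00:01];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [<192.0.2.10,40001,198.51.100.20,50021,6>][PPK0];
[1Jan 10:00:01];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for <192.0.2.10,40001,198.51.100.20,50021,6> -> dropping packet ;
[1Jan 10:00:02];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [<192.0.2.10,40001,198.51.100.20,50021,6>][PPK0];
[1Jan 10:00:03];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x18, cdir=0) -> dropping packet, conn: [<192.0.2.11,40002,198.51.100.20,50022,6>][PPK0];
[1Jan 10:00:03];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<192.0.2.11,40002,198.51.100.20,50022,6>;
"""

if __name__ == "__main__":
    for (conn, flags, state), count in summarize(SAMPLE.splitlines()).most_common():
        print(f"{count:3d}  {conn}  flags={flags}  state={state}")
```
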


Admin

Re: upgrading security gateways in a cluster from R77.30 to R80.20

Anytime disabling SecureXL "solves" a problem, open a TAC case.
Kamiar_Sh
Nickel

Re: upgrading security gateways in a cluster from R77.30 to R80.20

Hi All,

I want to share the solution that fixed my issue:

# fw ctl set int asm_allow_syn_with_data 1

But if you want it as a permanent solution, the kernel file should be modified and the gateway should be rebooted.

 

 
