T. Horsnell (tsh) wrote:
tcp 6 431253 ESTABLISHED src=10.2.0.4 dst=131.111.85.78 sport=49278 dport=143 [UNREPLIED] src=131.111.85.78 dst=10.2.0.4 sport=143 dport=49278 use=1
'ESTABLISHED' 'UNREPLIED' seems an odd combination to me.
This is happening when the firewall only sees packets travelling in
one direction. That is, 10.2.0.4 uses the firewall as its gateway
to talk to 131.111.85.78, but since 131.111.85.78 knows about the
10.x.x.x network, it replies directly to 10.2.0.4, so the firewall
is missing half of the conversation. It doesn't look to me like this
particular connection has hung.
Do you have any DNAT rules on the firewall? This kind of asymmetrical
routing does cause problems with DNAT, since the firewall doesn't get
a chance to reverse the DNAT in the reply packets, and the symptom is
that the connection hangs.
I don't yet know why traffic between our 10. hosts and our
131.111 hosts should generate a conntrack entry at all...
If the packets go via the firewall, then a conntrack entry will
always be created.
--
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
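As an added illustration of the diagnosis above (this is example code, not something from the thread or from SnapGear): a small parser for the `/proc/net/ip_conntrack` line format that flags entries conntrack has only ever seen one direction of, and separates the plain asymmetric-routing case from the one that bites DNAT, where the reply tuple is not the mirror of the original tuple and so the firewall would have had to rewrite replies it never sees. The sample table is constructed here; the first line is the entry from the post, the other three are made up to show a normal two-way flow, a DNATed one-way flow, and a handshake still in progress. The "pending" classification for a non-ESTABLISHED TCP state is an assumption of this script, not anything the post states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of /proc/net/ip_conntrack output.  Line 1 is the entry
# quoted in the post; lines 2-4 are made up for this example.
SAMPLE_CONNTRACK = """\
tcp 6 431253 ESTABLISHED src=10.2.0.4 dst=131.111.85.78 sport=49278 dport=143 [UNREPLIED] src=131.111.85.78 dst=10.2.0.4 sport=143 dport=49278 use=1
tcp 6 431999 ESTABLISHED src=10.2.0.9 dst=131.111.85.78 sport=40001 dport=143 src=131.111.85.78 dst=10.2.0.9 sport=143 dport=40001 [ASSURED] use=1
tcp 6 431700 ESTABLISHED src=192.0.2.10 dst=131.111.85.80 sport=51000 dport=80 [UNREPLIED] src=10.2.0.20 dst=192.0.2.10 sport=80 dport=51000 use=1
tcp 6 119 SYN_SENT src=10.2.0.30 dst=131.111.85.78 sport=52000 dport=143 [UNREPLIED] src=131.111.85.78 dst=10.2.0.30 sport=143 dport=52000 use=1
"""

Tuple4 = Tuple[str, str, int, int]  # (src, dst, sport, dport)


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int
    state: Optional[str]      # TCP state; None for protocols without one
    orig: Tuple4              # tuple of the packet that created the entry
    reply: Tuple4             # tuple conntrack expects reply packets to carry
    unreplied: bool           # no packet has ever matched the reply tuple
    assured: bool
    raw: str

    def mirrored(self) -> Tuple4:
        """What the reply tuple would be if no NAT were applied."""
        src, dst, sport, dport = self.orig
        return (dst, src, dport, sport)

    def is_natted(self) -> bool:
        # A reply tuple that is not the plain mirror of the original tuple
        # means some NAT mapping (DNAT or SNAT) was applied to this flow.
        return self.reply != self.mirrored()


def parse_line(line: str) -> Optional[ConntrackEntry]:
    """Parse one ip_conntrack line (tcp/udp only; returns None otherwise)."""
    tokens = line.split()
    if len(tokens) < 3:
        return None
    proto, timeout = tokens[0], int(tokens[2])
    state: Optional[str] = None
    pairs: List[Tuple[str, str]] = []
    unreplied = assured = False
    for tok in tokens[3:]:
        if tok == "[UNREPLIED]":
            unreplied = True
        elif tok == "[ASSURED]":
            assured = True
        elif "=" in tok:
            k, v = tok.split("=", 1)
            pairs.append((k, v))
        elif state is None and tok.isupper():
            state = tok  # e.g. ESTABLISHED, SYN_SENT
    addrs = [(k, v) for k, v in pairs if k in ("src", "dst", "sport", "dport")]
    if len(addrs) < 8:
        return None  # icmp and friends carry type/code/id instead of ports

    def tuple_of(chunk: List[Tuple[str, str]]) -> Tuple4:
        d = dict(chunk)
        return (d["src"], d["dst"], int(d["sport"]), int(d["dport"]))

    return ConntrackEntry(proto, timeout, state, tuple_of(addrs[:4]),
                          tuple_of(addrs[4:8]), unreplied, assured, line)


def classify(e: ConntrackEntry) -> str:
    """Label an entry by what the firewall has actually seen of the flow."""
    if not e.unreplied:
        return "two-way"
    if e.proto == "tcp" and e.state != "ESTABLISHED":
        # Assumption of this script: an UNREPLIED entry still in the handshake
        # is just a young connection, not evidence of asymmetric routing.
        return "pending"
    # ESTABLISHED but UNREPLIED: the firewall forwarded the client's side of
    # the conversation and never saw a reply.  If NAT was applied, the
    # reverse mapping could never happen and the connection will hang.
    return "asymmetric-nat" if e.is_natted() else "asymmetric"


def audit(table: str) -> Dict[str, List[ConntrackEntry]]:
    """Group every parseable entry in a conntrack dump by classification."""
    groups: Dict[str, List[ConntrackEntry]] = {}
    for line in table.splitlines():
        entry = parse_line(line)
        if entry is not None:
            groups.setdefault(classify(entry), []).append(entry)
    return groups


if __name__ == "__main__":
    for label, entries in audit(SAMPLE_CONNTRACK).items():
        for e in entries:
            print(f"{label:15s} {e.orig[0]}:{e.orig[2]} -> {e.orig[1]}:{e.orig[3]}"
                  f" (reply {e.reply[0]}:{e.reply[2]} -> {e.reply[1]}:{e.reply[3]})")
```

Run against a real dump with `audit(open("/proc/net/ip_conntrack").read())` on a 2.4/2.6 box (or the output of `conntrack -L` massaged into the same format); a steady population of "asymmetric" entries for a given pair of networks is the signature described above, and any "asymmetric-nat" entries are the ones whose connections will appear to hang.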