
| Subject: | Re: debug checkpoint fw-1 on nokia ipso |
|---|---|
| Date: | Wed, 19 Jan 2005 13:41:20 +0200 |
Hi

The problem is that VRRP and OSPF are used together. In some situations interfaces flapped and VRRP changed states very quickly. OSPF can't inject VRRP's virtual IP address into the routing tables, so OSPF breaks (ipsord dies) and sometimes fwd dies. This configuration isn't supported by Nokia. The first IPSO in which this configuration is supported is IPSO 3.8B31.

There are scripts somewhere which may help you in some scenarios...
http://www.deathstar.ch/security/fw1/OperatingSystemIPSO/files/monitor-script.pdf
and another which should shut down OSPF when the platform isn't master. The original was made by Nokia, but I think you can't find it on the Nokia support site.

Symptoms are high CPU load, coredumps, crashes etc., so the Nokia support site has a detailed explanation of why your system can't work.

I recommend that you upgrade your system or try to find the kind of scripts mentioned above..... some of the commands are version dependent ;-) and they aren't officially supported. Remember that when you upgrade, the VRRP rules change a lot.

--
Riku

Sorry about top posting M$ rulez

----- Original Message -----
From: "Andrew Shore" <andrew.shore@holistecs.com>
To: "Pablo Hauser" <pablohauser@yahoo.com.ar>; "Markus Wernig" <listener@wernig.net>; <firewalls@securityfocus.com>
Sent: Tuesday, January 18, 2005 10:28 AM
Subject: RE: debug checkpoint fw-1 on nokia ipso

A couple or so years ago I had a similar problem with an IP330. For about two weeks the unit exhibited similar problems (although we had only one, no fail over). Finally after much head scratching the unit went pop and never worked again!

Perhaps it is some kind of hardware issue? We never got to the bottom of it, ours was under warranty and the replacement was fine.

Sorry, this probably won't help.

Andy

-----Original Message-----
From: Pablo Hauser [mailto:pablohauser@yahoo.com.ar]
Sent: 15 January 2005 08:57
To: 'Markus Wernig'; firewalls@securityfocus.com
Subject: RE: debug checkpoint fw-1 on nokia ipso

Weird.
Sometimes it happened to me that \var\fw\log\ahclientd.log "tilts" and continues growing non-stop for some reason, and that causes similar troubles to yours, but it doesn't stop by itself as in your case...

__________________________________________________
Pablo D. Hauser
Security Operations Center
IMPSAT

-----Original Message-----
From: Markus Wernig [mailto:listener@wernig.net]
Sent: Friday, 14 January 2005 18:31
To: firewalls@securityfocus.com
Subject: debug checkpoint fw-1 on nokia ipso

Hi list

We're having severe trouble with an old installation of checkpoint's fw-1 (ver. 4.1 sp6) on nokia ipso 3.5-FCS14. ("upgrade", i hear you say. yes, we're at it, but it will take more time than we have to solve this)

Symptoms:
At random times the box gets 100% loaded, i.e.
- a constant 0% cpu idle time reported by vmstat (with 99% in system, 1% in user mode)
- shell is almost unresponsive (characters on prompt echoed at a rate of one per 30 seconds, commands never returning, login taking about 10 minutes)
- box practically stops forwarding any traffic
- interface throughput drops to zero on ALL interfaces (measured in retrospect on switch and in ipso interface statistics)
- box takes about 3 seconds to reply to icmp echo-request
- box stops sending out OSPF and VRRP packets, resulting in failovers and OSPF recalculations, then occasionally sends one out, resulting in another session of failovers and routing convergences.

Then, after 10-30 minutes, suddenly all returns to normal (80% idle), nothing in the logs except for the OSPF messages from ipsrd.

On one occasion I managed to get a "ps auxw" through, and it showed monitord using 10% cpu and fwd using 8% cpu, all other processes were using below 0.1%. But I assume this only showed userspace processes. From all that I see, it's the kernel using all resources, or a hardware fault.

Now: is anyone aware of a tool or method to get more information about what is causing this load?
Has anyone heard of an attack that might cause these symptoms?
Can anyone remember a bug in that version of fw-1/ipso that might result in this behaviour?
Generic observations?

I'd be grateful for any pointer.

thanks
/markus
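
Added example, not part of the thread and not a Nokia or Check Point tool: one way to pin down when the load episodes described above start and how long they last is to keep vmstat output running to a file and scan it afterwards for runs of samples with 0% idle and high system time. The function names, thresholds and sample data are constructed for illustration, and a BSD-style vmstat layout (last three columns us, sy, id) is assumed.

```shell
#!/bin/sh
# Added example: find sustained kernel-bound episodes in saved vmstat output.
# Assumption: BSD-style vmstat layout, one sample per line, where the last
# three columns are us, sy, id (user, system, idle CPU percent).

# find_episodes INTERVAL_SECONDS SYS_MIN MIN_SAMPLES < saved_vmstat_output
# Prints one line per episode: first sample, last sample, duration.
find_episodes() {
    awk -v step="$1" -v sysmin="$2" -v minrun="$3" '
        # Report the current run if it is long enough, then reset it.
        function emit() {
            if (run >= minrun)
                printf "samples %d-%d duration %ds\n", start, start + run - 1, run * step
            run = 0
        }
        # Skip header and blank lines: the last field must be numeric.
        $NF !~ /^[0-9]+$/ { next }
        {
            n++
            sy = $(NF - 1); id = $NF
            if (id == 0 && sy >= sysmin) {
                if (run == 0) start = n
                run++
            } else {
                emit()
            }
        }
        END { emit() }
    '
}

# Constructed sample (not from the thread): 5-second samples, three of them
# showing the 0% idle / ~99% system pattern described in the original post.
sample_vmstat() {
    cat <<'EOF'
 procs    memory     page                    disks   faults      cpu
 r b w    avm   fre  flt  re  pi  po  fr  sr ad0   in   sy  cs us sy id
 0 0 0  81234 20480   12   0   0   0  10   0   0  230  310  90  5 15 80
 1 0 0  81240 20470   10   0   0   0   9   0   0 4100  120  60  1 99  0
 3 0 0  81240 20470    2   0   0   0   1   0   0 4300   80  40  1 99  0
 2 0 0  81244 20466    1   0   0   0   1   0   0 4250   75  42  0 100 0
 0 0 0  81250 20460   11   0   0   0   8   0   0  240  300  88  6 14 80
EOF
}

# Episodes of at least 3 consecutive samples with idle 0 and system >= 90.
sample_vmstat | find_episodes 5 90 3
```

The episode boundaries can then be lined up against the OSPF messages from ipsrd and the interface counters on the switch to see whether the flapping precedes the load or follows it.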