Hi!

PLEASE read it carefully before you reply. Thank you!

I experienced VERY strange behavior today.
My NG HFA_R55_08 is configured to accept out-of-state TCP packets
(previously I was using the user_accept_non_syc() trick to do it for the SSH
service only, but the behavior was exactly the same). When the timeout
is reached (I set it to 120 seconds for testing purposes) and a new TCP
ACK+PUSH packet is sent from the connection initiator to a server in the DMZ,
the firewall logs a new connection and responds with an RST packet
to the initiator, claiming the DMZ server's IP address, and the connection is
dropped on the client side.

I checked it many times with tcpdump. On the DMZ interface NO traffic
is sent!
This is unacceptable behavior as it leaves dead open connections on
the DMZ server. Besides that, the firewall simply lies, as it logs "ACCEPT"
in the log entry and sends an RST packet!!!
If the first packet coming after the timeout originates from the
server side, nothing is either logged or passed!
If "Drop out of state TCP packets" is checked, the packet is simply
dropped.
Either way, I cannot revert to the pre-4.1 SP2 behavior.

--
Mariusz Woloszyn
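For readers following the thread, the following is an added illustration, not Check Point's code and not something from the poster: a minimal stateful TCP tracker with an idle timeout, showing what the two policies named above ("accept out-of-state / non-SYN packets" versus "Drop out of state TCP packets") are expected to do with an ACK+PUSH that arrives after the state entry has expired. The addresses, ports and the 120-second timeout are constructed values for the scenario.

```python
"""Constructed model of a stateful firewall's TCP connection table.

Not Check Point's implementation: a simplified tracker that keys state on the
5-tuple, expires entries after an idle timeout, and applies one of two
policies to packets that match no entry and are not a SYN.
"""
from dataclasses import dataclass, field

# TCP flag bits (standard values)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float  # arrival time in seconds


@dataclass
class Entry:
    last_seen: float


@dataclass
class Tracker:
    idle_timeout: float = 120.0      # constructed: matches the test value in the post
    accept_non_syn: bool = False     # False == "Drop out of state TCP packets"
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    @staticmethod
    def key(p: Packet):
        # Normalise endpoint order so both directions map to one entry
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def expire(self, now: float) -> None:
        # Remove entries idle for longer than the timeout
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def process(self, p: Packet) -> str:
        self.expire(p.t)
        k = self.key(p)
        if k in self.table:
            self.table[k].last_seen = p.t          # refresh existing state
            verdict = "forward"
        elif p.flags & SYN and not p.flags & ACK:
            self.table[k] = Entry(p.t)             # new connection opened by SYN
            verdict = "accept-new"
        elif self.accept_non_syn:
            self.table[k] = Entry(p.t)             # mid-stream packet re-creates state
            verdict = "accept-non-syn"
        else:
            verdict = "drop-out-of-state"          # no state, no SYN: dropped silently
        self.log.append((p.t, p.src, p.dst, verdict))
        return verdict


def scenario(accept_non_syn: bool) -> list:
    """Handshake, then silence past the idle timeout, then client data (ACK+PSH)."""
    tr = Tracker(idle_timeout=120.0, accept_non_syn=accept_non_syn)
    client, server = "10.0.0.5", "192.0.2.10"    # constructed addresses
    verdicts = [
        tr.process(Packet(client, 40000, server, 22, SYN, 0.0)),
        tr.process(Packet(server, 22, client, 40000, SYN | ACK, 0.01)),
        tr.process(Packet(client, 40000, server, 22, ACK, 0.02)),
        # 200 s later: entry expired, client pushes data on the old connection
        tr.process(Packet(client, 40000, server, 22, PSH | ACK, 200.0)),
    ]
    return verdicts


if __name__ == "__main__":
    print("drop policy:  ", scenario(False))
    print("accept policy:", scenario(True))
```

With the drop policy the late ACK+PSH is discarded with no state created; with the accept policy the tracker re-creates state and forwards it toward the server, which is the behavior the post expected to see on the DMZ interface.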