HPE Community
Operating System - HP-UX
1827283 Members
3441 Online
109717 Solutions
New Discussion

Re: HP-UX 10.20 strong ES model

 
SOLVED
Go to solution
Brian McEntire
Frequent Advisor

‎04-02-2003 07:25 PM

‎04-02-2003 07:25 PM

HP-UX 10.20 strong ES model

Hello,
Is there a way to set HP-UX 10.20 to us a strong ES model?

Currently, it must be using a weak ES model. I have a dual homed J5000. We recently implemented a stateful firewall, and since then, I cannot telnet to the interface on the J5000 that is inside the firewall (even though the firewall passes the traffic). The problem for the connection is like this:

external host sends Syn to J5000

J5000 sends Syn-Ack to external host BUT IT GOES OUT A DIFFERENT INTERFACE card that so the firewall doesn't recognize what happens next

external host sends ack (3rd part of handshake) back to J5000's interface behind the f/w...

** firewall say syn, didn't see syn-ack, so firewall drops ack because it is still waiting to see syn-ack from J5000.

I need a way to enable the strong ES model on the HP-UX 10.20 server. The response traffic has to be forced to leave the same interface it came in on.

Can this be done?

Thanks!
0 Kudos
Reply
5 REPLIES 5
Steven E. Protter
Exalted Contributor

‎04-02-2003 08:03 PM

‎04-02-2003 08:03 PM

Re: HP-UX 10.20 strong ES model

Suggestion:

J5000 sends Syn-Ack to external host BUT IT GOES OUT A DIFFERENT INTERFACE card that so the firewall doesn't recognize what happens next

Configure the J5000 so that its primary interface is the card the firewall expects the traffic from.

Problem solved?

I'm not a 10.20 expert but I know you can pick a primary interface on 11.X

Perhaps this could be done with static routing on the J5000 so the traffic goes out the Interface the firewall needs it to go out.

I know its not the answer you were looking for, but I think this suggestion can work.

We're using a stateless firewall, but all my HP-UX boxes are on the same side of it.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Brian McEntire
Frequent Advisor

‎04-02-2003 08:34 PM

‎04-02-2003 08:34 PM

Re: HP-UX 10.20 strong ES model

Thanks for the idea. I tried that already. It doesn't work in our case because then the flip side breaks...

host inside tries to telnet to outside interface, f/w sees syn, client sees syn-ack (but f/w doesn't), so client replies with ack but f/w drops it because thinks state isn't right.

we have a reason to make this work, so it's not as simple as just removing one interface. we really need the strong ES capability.
0 Kudos
Reply
Berlene Herren
Honored Contributor

‎04-03-2003 10:15 AM

‎04-03-2003 10:15 AM

Solution

Re: HP-UX 10.20 strong ES model

Sorry Brian, it just is not in the 10.20 stack. The strong ES model tunable available from 11.0 and up.
Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Reply
Brian McEntire
Frequent Advisor

‎04-03-2003 01:30 PM

‎04-03-2003 01:30 PM

Re: HP-UX 10.20 strong ES model

Hrmm.... not the answer I wanted to here, but a very definitive answer. Thank you!
0 Kudos
Reply
rick jones
Honored Contributor

‎04-04-2003 10:52 AM

‎04-04-2003 10:52 AM

Re: HP-UX 10.20 strong ES model

Berlene is correct, there is no support for strong ES in 10.20.

The best thing is indeed to upgrade to something like 11i if you can.

If you cannot, you might try adding specific static routes for either specific remote hosts, or specific (sub)nets, that point-out the interface with the firewall.
there is no rest for the wicked yet the virtuous have no pillows
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.