Re: [FW1] tcp session timeout
Hi Quentin.

We had the same problem and the session dropped after 1 hour. Yes, the policy properties have an entry "tcp session timeout 3600 sec". What we did was a change in the init.def file as follows:

    #define ADD_TCP_TIMEOUT(port,to) (record <port;to> in tcp_timeouts)

    ( <0> in tcp_timeouts ) or (
        ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
        ADD_TCP_TIMEOUT(1521,28800),   **** add this line and the timeout will be 8 hours instead
        ADD_TCP_TIMEOUT(0,0)
    );

    #endif /* __init_def__ */

The init.def file is located in $FWDIR/lib/

This is the only way to change the tcp timeout for a specific port.

I hope this helps.

Regards
Johan

----- Original Message -----
From: "Quentin Antrim" <[email protected]>
To: <[email protected]>
Sent: Wednesday, January 24, 2001 10:59 PM
Subject: [FW1] tcp session timeout

>
> I've got a problem with what I think is a TCP session timeout between two servers on either side of a Checkpoint Firewall. Here's the scenario:
>
> Checkpoint FW-1 SP3. Web server on one side of the firewall, an oracle database on the other side using Net8. Have a rule allowing the web server to contact the oracle server via sqlnet2 service. The web server contacts the oracle server via sqlnet2 service, according to the logs, but then establishes multiple TCP sessions with it using higher-level ports such as 1390, for example. These previously established sessions are used whenever data is needed.
>
> Here's the problem:
> Occasionally, when accessing a link on the web server that requires the web server to pull data out of the oracle database, it will fail. The firewall logs will indicate "Reason: unknown established TCP packet", telling me that the FW-1 thinks that this is not an established TCP session in its tables. Using a sniffer confirms that the packets are being sent to a particular destination port on an already established session, but are not passing the firewall. Using "fw tab" on FW-1 I can see that indeed, the TCP session is no longer in its tables.
>
> When things are working correctly, the packets are going through FW-1 and the TCP session can be found in its tables. Usually when the problem occurs, most ports are working fine, but one particular port is not. So, my frustration is figuring out why these sessions appear to be timing out seemingly at random.
>
> I've also uncommented the line in lib/fwui_head.def to undo the change that SP2 made to how TCP SYN packets and installed the policy. This did not appear to help any. We've also tried the oracle server outside the firewall so the firewall is out of the picture, and cannot recreate the problem, cementing my opinion that there is definitely a problem with the firewall.
>
> Has anybody else experienced this problem? Any ideas?
>
> Thanks.
> Quentin
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
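An added example, not from this thread or from Check Point: a small Python helper that models the per-port timeout table Johan describes (policy default 3600 s, init.def override for 1521) and walks a constructed, simplified firewall log to check whether each "unknown established TCP packet" drop follows an idle gap longer than the timeout that applies to that port. The log layout is an assumption made for the example, not real FW-1 output.

```python
import re
from datetime import datetime

# Policy-wide TCP session timeout from the thread (seconds).
DEFAULT_TCP_TIMEOUT = 3600
# Per-port overrides in the spirit of ADD_TCP_TIMEOUT(port, to) in init.def;
# the 1521 -> 28800 entry is the one added in the reply, everything else uses the default.
TCP_TIMEOUTS = {1521: 28800}

# Constructed sample log in a simplified key=value layout (not real FW-1 output).
SAMPLE_LOG = """\
2001-01-24 10:00:00 accept src=10.1.1.5 dst=10.2.2.9 dport=1521
2001-01-24 10:00:05 accept src=10.1.1.5 dst=10.2.2.9 dport=1390
2001-01-24 10:30:00 accept src=10.1.1.5 dst=10.2.2.9 dport=1390
2001-01-24 11:45:00 drop src=10.1.1.5 dst=10.2.2.9 dport=1390 reason="unknown established TCP packet"
2001-01-24 12:00:00 accept src=10.1.1.5 dst=10.2.2.9 dport=1521
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>accept|drop) src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'dport=(?P<dport>\d+)(?: reason="(?P<reason>[^"]*)")?$')


def timeout_for(port):
    """Effective idle timeout: the per-port override if present, else the policy default."""
    return TCP_TIMEOUTS.get(port, DEFAULT_TCP_TIMEOUT)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec


def correlate_drops(log_text):
    """For each 'unknown established TCP packet' drop, report how long that flow had been
    idle and whether the gap exceeds the timeout the firewall would apply to its port."""
    last_seen = {}  # (src, dst, dport) -> timestamp of the previous packet on that flow
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        flow = (rec["src"], rec["dst"], rec["dport"])
        if rec["action"] == "drop" and rec["reason"] == "unknown established TCP packet":
            prev = last_seen.get(flow)
            idle = int((rec["ts"] - prev).total_seconds()) if prev else None
            limit = timeout_for(rec["dport"])
            findings.append({"dport": rec["dport"], "idle": idle, "timeout": limit,
                             "exceeded": idle is not None and idle > limit})
        last_seen[flow] = rec["ts"]
    return findings


if __name__ == "__main__":
    for finding in correlate_drops(SAMPLE_LOG):
        print(finding)
```

A drop whose flow was idle longer than its port's timeout points at the session-timeout table; a drop on a flow that was active within the timeout points elsewhere, which is the distinction the thread is trying to make.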