Re: [FW-1] Connection table question
David,

the problem is that checkpoint (>4.1sp2) raises an initial tcp timeout of 60s after syn, syn/ack, ack. When there's one packet more on the wire this timeout is set to 3600s. I've seen this problem with legato networker.

Choices:

- Not recommended: change the way fw-1 handles tcp handshake to the old style (hint: unknown established tcp packet). This affects all connections and moreover it's not stateful inspection!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- Change the tcp keep alive timer (if you can configure your software) of the server or client to less than 60s.
- Change objects.C or set an fw-1 kernel parameter in order to increase the tcp_initial_timeout.

Hope this helps,
markus

At 16:28 22.04.2002 -0400, you wrote:
>I have a situation that occurs where a valid connection gets dropped due to no traffic after session setup. The client sends the SYN to the server. The server replies with SYN-ACK. The client sends back ACK. At this point I would expect FW-1 to insert the session in the connection table and set the timeout to 3600. However what I see is that the connection is set to 60 seconds. It will only get set to 3600 if the server sends the client data before the 60 seconds are up (which is not usually the case). So it looks like FW-1 requires SYN, SYN-ACK, ACK, DATA rather than SYN, SYN-ACK, ACK as indicated in just about every document that I have read. Has anyone else seen this? This is a major problem for our application. Any suggestions would be greatly appreciated.
>
>David Wilson
>Télécommunications et Téléphonie
>Montréal Exchange
>ext 355
>[email protected]
>

-------------------------------------------------------------------
Markus Hofbauer
IT-Service                  phone : +43 (1) 60 126-34
Internet & Security         fax   : +43 (1) 60 126-4
Bacher Systems EDV GmbH     mail  : [email protected]
Wienerbergstr. 11B          www   : http://www.bacher.at/
A-1101 Wien, Austria, Europe
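
The timer behaviour described in this thread, as a small model in Python. This is an added example, not part of either message and not Check Point code; the function names, the per-packet timer restart and the expiry-at-deadline rule are assumptions of the model.

```python
"""Toy model of the connection-table timer described in this thread.
Not Check Point code; timeout values are the ones quoted in the messages."""

INITIAL_TIMEOUT = 60        # s, applied after SYN, SYN-ACK, ACK
ESTABLISHED_TIMEOUT = 3600  # s, applied once one more packet is seen


def dropped_packets(packet_times, initial=INITIAL_TIMEOUT,
                    established=ESTABLISHED_TIMEOUT):
    """Return the packets that arrive after the table entry has expired.

    Times are seconds after the final ACK of the handshake.
    Assumptions: every accepted packet restarts the idle timer, and an
    entry is gone at exactly its deadline.
    """
    deadline = initial
    dropped = []
    for t in sorted(packet_times):
        if t >= deadline:
            dropped.append(t)              # no matching entry any more
        else:
            deadline = t + established     # entry refreshed
    return dropped


def keepalive_probes(idle, until):
    """Probe times for an idle connection sending one probe every `idle` s."""
    return list(range(idle, until + 1, idle))


def first_data_survives(first_data_at, keepalive_idle=None, **timeouts):
    """True if the first application packet still finds a table entry."""
    probes = keepalive_probes(keepalive_idle, first_data_at) if keepalive_idle else []
    return first_data_at not in dropped_packets(probes + [first_data_at], **timeouts)


if __name__ == "__main__":
    # Constructed scenario: the application stays silent for 300 s after setup.
    # 7200 s is a common OS default for the keepalive idle time.
    for idle in (None, 7200, 60, 45):
        print(f"keepalive={idle}: first data at 300 s survives ->",
              first_data_survives(300, idle))
    print("initial timeout raised to 3600 s ->",
          first_data_survives(300, initial=3600))
```

Only the 45 s keepalive and the raised initial timeout keep the entry alive in this scenario; a keepalive of exactly 60 s still loses the race under the model's boundary assumption.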