-----Richard Sims wrote: -----
>One approach would be to have a background Linux 'ping' command with
>a reasonable repeat interval to try to keep the connection alive
>between the two servers.

The Linux 'ping' command uses ICMP rather than TCP layered on top of IP. There is no way an ICMP packet could affect the firewall's tracking of activity on TCP connections.

>Another approach is to have two TSM server admin schedules running,
>30 minutes apart, to issue PING SERVER across the two.

As far as I know, a TSM server executing a PING SERVER command opens a new TCP connection, carries out some kind of data exchange to convince itself that the other server is still there, and closes the TCP connection. If this understanding is correct, the PING SERVER command does not trigger any activity on the pre-existing TCP connection that is at risk of a firewall timeout.

>Ideally, you could have the firewall administrator disable timeouts.

There is no way it would be possible to disable timeouts completely. This would cause the firewall's memory to fill up with state information for TCP connections whose endpoints had long ago lost interest in the connections. We may end up asking to have the timeout lengthened, but we are not optimistic about getting that done. Such a request would probably be characterized as a request to weaken security. Around here that characterization has developed a remarkable power to shut down the part of people's brains used for real thought about costs and benefits.
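A small simulation, added here and not part of the original exchange, of the point made above: a stateful firewall's TCP table is refreshed only by packets on the tracked flow itself, so background ICMP pings and fresh PING SERVER connections leave the idle server-to-server session to time out, while data on the session keeps it alive. All addresses, ports and the timeout value are constructed.

```python
from dataclasses import dataclass
IDLE_TIMEOUT = 3600  # constructed: seconds of silence before the firewall forgets a TCP flow

@dataclass(frozen=True)
class Packet:
    t: int            # seconds since start
    proto: str        # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # ports unused for icmp
    dport: int = 0
    flags: str = ""   # "S" = open, "F" = close, "" = data on an open flow

def flow_key(p):
    # Order the endpoints so both directions of a TCP flow share one table entry.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def track(packets, timeout=IDLE_TIMEOUT):
    """Model a stateful firewall's TCP table. Returns (expired flows, dropped packets)."""
    table, expired, dropped = {}, [], []
    for p in sorted(packets, key=lambda p: p.t):
        for k, last in list(table.items()):  # age out idle entries first
            if p.t - last > timeout:
                expired.append(k)
                del table[k]
        if p.proto != "tcp":
            continue                         # ICMP never touches TCP state
        k = flow_key(p)
        if "S" in p.flags:
            table[k] = p.t
        elif k not in table:
            dropped.append(p)                # the firewall has no state for this flow any more
        elif "F" in p.flags:
            del table[k]
        else:
            table[k] = p.t                   # only traffic on the flow itself refreshes it
    return expired, dropped

def scenario(session_traffic_every=None):
    """Idle server-to-server session plus both workarounds; optionally the session itself sends data every N seconds."""
    a, b, sess = "10.0.0.1", "10.0.0.2", 40000
    pkts = [Packet(0, "tcp", a, b, sess, 1500, "S")]
    pkts += [Packet(t, "icmp", a, b) for t in range(0, 7200, 300)]  # background ping
    for t in (1800, 5400):  # PING SERVER: opens and closes a fresh TCP flow each time
        pkts += [Packet(t, "tcp", a, b, 41000 + t, 1500, "S"), Packet(t + 1, "tcp", a, b, 41000 + t, 1500, "F")]
    if session_traffic_every:
        pkts += [Packet(t, "tcp", a, b, sess, 1500) for t in range(0, 7200, session_traffic_every)]
    pkts.append(Packet(7200, "tcp", a, b, sess, 1500))  # session finally sends data
    return track(pkts)
```

`scenario()` reports the session flow expired and its later data packet dropped despite the pings and PING SERVER connections; `scenario(1800)` reports nothing expired or dropped.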
