Thanks, I haven't tried it yet but I'll try it over this weekend.
Just wonder if there is any security threat as a result of keeping all connections?
Should I adjust memory assigned to connection tables in this case?
Should I decrease TCP timeout in properties of the policy? (I changed it from default to 900 regardless, but should I decrease it further in this case?)

Thanks.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Ben Nagy" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "'N. Endgirgli'" <[EMAIL PROTECTED]>
Sent: Monday, October 15, 2001 10:35 AM
Subject: RE: Citrix client disconnections
>
> If you add the "keep" option to table.def, it will not flush the table
> on policy install. Here is what the section should look like.
>
> connections = dynamic refresh sync expires TCP_START_TIMEOUT
>      expcall KFUNC_CONN_EXPIRE kbuf 1
> #ifdef SECUREMOTE
>      implies userc_verified_connections
> #else
>      implies ftp_restrictions
> #endif
>      hashsize 32768 limit 25000 keep;
>
> Notice the "keep" option on the hashsize line. I successfully used
> this to keep our VPN Citrix sessions from being dropped during a policy
> install.
>
> Scott
>
> "Ben Nagy" <[EMAIL PROTECTED]>
> Sent by: firewalls-admin@lists.gnac.net
> 10/12/2001 08:11 PM
>
> To: "'N. Endgirgli'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> cc:
> Subject: RE: Citrix client disconnections
>
> AFAIK there is nothing that will fix that. Installing a new policy
> flushes all the sessions. If it didn't it would be a bug - you could
> have a situation where there was traffic still flowing through the
> firewall that was against the current policy.
>
> Cheers,
>
> --
> Ben Nagy
> Security Guy
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of N. Endgirgli
> > Sent: Saturday, October 13, 2001 5:13 AM
> > To: Jay Wehring; [EMAIL PROTECTED]
> > Subject: Re: Citrix client disconnections
> >
> > Clients are not disconnected after inactivity period of time.
> > THEY ARE DISCONNECTED WHEN I INSTALL POLICY IN THE FIREWALL.
> > So I just wonder if there is anything that can fix that (CP
> > solution I mentioned in earlier doesn't work)
> [...]
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
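
Added example, not part of the thread and not Check Point code: a small audit helper that reads table definitions in the form quoted above and reports which tables carry `keep`, so that entries surviving a policy install (the case Ben Nagy describes) are a recorded decision. The grammar is assumed from the quoted snippet only; `other_table`, the `VALUED` keyword list and the function names are hypothetical.

```python
import re

# Constructed sample: the connections entry as quoted in the thread,
# plus a hypothetical second table without "keep" for contrast.
SAMPLE_TABLE_DEF = """\
connections = dynamic refresh sync expires TCP_START_TIMEOUT
        expcall KFUNC_CONN_EXPIRE kbuf 1
#ifdef SECUREMOTE
        implies userc_verified_connections
#else
        implies ftp_restrictions
#endif
        hashsize 32768 limit 25000 keep;
other_table = dynamic hashsize 512 limit 1000;
"""

# Keywords followed by one value in the quoted snippet (assumed, not a full grammar).
VALUED = {"expires", "expcall", "kbuf", "implies", "hashsize", "limit"}

def parse_tables(text):
    """Return {table_name: {"flags": set, "values": {keyword: [values]}}}."""
    # Drop preprocessor lines; attributes from every #ifdef branch are kept.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    tables = {}
    for stmt in body.split(";"):
        m = re.match(r"\s*(\w+)\s*=\s*(.*)", stmt, re.S)
        if not m:
            continue
        tokens, flags, values, i = m.group(2).split(), set(), {}, 0
        while i < len(tokens):
            if tokens[i] in VALUED and i + 1 < len(tokens):
                values.setdefault(tokens[i], []).append(tokens[i + 1])
                i += 2
            else:
                flags.add(tokens[i])
                i += 1
        tables[m.group(1)] = {"flags": flags, "values": values}
    return tables

def audit_keep(text):
    """List (table, entry limit) for tables whose entries survive a policy install."""
    found = []
    for name, t in parse_tables(text).items():
        if "keep" in t["flags"]:
            limit = t["values"].get("limit", [None])[0]
            found.append((name, int(limit) if limit else None))
    return found

if __name__ == "__main__":
    for name, limit in audit_keep(SAMPLE_TABLE_DEF):
        print(f"{name}: 'keep' set, entries persist across policy install (limit {limit})")
```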
