I have a case open on this scenario with Checkpoint, but we're not making progress. I'm wondering if there is anyone who's had to deal with this before:
FW1 NG AI R55 FHA_08 and FHA_09 SPLAT
3000+ active users behind gateway
x335 w/ 4x1000FDX NICs
continuously < 50% cpu
continuously < 4000 active connections
continuously < 400 new connections
continuously 0% swap used

In other words, the box is pretty happy.

There are various resources on the NET that are inaccessible until after a user issues a ping to the destination:
http://www.cnn.com
http://gmail.com
http://gmail.google.com
https://osc-amer.sun.com (support site--have to issue a continuous ping in the background to keep the connection alive so that we don't lose our details as we fill in the cases)
http://portfolio.moody.edu (on our own DMZ!!!!)
http://www.checkpoint.com
AOL IM on 5190, 25544, 110, etc....

If a user finds that they have difficulty accessing a site (some of these are persistent enough to where there is no question they won't be able to access it!), they issue a ping, and voila! the page loads right up!

Network stats:
We mirrored the traffic on the firewall's internal NIC and found that the requests were reaching the port on the switch.
We ran 'fw monitor' on the FW1 box, and lo and behold, NOTHING showed up until AFTER the ping was issued.

In other words, it appears there is something between the physical interface on the switch and the FW1 that causes the packet never to be seen by the FW1 module.

In short:
1. user opens a web site that is not loading
2. the switch sees the SYN packets and forwards them to the FW1 port
3. the FW1 does not see the traffic
4. the user issues a ping
5. the switch forwards the ping to the FW1 port
6. the FW1 sees the ping, and says, 'Oh! I guess we should be listening to this traffic?'
7. the page suddenly loads and we see SYN/ACK/F/P, etc., as per normal

So, for many sites/protocols (tcp only) we are finding that unless we teach the firewall that it is supposed to see the traffic by issuing pings, we don't get there.

Any ideas?
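The diagnostic the post describes (compare what the switch mirror port sees against what 'fw monitor' sees, and check whether the firewall only starts seeing a flow after an ICMP echo) can be automated once both captures are saved as text. The script below is an added example for this thread, not code from the original poster or from Check Point. It assumes simplified tcpdump-style lines (timestamp, IPs, ports, TCP flags or ICMP echo type); the two captures, the address ranges and the internal prefix 10.10.1. are constructed for illustration. For each client-to-server pair it counts SYNs that appear on the mirror but never at the firewall and reports whether the first SYN the firewall did see was preceded by a ping from the same client.

```python
import re
from collections import defaultdict

# Constructed sample captures (not from the post). Same time base on both sides.
# 10.10.1.25 -> 203.0.113.10: three SYNs lost, then a ping, then a SYN that gets through.
# 10.10.1.40 -> 192.0.2.5: normal flow seen on both sides.
# 10.10.1.25 -> 198.51.100.7: SYN seen on the mirror only, never at the firewall.
MIRROR_CAPTURE = """\
10:00:01.000 IP 10.10.1.25.51000 > 203.0.113.10.80: Flags [S]
10:00:02.000 IP 10.10.1.40.52000 > 192.0.2.5.443: Flags [S]
10:00:02.030 IP 192.0.2.5.443 > 10.10.1.40.52000: Flags [S.]
10:00:03.000 IP 10.10.1.25.53000 > 198.51.100.7.80: Flags [S]
10:00:04.000 IP 10.10.1.25.51001 > 203.0.113.10.80: Flags [S]
10:00:07.000 IP 10.10.1.25.51002 > 203.0.113.10.80: Flags [S]
10:00:09.000 IP 10.10.1.25 > 203.0.113.10: ICMP echo request
10:00:09.020 IP 203.0.113.10 > 10.10.1.25: ICMP echo reply
10:00:09.500 IP 10.10.1.25.51003 > 203.0.113.10.80: Flags [S]
10:00:09.530 IP 203.0.113.10.80 > 10.10.1.25.51003: Flags [S.]
"""

FW_MONITOR_CAPTURE = """\
10:00:02.000 IP 10.10.1.40.52000 > 192.0.2.5.443: Flags [S]
10:00:02.030 IP 192.0.2.5.443 > 10.10.1.40.52000: Flags [S.]
10:00:09.000 IP 10.10.1.25 > 203.0.113.10: ICMP echo request
10:00:09.020 IP 203.0.113.10 > 10.10.1.25: ICMP echo reply
10:00:09.500 IP 10.10.1.25.51003 > 203.0.113.10.80: Flags [S]
10:00:09.530 IP 203.0.113.10.80 > 10.10.1.25.51003: Flags [S.]
"""

TCP_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")
ICMP_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) IP (\d+\.\d+\.\d+\.\d+) > "
    r"(\d+\.\d+\.\d+\.\d+): ICMP echo (request|reply)")


def _ts(h, m, s):
    """Convert hh:mm:ss.fff fields to seconds since midnight."""
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Parse simplified tcpdump-style lines into packet dicts; unrecognised lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            h, mi, s, src, sport, dst, dport, flags = m.groups()
            packets.append({"ts": _ts(h, mi, s), "proto": "tcp", "src": src,
                            "sport": int(sport), "dst": dst, "dport": int(dport),
                            "flags": flags})
            continue
        m = ICMP_RE.match(line)
        if m:
            h, mi, s, src, dst, kind = m.groups()
            packets.append({"ts": _ts(h, mi, s), "proto": "icmp",
                            "src": src, "dst": dst, "kind": kind})
    return packets


def _outbound_syns(packets, internal_prefix):
    """Map (client, server) -> sorted [(ts, sport)] for initial SYNs from internal hosts."""
    out = defaultdict(list)
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == "S" and p["src"].startswith(internal_prefix):
            out[(p["src"], p["dst"])].append((p["ts"], p["sport"]))
    for v in out.values():
        v.sort()
    return out


def compare_captures(mirror_text, fw_text, internal_prefix="10.10.1."):
    """Per client->server pair, classify whether SYNs seen on the mirror reached the firewall.

    SYNs are matched by client source port, so retransmissions of one attempt count once.
    """
    mirror = parse_capture(mirror_text)
    fw = parse_capture(fw_text)
    mirror_syns = _outbound_syns(mirror, internal_prefix)
    fw_syns = _outbound_syns(fw, internal_prefix)
    report = {}
    for (client, server), m_list in mirror_syns.items():
        f_list = fw_syns.get((client, server), [])
        fw_ports = {sport for _, sport in f_list}
        lost = [ts for ts, sport in m_list if sport not in fw_ports]
        pings = sorted(p["ts"] for p in fw if p["proto"] == "icmp" and p["kind"] == "request"
                       and p["src"] == client and p["dst"] == server)
        first_fw = f_list[0][0] if f_list else None
        first_ping = pings[0] if pings else None
        if not lost:
            verdict = "ok"
        elif first_fw is None:
            verdict = "never_reaches_firewall"
        elif first_ping is not None and first_ping <= first_fw:
            verdict = "seen_only_after_ping"
        else:
            verdict = "partial_loss"
        report[(client, server)] = {"verdict": verdict, "syns_on_mirror": len(m_list),
                                    "syns_at_fw": len(f_list), "lost_syns": len(lost),
                                    "first_ping_at_fw": first_ping, "first_fw_syn": first_fw}
    return report


if __name__ == "__main__":
    for pair, info in compare_captures(MIRROR_CAPTURE, FW_MONITOR_CAPTURE).items():
        print(pair, info)
```

Flows tagged seen_only_after_ping are the ones that match the symptom in the post; never_reaches_firewall flows are the control case to chase on the switch or cabling side, since no ping ever rescued them. Real captures should be time-aligned (same NTP source on the span collector and the firewall) before the first_ping_at_fw comparison means anything.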
