Miguel Hernandez y Lopez wrote:
| Hi, one of my clients has a FW1 R62 on IPSO 4 with SecureXL. They're
| using internal software running on port 1527 (TCP) with an Oracle db.
| The problem we have is that after 10 or 15 minutes the connection is
| lost, with the message: "TCP packet out of state: First packet isn't SYN
| tcp_flags: PUSH-ACK" and the action of the fw is DROP.
|
| The first thing we did was increment the Session Timeout in the TCP
| Services Properties of port 1527 to 10800 seconds, but the problem
| continues. Because of the severity of the problem (people can't
| work if the application is offline), the temp solution we made was to
| disable "Drop out of state TCP packets" in the Global Properties of
| Stateful Inspection, but I don't want to leave it like this because it's a
| security risk to disable this option.
|
| Is there any chance that the above traffic on port 1527 can pass without
| being filtered across SecureXL?

If an out-of-state packet happens during normal traffic you usually have
a network problem or application problem.

The way to go forward is to use fw monitor to see what happens exactly.

If it happens on connections that go idle for a long time then the
simple thing to do is lower the TCP keep alive timer on the database
server. In my experience with Oracle it is usually the best way to keep
connections alive on firewalls. I recommend lowering it to 900 seconds.

Hugo.

- --
[EMAIL PROTECTED]               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

        A: Yes.
        >Q: Are you sure?
        >>A: Because it reverses the logical flow of conversation.
        >>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
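
An added example, not part of the original message: a Python check, assuming a Linux database host, that parses `sysctl` keepalive values and reports whether the first keepalive probe is sent before a firewall's TCP session timeout expires. The sample `sysctl` text and the 3600-second firewall timeout are constructed for illustration; 900 seconds is the value recommended in the reply above.

```python
"""Audit host TCP keepalive timing against a firewall TCP session timeout."""

# Constructed sample: `sysctl` output from a Linux host at kernel defaults (assumption).
SAMPLE_SYSCTL = """\
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
"""


def parse_keepalive(sysctl_text):
    """Return {'time': s, 'intvl': s, 'probes': n} parsed from `sysctl` output."""
    values = {}
    for line in sysctl_text.splitlines():
        key, sep, val = line.partition("=")
        key = key.strip()
        if sep and key.startswith("net.ipv4.tcp_keepalive_"):
            values[key.rsplit("_", 1)[1]] = int(val.strip())
    missing = {"time", "intvl", "probes"} - values.keys()
    if missing:
        raise ValueError(f"missing keepalive settings: {sorted(missing)}")
    return values


def audit(keepalive, fw_idle_timeout):
    """Compare keepalive timing with the firewall session timeout (seconds).

    Keepalive only applies to sockets that enable SO_KEEPALIVE.
    """
    first_probe = keepalive["time"]
    # A dead peer is declared after the idle time plus all unanswered probes.
    dead_peer_detect = first_probe + keepalive["intvl"] * keepalive["probes"]
    return {
        "first_probe_s": first_probe,
        "dead_peer_detect_s": dead_peer_detect,
        # The state entry is refreshed only if a probe crosses the firewall
        # before the entry expires.
        "refreshes_fw_state": first_probe < fw_idle_timeout,
    }


if __name__ == "__main__":
    FW_TIMEOUT = 3600  # constructed firewall TCP session timeout, in seconds
    defaults = parse_keepalive(SAMPLE_SYSCTL)
    tuned = dict(defaults, time=900)  # keepalive timer lowered to 900 seconds
    for label, ka in (("defaults", defaults), ("tuned", tuned)):
        print(label, audit(ka, FW_TIMEOUT))
```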
