Thanks Hugo! You're my hero! Problem solved like this:

    echo fwtcpstr_max_window=65536 > $FWDIR/boot/modules/fwkern.conf
    fw ctl set int fwtcpstr_max_window 65536

Lars

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Hugo van der Kooij
Sent: Friday, July 04, 2008 10:56 AM
To: [email protected]
Subject: Re: [FW-1] http file uploads

Lars Troen wrote:
| Hi!
| I'm trying to troubleshoot http file uploads and I'm getting no drop messages in SmartView Tracker.
|
| By using fw ctl zdebug drop I get the following messages:
| fw_log_drop: Packet proto=6 10.174.63.189:62308 -> 10.174.18.154:80 dropped by fw_conn_inspect Reason: TCP streaming drop/reject
| fw_log_drop: Packet proto=6 10.174.63.189:62308 -> 10.174.18.154:80 dropped by fw_conn_inspect Reason: TCP streaming drop/reject
| fw_log_drop: Packet proto=6 10.174.63.189:62308 -> 10.174.18.154:80 dropped by fw_conn_inspect Reason: TCP streaming drop/reject
| fw_log_drop: Packet proto=6 10.174.63.189:62308 -> 10.174.18.154:80 dropped by fw_conn_inspect Reason: TCP streaming drop/reject
| fw_log_drop: Packet proto=6 10.174.63.189:62308 -> 10.174.18.154:80 dropped by fw_conn_inspect Reason: TCP streaming drop/reject
| fw_log_drop: Packet proto=6 10.174.63.189:62308 -> 10.174.18.154:80 dropped by fw_conn_inspect Reason: TCP streaming drop/reject
|
| .63.189 is the client, .18.154 is the server
|
| Any ideas on what can I do to solve this?

Do a fw monitor on the specific traffic.

Every time I have seen this it has to do with servers that cannot keep up with the client. So in the end you run out of your window. With selective acknowledgements it gets a lot worse.

There is an SK that will tell you how to increase the window size that Check Point will support. Setting it to the max instead of the default 32k did solve most of the http upload problems.

Hugo.

--
[EMAIL PROTECTED] http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
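
Added example, not part of the original messages: a small Python parser for saved `fw ctl zdebug drop` output in the line format quoted above. It counts drops per reason and flow and lists flows with repeated "TCP streaming" drops, and it goes beyond the thread's single case by handling other reasons and protocols. The function names, the threshold and the second sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Line format as quoted in the thread; a trailing ';' after the reason is tolerated.
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>.+?)\s*;?\s*$"
)

def parse_drops(text):
    """Yield one dict per fw_log_drop line; any other line is skipped."""
    for line in text.splitlines():
        m = DROP_RE.search(line)  # search() ignores quote markers such as '| '
        if m:
            yield m.groupdict()

def summarize(text):
    """Count drops per (reason, src, dst, dport).

    The source port is left out of the key so that retries of the same
    upload from new ephemeral ports are counted together.
    """
    counts = Counter()
    for d in parse_drops(text):
        counts[(d["reason"], d["src"], d["dst"], int(d["dport"]))] += 1
    return counts

def streaming_drop_flows(text, threshold=3):
    """Return (src, dst, dport, count) for flows with repeated TCP streaming drops."""
    return sorted(
        (src, dst, dport, n)
        for (reason, src, dst, dport), n in summarize(text).items()
        if reason.startswith("TCP streaming") and n >= threshold
    )

# Sample input: the line from the thread repeated six times, plus one
# constructed line with a placeholder function name and reason, plus noise.
THREAD_LINE = ("fw_log_drop: Packet proto=6 10.174.63.189:62308 -> 10.174.18.154:80 "
               "dropped by fw_conn_inspect Reason: TCP streaming drop/reject")
OTHER_LINE = ("fw_log_drop: Packet proto=17 192.0.2.10:5353 -> 192.0.2.20:53 "
              "dropped by example_func Reason: constructed other reason;")
SAMPLE = "\n".join([THREAD_LINE] * 6 + [OTHER_LINE, "unrelated debug output"])

if __name__ == "__main__":
    for src, dst, dport, n in streaming_drop_flows(SAMPLE):
        print(f"{n} TCP streaming drops: {src} -> {dst}:{dport}")
```
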
