Hi,
depending on the OS FW-1 is running on, it is possible to set this timeout to
be the same as given in the firewall properties.
I should have somewhere a note on how to do that on Solaris.
However, you could also change the TCP keepalive values of the servers/
clients which are trying to connect through the firewall.
Josef
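Josef's second suggestion, lowering the servers'/clients' TCP keepalive timers so that probes cross the firewall before its state-table entry expires, worked through as an added Python example (this is not code from the thread). It assumes the Linux per-socket keepalive options TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT; the 3600 s firewall timeout is a constructed placeholder, not a number the thread states.

```python
import socket

# Constructed value for illustration: the firewall's idle timeout for
# established TCP connections, in seconds. The thread gives no number;
# take the one shown in the firewall properties.
FIREWALL_TCP_TIMEOUT = 3600


def keepalive_params(firewall_timeout, probes=3):
    """Derive (idle, interval, count) so that one full round of keepalive
    probes finishes before the firewall's state-table entry would expire.

    idle     - seconds of silence before the first probe is sent
    interval - seconds between unanswered probes
    count    - probes sent before the peer is declared dead
    """
    idle = max(1, firewall_timeout // 2)
    interval = max(1, firewall_timeout // (2 * (probes + 1)))
    # The whole probe sequence must complete inside the firewall window,
    # otherwise the firewall forgets the connection before TCP gives up.
    assert idle + probes * interval < firewall_timeout
    return idle, interval, probes


def enable_keepalive(sock, firewall_timeout=FIREWALL_TCP_TIMEOUT):
    """Turn on keepalives on a TCP socket and, where the platform exposes
    per-socket timers (Linux), tune them to the firewall's timeout."""
    idle, interval, count = keepalive_params(firewall_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):  # Linux-specific options
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return idle, interval, count


def make_keepalive_socket(firewall_timeout=FIREWALL_TCP_TIMEOUT):
    """Create an (unconnected) TCP socket with keepalives already tuned,
    ready for connect()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    enable_keepalive(sock, firewall_timeout)
    return sock


def read_keepalive(sock):
    """Read back what the kernel actually applied, for verification."""
    cfg = {
        "keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        "idle": None,
        "interval": None,
        "count": None,
    }
    if hasattr(socket, "TCP_KEEPIDLE"):
        cfg["idle"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)
        cfg["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
        cfg["count"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return cfg


if __name__ == "__main__":
    s = make_keepalive_socket()
    print(read_keepalive(s))  # with the defaults above: idle 1800, interval 450, count 3
    s.close()
```

Keepalives only start after `idle` seconds of silence on an established connection, so they address the long idle timeout Josef refers to, not the separate 60 s timeout after the SYN, SYN/ACK, ACK that the thread also discusses.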
> -----Original Message-----
> From: Felicetti, Stephen A. [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 3:15 PM
> To: 'Hartmann, Josef'; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE: [FW1] Unknown established TCP packet
>
> ....and it's that 60s that I can't get an answer out of anyone (my support
> people) on how to increase it.
> I had connections drop for only a few applications, and the only thing I
> can attribute it to is this initial, short timeout.
>
> BTW, the fix on phoneboy did 'bandaid' the problem.
>
> -----Original Message-----
> From: Hartmann, Josef [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 24, 2001 3:16 PM
> To: [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE: [FW1] Unknown established TCP packet
>
>
>
> Hi,
>
> TCP keep alive packets reset the timer. So if TCP keep alive timers of
> servers/clients communicating through the firewall are set to less than
> the firewall's timeout, a connection shouldn't time out.
>
> Regarding your log, you should rather provide us with the network traces
> themselves AND the firewall log.
>
> If you go for reading Lance's paper more exactly you will recognize that
> there's another timeout (60s) since 4.1SP2 or SP3 after the SYN, SYN/ACK,
> ACK.
>
>
> Josef
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 23, 2001 8:43 AM
> > To: [EMAIL PROTECTED]
> > Subject: [FW1] Unknown established TCP packet
> >
> >
> > Hello,
> >
> > I have had problems with this new feature on FW-1 4.1 SP3 (Linux).
> > As far as I have learnt from Lance Spitzner, Phoneboy and this list
> > it is supposed to drop non-syn packets that are not an established
> > connection as far as the firewall is concerned (part state table).
> >
> > This causes some problems. Client/Server applications using database
> > platforms like Oracle will have to reconnect, but will not work after
> > reconnection properly because of cursors (pointers).
> >
> > Is it possible or recommendable to increase the TCP timeout beyond TCP
> > keepalive? And is TCP keepalive among the packets that will reset the
> > timeout timer of the state tables? Unless I do so I will have to disable
> > Checkpoint's new feature.
> >
> > Also, there seem to be bugs in the implementation of this feature, at
> > least as far as the Linux version is concerned.
> >
> > Just look at this log export:
> >
> > "11435" "21May2001" "13:36:45" "eth2" "localhost" "log" "accept" "924" "nille.abcde.xy" "ulysses.abcde.xy" "tcp" "3" "930" "" "" "" "" "" "" "" "" "" "firewall" " len 48"
> >
> > The line says that TCP port 924 source port 930 is accepted. Then less
> > than three minutes later:
> >
> > "11532" "21May2001" "13:39:01" "eth2" "localhost" "log" "drop" "924" "nille.abcde.xy" "ulysses.abcde.xy" "tcp" "0" "930" "" "" "" "" "" "" "" "" "" "firewall" " reason: unknown established TCP packet"
> >
> > Packet with same TCP port and source port is dropped due to the "fact"
> > that it is not part of an established connection. I cannot see what I have
> > done to make this happen. To me it looks like nothing less than a bug.
> >
> >
> > Gandalf.
> >
> >
> >
> >
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
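Gandalf's log export is the kind of evidence a defender can check mechanically. The following is an added Python example, not code from the thread or from Check Point: it parses FW-1 log-export lines in the quoted-field layout shown above, pairs each "unknown established TCP packet" drop with the last accepted packet of the same source/destination/port combination, and reports how long the connection had been known to the firewall before it was dropped. The two sample lines are the ones quoted in the thread, rejoined onto one line each; the field names assigned to the columns and the 3600 s timeout are assumptions.

```python
import csv
from datetime import datetime

# Constructed sample: the two export lines quoted in the thread, rejoined
# (the mail client had wrapped them across several lines).
SAMPLE_LOG = [
    '"11435" "21May2001" "13:36:45" "eth2" "localhost" "log" "accept" "924" '
    '"nille.abcde.xy" "ulysses.abcde.xy" "tcp" "3" "930" "" "" "" "" "" "" "" "" "" '
    '"firewall" " len 48"',
    '"11532" "21May2001" "13:39:01" "eth2" "localhost" "log" "drop" "924" '
    '"nille.abcde.xy" "ulysses.abcde.xy" "tcp" "0" "930" "" "" "" "" "" "" "" "" "" '
    '"firewall" " reason: unknown established TCP packet"',
]

# Assumed meaning of the leading columns, inferred from the thread's own
# reading of the lines ("TCP port 924 source port 930 is accepted").
FIELDS = ["num", "date", "time", "iface", "origin", "type", "action",
          "service", "src", "dst", "proto", "rule", "s_port"]


def parse_line(line):
    """Split one space-separated, double-quoted export line into a record."""
    row = next(csv.reader([line], delimiter=" ", quotechar='"'))
    rec = dict(zip(FIELDS, row))
    rec["info"] = row[-1].strip()          # free-text trailer, e.g. the drop reason
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                  "%d%b%Y %H:%M:%S")
    return rec


def find_premature_drops(lines, fw_timeout):
    """Pair each 'unknown established TCP packet' drop with the most recent
    accept for the same (src, dst, proto, service, s_port) and flag drops that
    happened before fw_timeout seconds had passed: the state-table entry was
    lost earlier than the configured idle timeout explains."""
    last_accept = {}
    findings = []
    for rec in map(parse_line, lines):
        key = (rec["src"], rec["dst"], rec["proto"], rec["service"], rec["s_port"])
        if rec["action"] == "accept":
            last_accept[key] = rec
        elif rec["action"] == "drop" and "unknown established TCP packet" in rec["info"]:
            acc = last_accept.get(key)
            if acc is None:
                continue                    # never accepted: not a lost entry
            gap = (rec["ts"] - acc["ts"]).total_seconds()
            if gap < fw_timeout:
                findings.append({
                    "key": key,
                    "accepted_at": acc["time"],
                    "dropped_at": rec["time"],
                    "gap_seconds": gap,
                })
    return findings


if __name__ == "__main__":
    for f in find_premature_drops(SAMPLE_LOG, 3600):   # 3600 s is a constructed timeout
        print(f)  # gap_seconds 136.0 for the thread's two lines
```

Run against a real export with the firewall's configured timeout, a list of such findings separates connections that simply idled past the timeout from ones the firewall forgot early, which is the distinction Gandalf's question turns on.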