david, the problem is that checkpoint (>4.1sp2) raises an initial tcp timeout of 60s after syn,syn/ack,ack. When there's one packet more on the wire this timeout is set to 3600s.
i've seen this problem with legato networker.

choices:
- not recommended: change the way fw-1 handles tcp handshake to the old style (hint: unknown established tcp packet). this affects all connections and moreover it's not stateful inspection!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- change the tcp keep alive timer (if you can configure your software) of the server or client to less than 60s.
- change objects.C or set an fw-1 kernel parameter in order to increase the tcp_initial_timeout.

hope this helps,
markus

At 16:28 22.04.2002 -0400, you wrote:
>I have a situation that occurs where a valid connection gets dropped due to no
>traffic after session setup. The client sends the SYN to the server. The server
>replies with SYN-ACK. The client sends back ACK. At this point I would expect FW-1 to
>insert the session in the connection table and set the timeout to 3600. However what
>I see is that the connection is set to 60 seconds. It will only get set to 3600 if
>the server sends the client data before the 60 seconds are up (which is not usually
>the case). So it looks like FW-1 requires SYN, SYN-ACK, ACK, DATA rather than SYN,
>SYN-ACK, ACK as indicated in just about every document that I have read. Has anyone
>else seen this? This is a major problem for our application. Any suggestions would be
>greatly appreciated.
>
>David Wilson
>Télécommunications et Téléphonie
>Montréal Exchange
>(514)871-2424 ext 355
><mailto:[EMAIL PROTECTED]>[EMAIL PROTECTED]
>

-------------------------------------------------------------------
Markus Hofbauer
IT-Service                   phone : +43 (1) 60 126-34
Internet & Security          fax   : +43 (1) 60 126-4
Bacher Systems EDV GmbH      mail  : [EMAIL PROTECTED]
Wienerbergstr. 11B           www   : http://www.bacher.at/
A-1101 Wien, Austria, Europe
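
Added example, not part of the original message and not Check Point or Legato code: one way to apply the keep-alive option from the reply on the application side, here for a Python program. The 60-second limit is the figure quoted in the thread; the helper name enable_keepalive and the 30/10/3 timer values are assumptions chosen for illustration.

```python
import socket

FW_INITIAL_TIMEOUT = 60  # seconds; the firewall figure quoted in the thread


def enable_keepalive(sock, idle=30, interval=10, probes=3,
                     fw_timeout=FW_INITIAL_TIMEOUT):
    """Enable TCP keepalive so the first probe leaves before fw_timeout.

    Hypothetical helper. Returns the values read back from the socket so
    the caller can log them; a timer the platform does not expose is
    reported as None.
    """
    if idle >= fw_timeout:
        raise ValueError(
            f"idle={idle}s must be below the firewall timeout ({fw_timeout}s)")

    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"keepalive": bool(
        sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}

    # Per-socket timers are platform specific, so probe for each constant
    # instead of assuming it exists.
    wanted = {
        "TCP_KEEPIDLE": idle,       # idle seconds before the first probe
        "TCP_KEEPINTVL": interval,  # seconds between unanswered probes
        "TCP_KEEPCNT": probes,      # unanswered probes before giving up
    }
    for name, value in wanted.items():
        opt = getattr(socket, name, None)
        if opt is None:
            applied[name] = None    # system-wide default stays in force
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


if __name__ == "__main__":
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print(enable_keepalive(s))  # call before connect()
    s.close()
```

Where a timer is reported as None the system-wide default applies; on Linux the default idle time (net.ipv4.tcp_keepalive_time) is 7200 seconds, far above the 60 seconds discussed here, so it would have to be lowered at the OS level instead.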
