Hiya,

Have been spending some time lately trying to understand exactly how the connections table and the old_connections table work in fw1.

So far my understanding is that even though the connections table is flushed when you push a policy, the old_connections table should maintain the connection (the paper seems to say this as well). I was once experiencing session timeouts with Telnet and Checkpoint suggested using the "tcpestb_grace_period (XX)" parameter in objects.C before increasing the TCP session timeout parameter. I didn't end up using it so didn't get to test but may be of use if the connection is not in either the old or new connections table after

-----Original Message-----
From: Torkel Mathisen [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 07, 2002 11:59 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Citrix drops connection when we install rulebase

Hi

I've read this paper, but I didn't think the users would actually lose the connection. I know that FW-1 clears the connection table and all that, but it also builds it up again when the session continues.

From the paper:
"When you push a new rulebase the state table is cleared. However, you will not lose any of your established connections while pushing a new rulebase."

A bit further down:
"... Firewall-1 maintains state of what connection were active prior to the new rule push. This old state table is maintained as old_connections."

We don't have this problem with other protocols. It's just Citrix. They actually lose the connection. When we use Windows terminal client we don't get disconnected. I would guess the firewall builds the connections up again and that this is transparent for the users. With Citrix this doesn't happen. It's very frustrating for our users when they are working with something and suddenly have to reconnect. And possibly even get connected to a different server than before and lose their work.

The solution you refer to is clicking on "Fast Mode" for ICA (tcp 1494)? What about icabrowser (udp 1494)?

Regards,
Torkel

> -----Original Message-----
> From: Lars Troen [mailto:[EMAIL PROTECTED]]
> Sent: 7. October 2002 15:20
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] Citrix drops connection when we install rulebase
>
> Torkel,
> http://www.enteract.com/~lspitz/fwtable.html
>
> This is a nice paper describing what's going on. The state
> table is flushed when you install a policy, but if you read
> further you can see there's still hope. :)
>
> Lars
>
> > -----Original Message-----
> > From: Torkel Mathisen [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, October 07, 2002 14:18
> > To: [EMAIL PROTECTED]
> > Subject: [FW-1] Citrix drops connection when we install rulebase
> >
> > We have a problem here with Citrix being dropped when we install
> > the rulebase.
> >
> > The users have Citrix clients up at all time, but whenever we
> > install the rulebase on the firewall the connection is dropped
> > and they have to connect again.
> >
> > Anyone have any experience with this?
> >
> > We haven't done anything special in the firewall. Only a rule that
> > accepts Citrix (1604 and 1494).
> >
> > Regards,
> > Torkel
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
