What clients are they using? Is there the opportunity to script a heartbeat into the
client? You really don't want to extend timeouts much. (Better explanations precede.)
I'd look for that sort of solution. In VanDyke's SecureCRT, you can script fairly
extensively. I know that it's not the best solution.
The other possibility is that you could draw a VPN connection? Can you VPN to the
other machines?
Cheers,
Craig Skelton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert MacDonald
Sent: August 18, 2000 6:21 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [FW1] TCP Session Timeout
Good catch Barry. Forgot about this one.
>>> "Barry W. Kokotailo" <[EMAIL PROTECTED]> 8/17/00 5:49:24 PM >>>
>My opinion on that is that the state table has a limited number of connections. If CP
>allowed any tcp connection
>to stay resident in the state table for a long period of time, eventually, memory
>would be exhausted and no further
>connections would be possible to the firewall.
>
>Thinking on this line, it probably is possible to max out the state table, and place
>the site in a DoS state.
>
>Comments from the group of Checkpoint?
>
>merlin
>
>Robert MacDonald wrote:
>
>> Barry,
>>
>> Figuring that CP is in the security related field,
>> it's probably for security reasons. Why should
>> a connection be left open, if nothing is going on?
>>
>> Robert
>>
>> >>> "Barry W. Kokotailo" <[EMAIL PROTECTED]> 8/17/00 1:33:41 PM >>>
>> >Well that is a good point. According to my working on the problem, there
>> >is a parameter called tcp keepalive. Unfortunately it has to be built within the
>> >client
<snip>
>> >> >Doug Schmidt wrote:
>> >> >
>> >> >> Hi,
>> >> >> I have called CP Support and also searched the Phonyboy FAQs, but nothing.
>> >> >> CP Support told me to increase the TCP Session Timeout. Which has a max
>> >> >> setting of 6500 seconds ( ~2 hours) which is not long enough for our needs.
>> >> >>
>> >> >> We have our user LAN behind the FW. Some of our developers on this LAN, need
>> >> >> to have telnet/ssh connections
>> >> >> to some servers (outside the FW), While these connections are open, they run
>> >> >> some jobs, which can last anywhere
>> >> >> from minutes to many hours. In the case of a job lasting say 4-5 hours, this
>> >> >> would not be long enough, since the FW
>> >> >> will drop the TCP Session when it is not active.
>> >> >>
>> >> >> Is/are there any workarounds/fixes to this problem? Any advice would be
>> >> >> great.
>> >> >>
>> >> >> Firewall Version 4.1 Build 41489 running on Slowaris 2.7
>> >> >>
>> >> >> ~D
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
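The client-side TCP keepalive option raised in this thread, as an added example that is not code from any poster or from Check Point. It derives keepalive timers from a firewall idle timeout and applies them to a socket. The function names are hypothetical, 6500 is the timeout quoted in the thread, and it is an assumption that the firewall counts keepalive probes as session activity.

```python
import socket

def keepalive_plan(fw_idle_timeout_s, probes=3, margin=0.5):
    """Choose timers so the first probe and every retry fit inside
    `margin` of the firewall's idle timeout (all values in seconds)."""
    if fw_idle_timeout_s < 10:
        raise ValueError("idle timeout too short to plan keepalives")
    budget = int(fw_idle_timeout_s * margin)
    interval = max(1, min(75, budget // (probes + 1)))
    idle = budget - interval * probes
    return {"idle": idle, "interval": interval, "probes": probes}

def enable_keepalive(sock, plan):
    """Turn on TCP keepalive for one socket using the planned timers."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "SIO_KEEPALIVE_VALS") and not hasattr(socket, "TCP_KEEPIDLE"):
        # Older Windows builds: a single ioctl, timers in milliseconds.
        sock.ioctl(socket.SIO_KEEPALIVE_VALS,
                   (1, plan["idle"] * 1000, plan["interval"] * 1000))
        return
    # Linux names the idle timer TCP_KEEPIDLE, macOS names it TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE",
                       getattr(socket, "TCP_KEEPALIVE", None))
    for opt, value in ((idle_opt, plan["idle"]),
                       (getattr(socket, "TCP_KEEPINTVL", None), plan["interval"]),
                       (getattr(socket, "TCP_KEEPCNT", None), plan["probes"])):
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)

def effective_keepalive(sock):
    """Read back what the kernel accepted; None where the option is absent."""
    def read(name):
        opt = getattr(socket, name, None)
        return None if opt is None else sock.getsockopt(socket.IPPROTO_TCP, opt)
    return {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
            "idle": read("TCP_KEEPIDLE"),
            "interval": read("TCP_KEEPINTVL"),
            "probes": read("TCP_KEEPCNT")}

if __name__ == "__main__":
    # Constructed input: the 6500-second session timeout quoted in the thread.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    enable_keepalive(s, keepalive_plan(6500))
    print(effective_keepalive(s))
    s.close()
```

Keeping the idle timer well under the firewall timeout leaves the timeout itself short, so the state-table exhaustion concern raised above is not traded away for long-lived sessions.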