Robert,

Some products out there are simply designed that way (open but no traffic
for long periods of time). We use an Internet-based service where traffic
distribution is very wide, but where the session setup time can take 3-4
minutes due to really bad code on their end (which they won't change).  It
would be nice to have granularity of session timeout values on a per-port
basis.

Regards,

--- Gavin

 -----Original Message-----
From:   Robert MacDonald [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, August 17, 2000 15:56
To:     [EMAIL PROTECTED]
Cc:     [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject:        Re: [FW1] TCP Session Timeout


Barry,

Figuring that CP is in the security related field,
it's probably for security reasons. Why should 
a connection be left open, if nothing is going on?

Robert

>>> "Barry W. Kokotailo" <[EMAIL PROTECTED]> 8/17/00 1:33:41 PM >>>
>Well that is a good point. According to my working on the problem, there
>is a parameter called tcp keepalive. Unfortunately it has to be built
>within the client application. Noticed some threads about it, and Microsoft
>has some definitions in its Knowledge Base.
>
>The thing that is interesting is why Checkpoint limits the tcp idle time to
>7200 seconds.
>Any suggestions from the group?
>
>merlin
>
>Robert MacDonald wrote:
>
>> This seems awful expensive. Why spend big
>> $$(again) for a problem that can be fixed by
>> having the programmers fix the programs that
>> are running. Anything from a simple NOHUP
>> to actually spending 15 minutes to correct
>> the program to send all output to a file, email
>> or printer for analysis.
>>
>> Heck, why not just cron a ping or something.
>>
>> Robert
>>
>> - -
>> Robert P. MacDonald, Network Engineer
>> e-Business Infrastructure
>> G o r d o n   F o o d    S e r v i c e
>> Voice: +1.616.261.7987 email: [EMAIL PROTECTED] 
>>
>> >>> "Barry W. Kokotailo" <[EMAIL PROTECTED]> 8/16/00 7:27:46 PM >>>
>> >I have come across this same situation. As far as my experience,
>> >research, and asking of this group is concerned, the answer is "no".
>> >
>> >My suggestion would be to look into Nortel Extranet Contivity Switch
>> >products.
>> >Features:
>> >
>> >IPsec
>> >PPTP
>> >Time outs of 23 hours 59 minutes.
>> >Ability of users to change their own passphrases.
>> >Password aging.
>> >Authentication:
>> >        User base
>> >                Using pass phrases of at least 16 chars.
>> >        Radius
>> >        Entrust Certificates
>> >        Ldap
>> >
>> >Secure Remote as a product is a nice freebie from Checkpoint, but it has
>> >some severe limitations, one of them being this tcp time out issue.
>> >
>> >Hope this helps.
>> >
>> >merlin
>> >
>> >Doug Schmidt wrote:
>> >
>> >> Hi,
>> >> I have called CP Support and also searched the PhoneBoy FAQ's, but
>> >> nothing.
>> >> CP Support told me to increase the TCP Session Timeout, which has a
>> >> max setting of 6500 seconds (~2 hours), which is not long enough for our
>> >> needs.
>> >>
>> >> We have our user LAN behind the FW. Some of our developers on this
>> >> LAN need to have telnet/ssh connections to some servers (outside the FW).
>> >> While these connections are open, they run some jobs, which can last
>> >> anywhere from minutes to many hours. In the case of a job lasting say 4-5
>> >> hours, this would not be long enough, since the FW will drop the TCP
>> >> session when it is not active.
>> >>
>> >> Are there any workarounds or fixes to this problem? Any advice would
>> >> be great.
>> >>
>> >> Firewall Version 4.1 Build 41489 running on Slowaris 2.7
>> >>
>> >> ~D
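As an added example (not code from any of the posters above), here is how a client application can turn on the TCP keepalive that Barry mentions, choosing the probe timers so that a keepalive packet crosses the firewall before its idle timer (the 7200-second figure discussed above) expires. The per-socket option names are the Linux ones and the timeout values are constructed for illustration; on platforms without those options only SO_KEEPALIVE is set and the system-wide defaults apply.

```python
import socket

# Constructed for illustration: the Check Point idle limit discussed in the
# thread. Any value the firewall actually enforces can be passed instead.
FIREWALL_IDLE_TIMEOUT = 7200


def keepalive_params(idle_timeout, margin=0.5, probes=3):
    """Choose (idle, interval, count) for TCP keepalive so that the first probe
    leaves the host well before the firewall's idle timer expires, and the
    retries still fit inside that window if the peer has really gone away."""
    if idle_timeout <= 0:
        raise ValueError("idle_timeout must be positive")
    idle = max(1, int(idle_timeout * margin))  # first probe at half the timeout
    interval = max(1, idle // probes)          # retries spread over the rest
    return idle, interval, probes


def enable_keepalive(sock, idle_timeout=FIREWALL_IDLE_TIMEOUT):
    """Turn on SO_KEEPALIVE and, where the platform exposes them (Linux),
    the per-socket timers. Returns the option values that were applied."""
    idle, interval, count = keepalive_params(idle_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": 1}
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)  # absent on platforms without it
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = value
    return applied


def read_back(sock, applied):
    """Read the options back from the kernel, so the caller can confirm the
    client really will send probes before the firewall drops the session."""
    state = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name in applied:
        if name != "SO_KEEPALIVE":
            state[name] = sock.getsockopt(socket.IPPROTO_TCP, getattr(socket, name))
    return state


def demo(idle_timeout=FIREWALL_IDLE_TIMEOUT):
    """Configure a fresh TCP socket (not connected to anything) and return
    what the kernel reports; a real client does this before connect()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        applied = enable_keepalive(sock, idle_timeout)
        return read_back(sock, applied)
```

A probe that the server acknowledges is an ordinary packet to the firewall, so the session's idle timer restarts every `idle` seconds; this only helps when the job's client program (telnet, ssh) sets the option, which is why the thread says it has to be built into the application.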




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================