Hello all,

I have a question that maybe someone can help me with.  After installing an upgrade to Checkpoint Firewall-1, I have been getting errors in the Checkpoint logs, "unknown established TCP packet". This is happening between a web-server and database that are separated by a Checkpoint firewall 4.1 SP2 cluster. The clustering software is RainWall.
 
There is a DB client running on the web-server that initiates 20 (something) TCP connections to the DB-server. These connections are timing out between uses, causing the error above. Consequently, the DB-server cannot send important information to the web-server, creating an error. This is not a routing issue, because the TCP session is being created and dropped on the same firewall (one member of the cluster).
 
The "TCP Session Timeout," under Policy/Properties, was modified to 24 hours (86400 seconds), the maximum time allowed. However, as I found out later, this only seemed to exacerbate the problem. After looking at the logs, the timeout went from 2 hours to under 5 minutes.
 
Because of the urgency of this problem, it was decided to pull the upgraded firewall (4.1 SP2) cluster out of production and put the Checkpoint 4.0 firewall back.
 
Looking in the knowledge base, I found a solution for "How to change the TCP session timeout for closing connections on FireWall-1". It talks about modifying the object.C file and adding a line for tcpendtimeout; however, it does not give any recommendation of a range of values for this configuration or how it interacts with the tcptimeout configuration (see object.C file).
 
Does anyone know what would be a good configuration for both the tcpendtimeout and the "TCP Session Timeout" (i.e., tcptimeout)?
 
Thanks
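The failure described in the post is the classic stateful-firewall idle timeout: the DB client holds a pool of long-lived TCP connections, the gateway discards the state entry for any connection that carries no packets for longer than the TCP session timeout, and the next packet the DB server sends on that connection arrives with no matching state and is logged as "unknown established TCP packet". Raising the gateway timeout is one side of the fix; the other is to stop the connections from going idle that long. The following is an added example, not code from the original post and not Check Point's own configuration: it derives TCP keepalive settings from an assumed firewall session timeout (the 3600 s value and the `FIREWALL_TCP_TIMEOUT_S` name are assumptions, read the real value from the policy in force) and applies them to a client socket so the kernel sends a probe, which refreshes the firewall's idle timer, before the entry can expire. The loopback listener stands in for the DB server and is constructed here only so the example runs offline.

```python
import socket
from contextlib import closing

# Assumed firewall setting, in seconds: the TCP session (idle) timeout of the
# gateway between the DB client and the DB server. Not a value from the post.
FIREWALL_TCP_TIMEOUT_S = 3600


def keepalive_params(session_timeout_s, probes=3):
    """Derive keepalive settings so the first probe is sent at half the
    firewall timeout and the remaining `probes` probes still fit inside it.
    Any probe that reaches the gateway refreshes the connection's state entry,
    so the connection never sits idle for a full timeout period."""
    if session_timeout_s < 10:
        raise ValueError("session timeout too short to keep alive sensibly")
    idle = session_timeout_s // 2
    interval = max(1, (session_timeout_s - idle) // (probes + 1))
    return idle, interval, probes


def enable_keepalive(sock, session_timeout_s, probes=3):
    """Turn on TCP keepalive on a connected socket; the per-platform option
    names differ, so only those the running platform exposes are used."""
    idle, interval, count = keepalive_params(session_timeout_s, probes)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):          # Linux and most BSDs
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    elif hasattr(socket, "TCP_KEEPALIVE"):       # macOS: idle time only
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle)
    elif hasattr(socket, "SIO_KEEPALIVE_VALS"):  # Windows: values in ms
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle * 1000, interval * 1000))
    return idle, interval, count


def read_keepalive(sock):
    """Read back what the kernel actually holds, where it can be queried."""
    on = bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))
    if not hasattr(socket, "TCP_KEEPIDLE"):
        return {"enabled": on}
    return {
        "enabled": on,
        "idle": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "interval": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "count": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


def demo_loopback(session_timeout_s=FIREWALL_TCP_TIMEOUT_S):
    """Stand-in for the DB client: connect to a loopback listener (constructed
    here in place of the real DB server), apply keepalive and report the
    effective settings."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with closing(socket.create_connection(srv.getsockname())) as client:
            conn, _ = srv.accept()
            with closing(conn):
                enable_keepalive(client, session_timeout_s)
                return read_keepalive(client)


if __name__ == "__main__":
    print("keepalive (idle, interval, count):",
          keepalive_params(FIREWALL_TCP_TIMEOUT_S))
    print("effective settings on client socket:", demo_loopback())
```

The check worth doing before relying on this: confirm that the keepalive idle time plus all probe intervals is shorter than the smallest TCP timeout on any stateful device in the path, including every cluster member, since a probe that arrives after the entry has already expired is itself dropped as an unknown established packet. Keepalives need no application-level change, but many DB client libraries also expose their own idle-connection reaping or periodic ping settings, which achieve the same effect from user space.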
