See if this helps you. Good luck.

http://www.phoneboy.com/fw1/faq/0097.html

-----Original Message-----
From: Jim Nelson
To: [EMAIL PROTECTED]
Sent: 8/29/00 6:17 PM
Subject: [FW1] TCP timeout problem with 4.1 SP2

Hello all,

I have a question that maybe someone can help me with.  After installing
an upgraded Checkpoint Firewall-1, I have been getting errors in the
Checkpoint logs, "unknown established TCP packet". This is happening
between a web-server and database that are separated by a Checkpoint
firewall 4.1 SP2 cluster. The clustering software is RainWall.
 
There is a DB client running on the web-server that initiates 20
(something) TCP connections to the DB-server. These connections are
timing out between uses, causing the error above. Consequently, the
DB-server cannot send important information to the web-server, creating
an error. This is not a routing issue, because the TCP session is being
created and dropped on the same firewall (one member of the cluster).
 
The "TCP Session Timeout," under Policy/Properties, was modified to 24
hours (86400 seconds), the maximum time allowed. However, as I found out
later, this only seemed to exacerbate the problem. After looking at the
logs the timeout went from 2 hours to under 5 minutes. 
 
Because of the urgency of this problem, it was decided to pull the
upgraded firewall (4.1 SP2) cluster out of production and put the
Checkpoint 4.0 firewall back.
 
Looking on the knowledge base, I found a solution for "How to change the
TCP session timeout for closing connections on FireWall-1". It talks
about modifying the object.C file, and adding a line for
tcpendtimeout; however, it does not give any recommendation of a range
of values for this configuration or how it interacts with the tcptimeout
configuration (see object.C file).
 
Does anyone know what would be a good configuration for both the
tcpendtimeout and the "TCP Session Timeout" (i.e., tcptimeout)?
 
Thanks


