I've got a problem with what I think is a TCP session timeout between two servers on 
either side of a Checkpoint Firewall.  Here's the scenario:
Checkpoint FW-1 SP3.  Web server on one side of the firewall, an oracle database on 
the other side using Net8.  Have a rule allowing the web server to contact the oracle 
server via sqlnet2 service.  The web server contacts the oracle server via sqlnet2 
service, according to the logs, but then establishes multiple TCP sessions with it 
using higher-level ports such as 1390, for example.  These previously established 
sessions are used whenever data is needed.

Here's the problem:  
Occasionally, when accessing a link on the web server that requires the web server to 
pull data out of the oracle database, it will fail.  The firewall logs will indicate 
"Reason: unknown established TCP packet", telling me that the FW-1 thinks that this is 
not an established TCP session in its tables.  Using a sniffer confirms that the 
packets are being sent to a particular destination port on an already established 
session, but are not passing the firewall.  Using "fw tab" on FW-1 I can see that 
indeed, the TCP session is no longer in its tables.  

When things are working correctly, the packets are going through FW-1 and the TCP 
session can be found in its tables.  Usually when the problem occurs, most ports are 
working fine, but one particular port is not.  So, my frustration is figuring out why 
these sessions appear to be timing out seemingly at random.  

I've also uncommented the line in lib/fwui_head.def to undo the change that SP2 made 
to how TCP SYN packets and installed the policy.  This did not appear to help any.  
We've also tried the oracle server outside the firewall so the firewall is out of the 
picture, and cannot recreate the problem, cementing my opinion that there is 
definitely a problem with the firewall.

Has anybody else experienced this problem?  Any ideas?

Thanks.
Quentin  
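The mechanism suspected above (a stateful firewall ageing an idle TCP session out of its table, so the next packet on the redirected Net8 port arrives with no matching state) can be modelled in a few lines. This is an added illustration, not code from the post or from Check Point; the 3600 s idle timeout, the addresses and the client ports are assumed values, while 1521 (sqlnet2) and 1390 are the ports mentioned in the post.

```python
"""Toy model of a stateful firewall's TCP session table with an idle timeout.

Shows why a long-lived Net8 data connection can be dropped as
"unknown established TCP packet": the table entry expired, so a non-SYN
packet arrives with no matching state. Timeout and hosts are assumed.
"""
from dataclasses import dataclass, field

TCP_SESSION_TIMEOUT = 3600  # assumed idle timeout in seconds (illustrative only)


@dataclass
class StateTable:
    timeout: int = TCP_SESSION_TIMEOUT
    # key: (src, sport, dst, dport) -> time the last packet on that flow was seen
    entries: dict = field(default_factory=dict)

    def expire(self, now: int) -> None:
        """Drop every entry that has been idle longer than the timeout."""
        stale = [k for k, last in self.entries.items() if now - last > self.timeout]
        for k in stale:
            del self.entries[k]

    def packet(self, now: int, flow: tuple, syn: bool = False) -> str:
        """Return the firewall's verdict for one packet on `flow`."""
        self.expire(now)
        if syn:
            self.entries[flow] = now          # new session permitted by the rule base
            return "accept (new)"
        if flow in self.entries:
            self.entries[flow] = now          # refresh the idle timer
            return "accept (established)"
        return "drop: unknown established TCP packet"


def net8_scenario(idle_gap: int, keepalive_every: int = 0) -> str:
    """Web server opens sqlnet2 (1521), is redirected to 1390, then goes idle."""
    tbl = StateTable()
    web, ora = "10.0.1.10", "10.0.2.20"                 # constructed addresses
    tbl.packet(0, (web, 40001, ora, 1521), syn=True)    # listener connection
    data = (web, 40002, ora, 1390)                      # redirected data connection
    tbl.packet(1, data, syn=True)
    if keepalive_every:                                 # e.g. TCP keepalive on the client
        for t in range(1 + keepalive_every, 1 + idle_gap, keepalive_every):
            tbl.packet(t, data)
    return tbl.packet(1 + idle_gap, data)               # next query after the gap
```

Running `net8_scenario(7200)` reproduces the drop, while `net8_scenario(7200, keepalive_every=900)` keeps the entry alive, which is why enabling TCP keepalives below the firewall's timeout, or raising that timeout for the data ports, is the usual fix for this symptom.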



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
