> as for why they are getting blocked:
> don't modulate state, keep state on the https
> this works for me
jack the timeouts up (use the conservative optimization level). IIS and IE do some funky shit with how they honor the tcp FIN flag. the default timeouts could drop the connection after 15 minutes of idle time if one endpoint doesn't honor the other endpoint's close request (FIN flag).

alternately, you could put a flags S/SA on the 'modulate state' rule and return-rst non S/SA packets. that _should_ work (it may depend on the browser).

.mike
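The two suggestions above, written out as a pf.conf fragment. This is an added example, not part of the original message; the macro names, interface, address and port 443 are assumptions chosen for illustration.

```pf
# Constructed pf.conf fragment; macro values are placeholders.
ext_if     = "em0"          # assumption: external interface
web_server = "192.0.2.10"   # assumption: documentation-range address

# Suggestion 1: the conservative optimization level lengthens the state
# timeouts, so idle or half-closed connections stay in the state table
# longer before pf expires them.
set optimization conservative

# Suggestion 2, part a: TCP packets that match no pass rule and no
# existing state get a RST back instead of being dropped silently.
# pf uses the last matching rule, so the pass rule below still wins
# for new connections.
block return-rst in on $ext_if proto tcp all

# Suggestion 2, part b: flags S/SA lets only a packet with SYN set and
# ACK clear create state on the 'modulate state' rule. A stray FIN or
# ACK arriving after the state has expired falls through to the block
# rule above and is answered with a RST.
pass in on $ext_if proto tcp from any to $web_server port 443 \
    flags S/SA modulate state
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which catches syntax errors before the rules go live.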