RE: [FW1] incorrect reply from server (seq or subject mismatch)
I know exactly what you mean man. Yeah what I meant was only keep the last 3 policies in the GUI itself for any one firewall. You know how when you click "File->Open" in the Policy editor, and you get a big list of all the policies the management station recognises? Well what I was suggesting was that you only keep the last 3 policies for any single firewall (or group of firewalls if you use common policies across multiple firewalls, like in HA environments), to cut down the size of the .fws file that I suspect is transferred when you try to save the policy/objects during a policy push.

You can go through that big list in the GUI and "delete" the policies you don't need - they'll still be stored on the management station, so don't worry - all that you are doing is removing the policy from the .fws file, making it smaller and circumventing the GUI timeout problem. If you find later on that you need to get the management station to re-recognise any of the "deleted" policies, just drop to a command shell and type "fw fwm -g policy.W" (this is for NT - I believe unix systems require "fwm -g policy.W" instead) to force the management station to reapply that policy to the .fws file.

I'm running several firewalls with over 120 rules with no problems at all now - when the total size of the .fws grows too large and you can't trim it any further, you can use the horrible workaround (let's face it, Checkpoint should just FIX the problem) of waiting till the timeout error message appears, waiting till the transfer finishes in the background, only then OKing the error to allow the rest of the transfer to succeed.

Hope this helps,

Scott.

P.S - hope you don't mind me copying the list on this - just in case anyone else thought my last email wasn't clear enough as well.

-============================-
Scott McMeekin (x25086)
Senior Technical Analyst
IT Telecoms
The Royal Bank of Scotland
Phone: +44(0)
Email: [email protected]
-============================-

> -----Original Message-----
> From: Jesus Calvo Hernandez [SMTP:[email protected]]
> Sent: Tuesday, October 17, 2000 10:43 AM
> To: McMeekin, Scott
> Subject: Re: [FW1] incorrect reply from server (seq or subject mismatch)
>
> *** Warning : This message originates from the Internet ***
>
> Hi Scott
>
> I do not quite understand what you're telling me about keeping the last three policies; in fact I keep many more on the same directory as the current one to be pushed, but the problem always appears and I have to retry pushing the policy twice or even more times until I get lucky enough to install it properly.
>
> In my case all our firewall modules are either on the same lan or at the opposite side of a frame relay link, so no link bandwidth problem is to be considered. Even worse, the problem arises mainly in the firewall module on the same lan as the management console ????? I must say that my rulebase has got 125 rules, which is a lot, I know, but we have got that number of connections and any attempt to optimize/reduce it has been in vain so far.
>
> So I might think that the problem arises and increases with the number of rules on the rulebase. But can it be solved anyhow?
>
> Thanks for your help in advance and best regards
>
> Jesus Calvo
>
> ----- Original Message -----
> From: "McMeekin, Scott" <[email protected]>
> To: "'Jesus Calvo Hernandez'" <[email protected]>; <[email protected]>
> Sent: Tuesday, October 17, 2000 12:57 PM
> Subject: RE: [FW1] incorrect reply from server (seq or subject mismatch)
>
> This is an interesting one I've been wrestling with for some time. The management server doesn't store the rulebases separately (well it does actually, as .W files, but the firewall software processes these into a combined .fws file). When the .fws file becomes too large, some kind of hard coded limit within the GUI software appears to kick in and you get timeouts and the error you mentioned. Sometimes policy pushes from the GUI will fail as a result.
>
> What I've worked out (and to be fair, phoneboy's had a resolution for this for ages) is that if I keep about the last three policy saves for each firewall, I have enough copies to be able to back out the last few changes, and the problem appears to go away. Having said that, these days I have a lot more firewalls, and the problem came back (especially when doing policy pushes remotely over a modem link). The workaround I use is this: when pushing a policy and you get a timeout, watch the modem lights - don't OK the message till the activity has stopped. I believe this gives the GUI enough time to finish saving the rules/objects etc. When you're happy the activity has stopped, OK the error dialog and it'll work fine.
>
> Until Checkpoint get their finger out and fix this it'll continue to blight an otherwise superb product. What I can't understand is the fact that this problem has been in the GUI software for over a year now. *grumble*
>
> Scott.
>
> > -----Original Message-----
> > From: Jesus Calvo Hernandez [SMTP:[email protected]]
> > Sent: Monday, October 16, 2000 7:00 PM
> > To: [email protected]
> > Subject: [FW1] incorrect reply from server (seq or subject mismatch)
> >
> > Hi all
> >
> > From some time ago I've been seeing this message at compiling/installing a policy on my firewall module. It happened when I had only one machine for management and firewall, so I thought it was a load problem. Some time after I upgraded my firewall system (now I've got two machines: one manager and one firewall module) and then it began working fine again for some time.
> >
> > Now that the number of rules has grown I'm watching this blooded message again. I think that it can be a problem of load in the firewall module, which is very busy when I try to push the policy from the management console and it does not accept more load.
> >
> > Has anyone ever encountered this problem?
> >
> > If so, has anyone ever resolved it? How can the machine be hardened if it is a load problem?
> >
> > Regards and thanks in advance