
Re: [FW1] tcp session timeout



Hi Quentin.

We had the same problem and the session dropped after 1 hour. Yes, the policy
properties has an entry tcp session timeout 3600 sec.
What we did was a change in the init.def file as follows:

#define ADD_TCP_TIMEOUT(port,to) (record <port;to> in tcp_timeouts)

(
        <0> in tcp_timeouts
) or (
        ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
        ADD_TCP_TIMEOUT(1521,28800),   /* **** add this line and the timeout will be 8 hours instead */
        ADD_TCP_TIMEOUT(0,0)
);


#endif /* __init_def__ */

The init.def file is located in $FWDIR/lib/

This is the only way to change the tcp timeout for a specific port.

I hope this helps.

Regards

Johan
----- Original Message -----
From: "Quentin Antrim" <[email protected]>
To: <[email protected]>
Sent: Wednesday, January 24, 2001 10:59 PM
Subject: [FW1] tcp session timeout


>
> I've got a problem with what I think is a TCP session timeout between two
> servers on either side of a Checkpoint Firewall.  Here's the scenario:
> Checkpoint FW-1 SP3.  Web server on one side of the firewall, an oracle
> database on the other side using Net8.  Have a rule allowing the web server
> to contact the oracle server via sqlnet2 service.  The web server contacts
> the oracle server via sqlnet2 service, according to the logs, but then
> establishes multiple TCP sessions with it using higher-level ports such as
> 1390, for example.  These previously established sessions are used whenever
> data is needed.
>
> Here's the problem:
> Occasionally, when accessing a link on the web server that requires the
> web server to pull data out of the oracle database, it will fail.  The
> firewall logs will indicate "Reason: unknown established TCP packet",
> telling me that the FW-1 thinks that this is not an established TCP session
> in its tables.  Using a sniffer confirms that the packets are being sent to
> a particular destination port on an already established session, but are not
> passing the firewall.  Using "fw tab" on FW-1 I can see that indeed, the TCP
> session is no longer in its tables.
>
> When things are working correctly, the packets are going through FW-1 and
> the TCP session can be found in its tables.  Usually when the problem
> occurs, most ports are working fine, but one particular port is not.  So, my
> frustration is figuring out why these sessions appear to be timing out
> seemingly at random.
>
> I've also uncommented the line in lib/fwui_head.def to undo the change
> that SP2 made to how TCP SYN packets and installed the policy.  This did not
> appear to help any.  We've also tried the oracle server outside the firewall
> so the firewall is out of the picture, and cannot recreate the problem,
> cementing my opinion that there is definitely a problem with the firewall.
>
> Has anybody else experienced this problem?  Any ideas?
>
> Thanks.
> Quentin
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
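As an added illustration (not part of the thread and not Check Point's own code), a small Python helper that parses the ADD_TCP_TIMEOUT entries from an init.def fragment and reports the effective idle timeout per port, so you can check whether a port that shows up in "unknown established TCP packet" log entries is actually covered by a per-port override or still falls back to the 3600-second policy default. The init.def excerpt embedded below is constructed to match the fragment in the reply; FTP_CONTROL_TIMEOUT is left symbolic because its value is not given on this page.

```python
import re

# Constructed excerpt modelled on the init.def fragment quoted in the reply (not the real file).
INIT_DEF_SAMPLE = """
#define ADD_TCP_TIMEOUT(port,to) (record <port;to> in tcp_timeouts)
(
        <0> in tcp_timeouts
) or (
        ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
        ADD_TCP_TIMEOUT(1521,28800),
        ADD_TCP_TIMEOUT(0,0)
);
"""

# Global "tcp session timeout" from the policy properties, as stated in the thread (seconds).
GLOBAL_TCP_TIMEOUT = 3600

# Matches ADD_TCP_TIMEOUT(<numeric port>,<number or macro name>); the #define line has a
# non-numeric first argument ("port") and is therefore skipped.
ENTRY_RE = re.compile(r"ADD_TCP_TIMEOUT\(\s*(\d+)\s*,\s*([A-Za-z_][A-Za-z_0-9]*|\d+)\s*\)")


def parse_tcp_timeouts(text, macros=None):
    """Return {port: seconds} for every entry except the (0,0) list terminator.

    Symbolic values such as FTP_CONTROL_TIMEOUT are resolved through `macros`
    (an assumed {name: seconds} mapping) or kept as the bare name if unknown."""
    macros = macros or {}
    table = {}
    for port, value in ENTRY_RE.findall(text):
        port = int(port)
        if port == 0:
            continue  # ADD_TCP_TIMEOUT(0,0) only terminates the list
        table[port] = int(value) if value.isdigit() else macros.get(value, value)
    return table


def effective_timeout(port, table, default=GLOBAL_TCP_TIMEOUT):
    """Idle timeout FW-1 will apply to a session on `port`: override if present, else global."""
    return table.get(port, default)


def uncovered_ports(ports, table):
    """Ports (e.g. taken from the failing log entries) that still use the global timeout."""
    return sorted(p for p in set(ports) if p not in table)
```

Feeding the dynamically negotiated port from the original post (1390) through uncovered_ports shows that an override on 1521 alone does not change the timeout for that session.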
   All contents © 2004 Network Presence, LLC. All rights reserved.