RE: [FW1] ssh connections lost
I have been experiencing similar problems. I have not noticed them in
environments running CP2K SP3 with the unsightly
"ALLOW_NON_SYN_RULEBASE_MATCH" workaround. I suspect the session is being
purged from the state table for some reason and/or keepalive traffic is
being dropped.

peter lukas

On Wed, 7 Feb 2001, corne wrote:

>
> Hi folks
>
> thanks for the many responses already received - unfortunately, it is not
> the tcp timeout that is to blame - I have already set timeout for ssh to
> 24h. The drops that we are experiencing are even happening in less time than
> the default 2h timeout (like 5 min, e.g.). Unfortunately the time taken before a
> session drops is also completely variable, ranging from 5 min to much longer.
>
> regards
> corne
>
> > it's not just ssh, also telnet, oracle, etc.
> >
> > cheers
> > corne
> >
> > > I have a situation where ssh connections from inside the fw die some
> > > arbitrary time after they were started.
> > >
> > > Doing a sniff on the network (both sides of the fw) reveals
> > > the following:
> > > packets happily flow from the client to the server. At some stage the
> > > client sends another packet, at which point the server doesn't respond.
> > > This is the stage where the ssh connection is now dead. The client now
> > > sends a bunch of retransmits, thinking that the session is still up.
> > >
> > > After the session drops, I see dropped packets in the fw log, with the
> > > error "unknown established tcp packet". This would indicate that the fw
> > > no longer has an entry in its state table for that connection.
> > >
> > > But why would the connection disappear from the table? From a network
> > > sniff, there is no indication that a reset or fin is sent, or anything
> > > like that. It seems as if the fw is arbitrarily removing that connection.
> > >
> > > Any ideas?
> > >
> > > Regards
> > > Corne van Dyk
> > > Dimension Data: Network security engineer
> > > Tel: +27 21 659 2540
> > > Fax: +27 21 659 2101
> > > Helpdesk: +27 21 659 2112
> > >
> > > ================================================================================
> > > To unsubscribe from this mailing list, please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
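
The two-sided capture comparison described in the original question can be scripted. The following is an added example, not part of the thread: it assumes no NAT between the two capture points and runs on constructed packet records, and the names `Pkt`, `flow_key` and `find_firewall_drops` are hypothetical.

```python
from collections import namedtuple

# Constructed packet record; a real capture would be parsed into this shape.
Pkt = namedtuple("Pkt", "ts src sport dst dport seq flags")

def flow_key(p):
    """Direction-independent key for a TCP connection."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def find_firewall_drops(inside, outside):
    """Report, per flow, packets captured inside the firewall that never
    appear in the outside capture. Assumes no NAT between capture points."""
    passed = {(p.src, p.sport, p.dst, p.dport, p.seq, p.flags) for p in outside}
    last_ok, closed, reports = {}, set(), {}
    for p in sorted(inside, key=lambda p: p.ts):
        k = flow_key(p)
        if (p.src, p.sport, p.dst, p.dport, p.seq, p.flags) in passed:
            last_ok[k] = p.ts
            if "F" in p.flags or "R" in p.flags:
                closed.add(k)  # a FIN/RST would explain a removed state entry
            continue
        r = reports.setdefault(k, {
            "first_drop": p.ts,                              # seconds
            "idle_before_drop": p.ts - last_ok.get(k, p.ts),  # seconds
            "fin_or_rst_seen": k in closed,
            "dropped": 0,
        })
        r["dropped"] += 1  # counts the first lost packet and its retransmits
    return reports

# Constructed sample: one SSH flow, last three client packets never get through.
C, S = "10.0.0.5", "192.0.2.10"
INSIDE = [
    Pkt(0, C, 40000, S, 22, 1000, "S"),
    Pkt(0, S, 22, C, 40000, 5000, "SA"),
    Pkt(0, C, 40000, S, 22, 1001, "A"),
    Pkt(1, C, 40000, S, 22, 1001, "PA"),
    Pkt(1, S, 22, C, 40000, 5001, "A"),
    Pkt(301, C, 40000, S, 22, 1049, "PA"),
    Pkt(302, C, 40000, S, 22, 1049, "PA"),
    Pkt(304, C, 40000, S, 22, 1049, "PA"),
]
OUTSIDE = INSIDE[:5]

if __name__ == "__main__":
    for flow, r in find_firewall_drops(INSIDE, OUTSIDE).items():
        print(flow, r)
```

In the constructed data the first lost packet follows 300 seconds of silence with no FIN or RST on the flow, which is the pattern the original question describes; the idle gap per flow can then be compared against the configured TCP timeout.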