Re: [FW1] Connection timeouts on Nokia IP boxes.



I have had the same problem recently and it's been causing hours of headache.
What configs do you have? IPSO version and FW version.

I found an article on Nokia's site yesterday relating to the problem you
describe and I've posted it below. It relates to the default 'FLOWS'
installation when you have IPSO 3.3 and Checkpoint v4.1 SP2/3 specifically. I
haven't tested the resolution yet (will try today) to see what happens.

I couldn't find any reference to this problem with Nokias on Phoneboy and would
be interested if anyone has any technical information on Flows and the way it
deals with packets (the Nokia IPSO 3.3 release notes are useless).

Cheers,

Jonathan Jackson
Network Security Analyst
AMP Group
4 Broadgate, Liverpool St
London, EC2M 2PA
Tel (44)[email protected]

Nokia article.....

TCP sessions being dropped on IPSO 3.3 and FireWall-1 4.1 SP2/SP3

Check Point FireWall-1, SecuRemote/Secure Client
for version: 4.1 SP3 And Before

last update: 03/01/2001 06:34:56

Established TCP sessions are being disconnected after FW-1's TCP timeout with
the error - unknown established TCP packet.

SOLUTION

This issue only appears to crop up when the following is true:

1. IPSO 3.3
2. FireWall-1 4.1 SP2 or SP3
3. Flows is enabled (it is by default)
4. The connection in question has continuous traffic.

Part of this problem comes from how FireWall-1 interacts with the Flows feature.
Flows moves the packets through the OS without involving FireWall-1, so
FireWall-1 doesn't "reset" the timer value for the entry in the connections
table. When the connection is about to expire, FireWall-1 queries IPSO to see
how long it has been since it has seen a packet on the connection. If there is
traffic on the connection at the exact second that FireWall-1 decides to try
and "refresh" the connection table entry, the entry and the corresponding
flows get deleted.

Nokia Customer Support has been able to reproduce this problem and has
escalated it to Check Point. Updates to this issue will be placed here. In the
meantime, you can work around this problem by disabling flows per Resolution
4188.

Resolution 4188........


Resolution 4188
How do I disable firewall flows in IPSO 3.3 and later?

Check Point FireWall-1, Miscellaneous
for version: 4.1 SP2 And Later

last update: 12/11/2000 15:47:03

Firewall Flows is designed to increase performance of FireWall-1 on the Nokia
Platform. However, there may be reasons why you would want to disable it.

SOLUTION

To temporarily disable it, one can issue the command:

    ipsofwd slowpath

This also clears the flows tables. To re-enable it, use the command:

    ipsofwd flowpath

However, it may also be desirable to disable it permanently. This must be done
by modifying $FWDIR/etc/rc/rc.fwload. Replace the "bolded" flowpath in the
following section with slowpath:

    # csh: test whether the running IPSO offers the flowpath forwarding mode
    ipsctl -n net:ip:forward:available_modes | grep -q -s flowpath
    if ($status == 0) then
        # select the forwarding mode (this is the flowpath to change)
        ipsctl -w net:ip:forward:switch_mode flowpath
    else
        echo "FireWall-1: You are attempting to start the FW on an incompatible OS - exiting" >>& $LOGDIR/fw.log
        exit 1
    endif


You also need to modify $FWDIR/bin/fwstart. Replace the "bolded" flowpath in
the following section with slowpath:

    if ($ipso) then # enable flows, if available.
        # Don't need check because it is already checked!
        ipsofwd flowpath

FireWall-1 must be re-started for this change to take effect. Once you have
done that, you cannot use the ipsofwd command to re-enable flows.
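As an added example (not Nokia's resolution text and not Check Point's own
scripts), the POSIX shell script below applies the permanent edit from
Resolution 4188 to constructed copies of the two fragments quoted above and
then checks that nothing still selects flowpath. It assumes the flowpath to be
replaced is the one on the mode-selecting command (the ipsctl -w switch_mode
line in rc.fwload and the ipsofwd line in fwstart), not the grep feature test,
which still has to look for flowpath; the work directory and the helper names
disable_flows_in and remaining_flowpath are the example's own.

```shell
#!/bin/sh
# Added example, not Nokia's or Check Point's script: applies the permanent
# "disable flows" edit from Resolution 4188 to constructed copies of the two
# fragments quoted in the resolution. On a real IP box the targets would be
# $FWDIR/etc/rc/rc.fwload and $FWDIR/bin/fwstart; this script never touches them.

# disable_flows_in FILE CMD
#   Rewrites the line "CMD flowpath" to "CMD slowpath", keeps FILE.orig as a
#   backup and prints how many "CMD slowpath" lines FILE now contains.
disable_flows_in() {
    file="$1"; cmd="$2"
    cp -- "$file" "$file.orig"
    # Anchored on the whole line, so the "grep -q -s flowpath" feature test in
    # rc.fwload (which must keep looking for flowpath) is left untouched.
    sed "s|^\([[:space:]]*\)$cmd flowpath[[:space:]]*\$|\1$cmd slowpath|" \
        "$file.orig" > "$file"
    grep -c "$cmd slowpath" "$file"
}

# remaining_flowpath FILE
#   Prints the number of lines that still select flowpath; 0 means the edit
#   is complete for that file.
remaining_flowpath() {
    grep -c -e 'switch_mode flowpath' -e 'ipsofwd flowpath' "$1" || true
}

# --- constructed sample files, contents as quoted in Resolution 4188 ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/rc.fwload" <<'EOF'
ipsctl -n net:ip:forward:available_modes | grep -q -s flowpath
if ($status == 0) then
    ipsctl -w net:ip:forward:switch_mode flowpath
else
    echo "FireWall-1: You are attempting to start the FW on an incompatible OS - exiting" >>& $LOGDIR/fw.log
    exit 1
endif
EOF

cat > "$WORK/fwstart" <<'EOF'
                if ($ipso) then # enable flows, if available.
                    # Don't need check because it is already checked!
                    ipsofwd flowpath
EOF

# Apply the edit to both copies and report what is left.
disable_flows_in "$WORK/rc.fwload" 'ipsctl -w net:ip:forward:switch_mode'
disable_flows_in "$WORK/fwstart"   'ipsofwd'
echo "flowpath lines left: rc.fwload=$(remaining_flowpath "$WORK/rc.fwload")" \
     "fwstart=$(remaining_flowpath "$WORK/fwstart")"
```

Against a real box the same two function calls would be pointed at
$FWDIR/etc/rc/rc.fwload and $FWDIR/bin/fwstart; remaining_flowpath printing 0
for both files is the check that the edit is complete, and FireWall-1 still has
to be restarted afterwards as the resolution says.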










"Dave Dunaway (ncc0296)" <[email protected]> on 10/04/2001 20:56:59

To:   [email protected]
cc:    (bcc: Jonathan B Jackson(IT)/UK/AMP)
Subject:  [FW1] Connection timeouts on Nokia IPxxx boxes.




I've noticed that my connections through Nokia boxes, when not
used in a while, tend to time out and die. Is there any way to
not have the boxes drop the connection? The box to which the
connection is made does not have anything which times the
connection out. This even occurs when I'm ssh'ed onto the
firewall itself and haven't sent any activity in a while.

thanks.


--
Dave Dunaway [[email protected]]


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================





