Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW1] TCP Timeout problems & Legato Networker

To: [email protected]
Subject: [FW1] TCP Timeout problems & Legato Networker
From: Craig Foster <[email protected]>
Date: Tue, 26 Jun 2001 10:03:18 +0100 (BST)
Cc: [email protected]
Reply-to: Craig Foster <[email protected]>
Sender: [email protected]

FireWall-1 Version 4.1 Build 41821
IPSO 3.3-FCS3  09.14.2000-234849 i386
Solstice Backup 5.5.1 (aka Legato Networker)

I'm having problems running Legato Networker backups through the firewall.
It's not an issue with the rulebase, as I've tried with 'accept all' between
the relevant hosts and get the same problem.  I have the correct ports
configured within Networker.

Here's the situation.  Backup server on internal LAN, client in DMZ.  At
scheduled time, server contacts client and there are then a number of conn's
both ways whilst the client sends data to the server for backup.

An example from yesterday's f/w connections table:

<CLIENT, 0000271e, SERVER, 00002747, 00000006; 00000000, 00000001,
   ffffff00; 131/300>
   
Connection is from src-port 10014 to svc-port 10055.  (Diversion - why Legato
connects to high service ports I don't know, but without these allowed through
the f/w it doesn't get far).

Saw this in the table for 300s, then gone.

Then, more than 5 mins later, client appears to try to send a packet on this
connection, which is dropped by the f/w (Rule 0, unknown established 
connection).  Client continues to try until the Networker timeout is reached.

Why does the client try to use this conn?  Because both it and the server 
believe the conn is still established...

server# netstat
SERVER.10055  CLIENT.10014 24820  0 24820  0 ESTABLISHED

client# netstat
CLIENT.10014  SERVER.10055 24820    77 24820     0 ESTABLISHED

So it's only the f/w that has dropped the conn, after the 5 min timeout.

Question is, why is the timeout 5 mins?  F/w policy properties has TCP 
timeout at 7200s.  Is the problem elsewhere?  Any help with this would be
much appreciated.  I've cross-posted this to both firewall-1 and legato lists
as I think it has relevance to both.

Thanks for any help

Craig

--
Craig Foster
System Administrator





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: RE: [FW1] FW log working slowly
Next by Date: [FW1] Site says that it is not a CA
Previous by thread: RE: [FW1] Secure Remote + 2 Internal DNS
Next by thread: [FW1] Site says that it is not a CA
Index(es):
- Date
- Thread