[FW-1] AW: [FW-1] TCP session timeout and long FTP transfers
Hello,

In fact FW-1 does not behave like you'd expect ;-)

We had a similar problem (FW-1 V4.1 SP4 on Solaris) and we solved it like this: go to the system where your management is running (usually the same as the filter, maybe a separate management console in larger installations) and edit the file "/opt/CPfw1-41/lib/init.def". There at the end you will find the definitions for timeout characteristics for specific ports. Normally it reads like this:

    #define ADD_TCP_TIMEOUT(port,to) (record <port;to> in tcp_timeouts)
    ( <0> in tcp_timeouts ) or (
        ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
        ADD_TCP_TIMEOUT(0,0)
    );

And you should change it to read as follows:

    #define ADD_TCP_TIMEOUT(port,to) (record <port;to> in tcp_timeouts)
    ( <0> in tcp_timeouts ) or (
    //  ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
        ADD_TCP_TIMEOUT(21,3600*n),  // where _n_ is your desired amount of hours
        ADD_TCP_TIMEOUT(0,0)
    );

If you had to change the other FTP port as well you could add

    ADD_TCP_TIMEOUT(20,3600*8)

Then do a "fwstop; fwstart" and reinstall your rulebase. This should fix your problem.

This problem is also mentioned at Phoneboy's Website (http://www.phoneboy.com/faq/0203.html).

Good luck!

With kind regards,

Bernd Fritzsche - Network Engineering / FIT-EN
---
Heidelberger Druckmaschinen AG - Gutenbergstrasse - D-69168 Wiesloch
POTS/Fax +49 (0)6222 82 2845/3440 - [email protected]

> -----Original Message-----
> From: Aleksey Mikhaylov [mailto:[email protected]]
> Sent: Thursday, 18 October 2001 23:23
> To: [email protected]
> Subject: [FW-1] TCP session timeout and long FTP transfers
>
> Hello,
>
> I'm seeing the following behavior on my firewall: when during FTP session
> the file transfer takes longer than TCP session timeout, the FTP control
> connection gets removed from the state table, even though there's activity
> on the ftp-data channel. Is this supposed to be like that ?
> I'd assume that even though there's no activity on the ftp control TCP
> connection for longer than session timeout, the connection should be kept in
> the table, because FTP data transfer is part of the same session.
>
> Thank you,
>
> Aleksey
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================