Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] ack out of state!

To: [email protected]
Subject: Re: [FW-1] ack out of state!
From: Eric Schroeder <[email protected]>
Date: Wed, 13 Aug 2003 08:02:00 -0600
In-reply-to: <000c01c36145$6a30da10$6501010a@PC>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

By default, the firewall will timeout any connections after 3600 seconds
(1 hour).  Your citrix connections are probably being kept opened a lot
longer than that, so after an hour they will be timeout, taken out of the
fw state table, and you will get this error.  There are several possible
solutions.

You can adjust the global TCP session timeout in the Global Properties ->
Stateful Inspection section.

You should also be able to deselect "Drop out of state TCP packets" and
the firewall will recompare the traffic to the policy after the timeout is
reached instead of just dropping it.  (I have experienced some problems
with this working in the past with NG, but have not seen any problems
since FP3.  Anyone else have any experiences?)

You can also adjust the TCP session timeout on a per protocol basis.  Open
the Citrix TCP service, select "Advanced", and at the bottom you can
change the "Session Timeout" from using the default value to using a
higher value.  (You can try setting the value to zero, in the 4.1 days
this would cause the session to never timeout, but I do not know what it
will do in NG)

Hope this helps.

Eric Schroeder




Will Black <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
<[email protected]>
08/12/2003 08:48 PM
Please respond to
Mailing list for discussion of Firewall-1
<[email protected]>


To
[email protected]
cc

Subject
[FW-1] ack out of state!






Ever seen this message, just started happening out of the blue.

th_flag 10 = ack out of state
> th_flag 18 = push+ack out of state

It is killing the citrix connections, any thoughts would be welcome!

Will Black



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Follow-Ups:
- Re: [FW-1] ack out of state!
  - From: Will Black <[email protected]>

References:
- [FW-1] ack out of state!
  - From: Will Black <[email protected]>

Prev by Date: Re: [FW-1] Kazaa, Overnet, eDonkey, WinMX and other P2P Applications....
Next by Date: Re: [FW-1] Kazaa, Overnet, eDonkey, WinMX and other P2P Applications....
Previous by thread: Re: [FW-1] ack out of state!
Next by thread: Re: [FW-1] ack out of state!
Index(es):
- Date
- Thread