Re: [FW-1] OUT OF STATE PACKETS
Hi Jason,

I am going to give my friend Eric the credit for the answer included below; it's worth looking at!

By default, the firewall will time out any connections after 3600 seconds (1 hour). Your Citrix connections are probably being kept open a lot longer than that, so after an hour they will be timed out, taken out of the FW state table, and you will get this error.

There are several possible solutions. You can adjust the global TCP session timeout in the Global Properties -> Stateful Inspection section. You should also be able to deselect "Drop out of state TCP packets" and the firewall will recompare the traffic to the policy after the timeout is reached instead of just dropping it. (I have experienced some problems with this working in the past with NG, but have not seen any problems since FP3. Anyone else have any experiences?)

You can also adjust the TCP session timeout on a per-protocol basis. Open the Citrix TCP service, select "Advanced", and at the bottom you can change the "Session Timeout" from using the default value to using a higher value. (You can try setting the value to zero; in the 4.1 days this would cause the session to never time out, but I do not know what it will do in NG.)

Hope this helps.

Cheers
Will

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Jason Cameron
Sent: Wednesday, August 20, 2003 7:51 AM
To: [email protected]
Subject: [FW-1] OUT OF STATE PACKETS

I am currently running a Citrix server (on DMZ subnet) with a published app accessing another server's database on a private LAN subnet. These subnets are directly connected to the Nokia IP 330 NG FP2 cluster I am running. I also have dial-up customers accessing the published application on the Citrix server.

The problem is I experience a huge amount of "out of state" packets in the FW log between the Citrix server and the database server on the private LAN. I have checked the NIC settings on the servers (set to 100 Full duplex) and on the switches there is no auto-negotiation. I wonder, has anyone set up this solution with dial-up clients and WAN clients using a Citrix published app to access a SWIFT Alliance Access database? I don't understand why there would be so many out of state packets. Is the TCP timeout value too low or is it the drop out of state UDP packets?

Thanks

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
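The behaviour described in the reply above, as a simplified model added here for illustration (it is not part of the original thread and is not Check Point code): a connection table with an idle timeout, a per-service override, and a switch standing in for "Drop out of state TCP packets". The host names, the service name and the event times are constructed.

```python
from dataclasses import dataclass, field

DEFAULT_TIMEOUT = 3600  # seconds; the default TCP session timeout quoted in the reply


@dataclass
class StateTable:
    """Toy model of a stateful firewall's TCP connection table."""
    service_timeouts: dict = field(default_factory=dict)  # per-service override, seconds
    drop_out_of_state: bool = True                         # models the checkbox in the reply
    policy: set = field(default_factory=set)               # allowed (src, dst, service)
    conns: dict = field(default_factory=dict)              # key -> time of last packet

    def timeout_for(self, service):
        return self.service_timeouts.get(service, DEFAULT_TIMEOUT)

    def packet(self, now, src, dst, service, syn=False):
        """Return the verdict for one packet seen at time `now` (seconds)."""
        key = (src, dst, service)
        last = self.conns.get(key)
        if last is not None and now - last > self.timeout_for(service):
            del self.conns[key]          # idle too long: entry aged out of the table
            last = None
        if last is not None:
            self.conns[key] = now        # known connection: refresh the idle timer
            return "accept (in state)"
        if syn or not self.drop_out_of_state:
            # New connection, or a mid-stream packet re-compared to the rule base
            if key in self.policy:
                self.conns[key] = now
                return "accept (policy match)"
            return "drop (policy)"
        return "drop (out of state)"


def replay(table, events):
    """Feed (time, syn) events for one constructed Citrix-to-database flow."""
    flow = ("citrix-dmz", "db-lan", "db-service")   # constructed names
    return [table.packet(t, *flow, syn=s) for t, s in events]


# Constructed traffic: handshake, activity at 10 minutes, then over an hour of silence
EVENTS = [(0, True), (600, False), (4300, False)]
POLICY = {("citrix-dmz", "db-lan", "db-service")}
```

Replaying `EVENTS` against the default table drops the last packet as out of state; raising the service timeout or clearing `drop_out_of_state` lets it through, matching the two workarounds in the reply.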