Rajeev,

They didn't offer a workaround, only a timeframe for the next release which is supposed to be June 2006, which is supposed to have some tuneable re-assembly timeout parameter. The new parameter 'timeout' will be added here:

# ipsctl -a net:ip:reass:stats:vr

Perhaps somebody can verify if said parameter is already included in 4.x?

Werner

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Rajeev Gupta
Sent: Monday, May 15, 2006 08:33
To: [email protected]
Subject: Re: [FW-1] message: Virtual defragmentation error: Timeout

Thanks for the update, Werner. But what is to be done before the next release? ignore?

Rajeev

On 5/15/06, Brockhoven, Werner <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I was just informed by Nokia that there is a known issue in IPSO 3.9
> B045 and should be fixed in the next release.
>
> Werner
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Rajeev
> Gupta
> Sent: Friday, May 12, 2006 15:09
> To: [email protected]
> Subject: Re: [FW-1] message: Virtual defragmentation error: Timeout
>
> You may like to tweak fwfrag_limit and fwfrag_timeout parameters -
> specifically in the context of your error message, increasing
> fwfrag_timeout may help a bit - these are firewall's defragmentation
> parameters. However, if small tweaks do not help, the best ultimate
> solution is what you have already indicated: decreasing the mtu on the
> CCTV site.
>
> hth,
>
> Rajeev
>
> On 5/11/06, Matt Rose <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > We are trying to access a CCTV website.
> >
> > Return traffic is getting dropped with Information:
> >
> > message: Virtual defragmentation error: Timeout
> > ip_id: 60365
> > ip_len: 0
> > ip_offset: 0
> > fragments_dropped: 5
> > during_sec: 60
> >
> > I understand these drops are a feature of how Checkpoint handles
> > fragmented packets.
> >
> > I have searched SecureKnowledge & Google and can not see how to
> > configure Checkpoint to allow this, I would guess Global Properties,
> > Stateful Inspection, Other IP protocols virtual session timeout???
> >
> > This is happening on Nokia & Alteon firewalls with different versions
> > of IPSO and Checkpoint on in a Provider1 environment.
> >
> > Would reducing the MTU size setting on the web server hosting the CCTV
> > website sort this?
> >
> > TIA,
> > Matt.
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
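
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Check Point or IPSO code: a simplified model of a reassembly table with a timeout, showing what happens to held fragments when one is lost, when they arrive slowly, and when the sender's packets are small enough not to fragment. The names `fragment`, `complete`, `VirtualDefrag` and `run` and all sample values are constructed, and the `timeout` argument only stands in for `fwfrag_timeout`.

```python
# Constructed model. A fragment is (ip_id, offset, length, more_fragments, arrival_time).
def fragment(ip_id, payload_len, path_mtu, gap=0.0):
    step = (path_mtu - 20) // 8 * 8          # 20-byte IP header; payloads in 8-byte units
    frags, off = [], 0
    while off < payload_len:
        n = min(step, payload_len - off)
        frags.append((ip_id, off, n, off + n < payload_len, gap * len(frags)))
        off += n
    return frags

def complete(frags):
    # Complete once the MF=0 fragment is present and bytes 0..end have no hole.
    end = 0
    for _, off, n, _, _ in sorted(frags, key=lambda f: f[1]):
        if off > end:
            return False
        end = max(end, off + n)
    return not all(f[3] for f in frags)

class VirtualDefrag:
    def __init__(self, timeout):
        self.timeout = timeout               # stands in for fwfrag_timeout, in seconds
        self.held = {}                       # ip_id -> (first_seen, fragments held)
        self.forwarded, self.drops = [], []

    def expire(self, now):
        for ip_id, (first, frags) in list(self.held.items()):
            if now - first > self.timeout:   # datagram never completed: drop what is held
                del self.held[ip_id]
                self.drops.append({"ip_id": ip_id, "fragments_dropped": len(frags)})

    def feed(self, frag):
        ip_id, off, _, more, t = frag
        self.expire(t)
        if off == 0 and not more:            # unfragmented packet, nothing to reassemble
            self.forwarded.append(ip_id)
            return
        frags = self.held.setdefault(ip_id, (t, []))[1]
        frags.append(frag)
        if complete(frags):
            del self.held[ip_id]
            self.forwarded.append(ip_id)

def run(frags, timeout, end_time=60.0):
    fw = VirtualDefrag(timeout)
    for f in sorted(frags, key=lambda f: f[4]):
        fw.feed(f)
    fw.expire(end_time)
    return fw.forwarded, fw.drops
```

In this model a larger timeout rescues fragments that arrive slowly but not a datagram with a lost fragment, while a sender whose packets fit the path MTU never enters the table at all.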
