Hello, I just went through that exact same problem with a customer that migrated from software version VPN-1 UTM to a UTM-1 appliance. Everything used to work perfectly, but after the change, uploads to an MS SharePoint server were failing with timeouts, although it was not a constant issue.
Check Point support told me to change the parameters mentioned by Hugo with the following commands:

    # fw ctl set int fwtcpstr_allow_out_of_max_window 1
    # fw ctl set int fwtcpstr_max_window 65536

But I bumped into problems because the first command was not working on R65 w/Messaging Security HFA25 (which came from the factory with the appliance). I had to go first to HFA30 and finally apply a non-publicly available hotfix the support guy put on their FTP server, in order to be able to apply the two commands. The last hotfix mentioned was named "fw1_HOTFIX_ENF_HF_HA30_056_620056001_1", so you can ask support for it if you decide to try it.

Now, since the problem was occurring only sometimes, and I applied this solution last Thursday, we are still in a monitoring phase and can't be 100% sure it got completely resolved, but by the end of the day on Friday, my customer reported no issues so far.

Hope it helps.

On Sun, Jan 18, 2009 at 5:38 PM, Hugo van der Kooij <[email protected]> wrote:

> Ansar Mohammed wrote:
> > Has anyone ever come across an issue where file uploads to IIS are
> > intermittently dropped?
> >
> > We have tested the uploads with an identically configured local server and a
> > remote server on our WAN behind FW-1, and the IIS upload session times out
> > with error 500.
>
> Use "fw monitor" to troubleshoot.
>
> Common known problems:
> - Running out of your TCP window.
> - Exceeding the normal TCP window limit of FW-1 (which happens to be
>   10kB only).
> - Selective acknowledgements.
>
> There is quite a bit about this in Secure Knowledge. Using "tcpstr" as
> keyword might lead you straight to it.
>
> Hugo.
>
> --
> [email protected] http://hugo.vanderkooij.org/
> PGP/GPG <http://hugo.vanderkooij.org/PGP/GPG>? Use:
> http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?

--
Sergio Alvarez (506)8301342

Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
