Sukhpreet Singh wrote:
>
> See if this helps you. Good luck.
>
> http://www.phoneboy.com/fw1/faq/0097.html

I was under the impression that the answer above addresses issues in
versions prior to 4.1.

On phoneboy there is another link,
http://www.phoneboy.com/fw1/faq/0408.html
which talks about this issue and provides a solution on how to disable
the logging of these packets.

OTOH there is nothing related to increasing the value.

If I am not wrong there were some previous postings on this issue last
week(s).

Cristian

>
> -----Original Message-----
> From: Jim Nelson
> To: [EMAIL PROTECTED]
> Sent: 8/29/00 6:17 PM
> Subject: [FW1] TCP timeout problem with 4.1 SP2
>
> Hello all,
>
> I have a question that maybe someone can help me with. After installing
> an upgraded Checkpoint Firewall-1, I have been getting errors in the
> Checkpoint logs, "unknown established TCP packet". This is happening
> between a web-server and database that are separated by a Checkpoint
> firewall 4.1 SP2 cluster. The clustering software is RainWall.
>
> There is a DB client running on the web-server that initiates 20
> (something) TCP connections to the DB-server. These connections are
> timing out between uses, causing the error above. Consequently, the
> DB-server cannot send important information to the web-server, creating
> an error. This is not a routing issue, because the TCP session is being
> created and dropped on the same firewall (one member of the cluster).
>
> The "TCP Session Timeout," under Policy/Properties, was modified to 24
> hours (86400 seconds), the maximum time allowed. However, as I found out
> later, this only seemed to exacerbate the problem. After looking at the
> logs the timeout went from 2 hours to under 5 minutes.
>
> Because of the urgency of this problem, it was decided to pull the
> upgraded firewall (4.1 SP2) cluster out of production and put the
> Checkpoint 4.0 firewall back.
>
> Looking on the knowledge base, I found a solution for "How to change the
> TCP session timeout for closing connections on FireWall-1". It talks
> about modifying the object.C file, and adding a line for
> tcpendtimeout; however, it does not give any recommendation of a range
> of values for this configuration or how it interacts with the tcptimeout
> configuration (see object.C file).
>
> Does anyone know what would be a good configuration for both the
> tcpendtimeout and the "TCP Session Timeout" (i.e., tcptimeout)?
>
> Thanks
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================