That's certainly worth trying, but in my tests the drops are occurring
_before_ the TCP timeout is hit. This is also what Jim is seeing, per
his previous post. My quick fix recommendation is to disable the more
aggressive TCP session checking, per page 6 of the SP2 release notes.
I'm still working on a more complete analysis of what's happening and
why.
--
Jack Coates, Rainfinity SE
t: 408-382-4860 m: 650-280-4376
Sukhpreet Singh wrote:
>
> See if this helps you. Good luck.
>
> http://www.phoneboy.com/fw1/faq/0097.html
>
> -----Original Message-----
> From: Jim Nelson
> To: [EMAIL PROTECTED]
> Sent: 8/29/00 6:17 PM
> Subject: [FW1] TCP timeout problem with 4.1 SP2
>
> Hello all,
>
> I have a question that maybe someone can help me with. After installing
> an upgrade Checkpoint Firewall-1, I have been getting errors in the
> Checkpoint logs, "unknown established TCP packet". This is happening
> between a web-server and database that are separated by a Checkpoint
> firewall 4.1 SP2 cluster. The clustering software is RainWall.
>
> There is a DB client running on the web-server that initiates 20
> (something) TCP connections to the DB-server. These connections are
> timing out between uses, causing the error above. Consequently, the
> DB-server cannot send important information to the web-server, creating
> an error. This is not a routing issue, because the TCP session is being
> created and dropped on the same firewall (one member of the cluster).
>
> The "TCP Session Timeout," under Policy/Properties, was modified to 24
> hours (86400 seconds), the maximum time allowed. However, as I found out
> later, this only seemed to exacerbate the problem. After looking at the
> logs the timeout went from 2 hours to under 5 minutes.
>
> Because of the urgency of this problem, it was decided to pull the
> upgraded firewall (4.1 SP2) cluster out of production and put the
> Checkpoint 4.0 firewall back.
>
> Looking on the knowledge base, I found a solution for "How to change the
> TCP session timeout for closing connections on FireWall-1". It talks
> about modifying the object.C file, and adding a line for
> tcpendtimeout; however, it does not give any recommendation of a range
> of values for this configuration or how it interacts with the tcptimeout
> configuration (see object.C file).
>
> Does anyone know what would be a good configuration for both the
> tcpendtimeout and the "TCP Session Timeout" (i.e., tcptimeout)?
>
> Thanks
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
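The failure mode the thread describes, as an added illustration that is not part of either message or of FireWall-1's code: a toy stateful connection table with an idle timeout for established sessions (playing the role of tcptimeout) and a shorter one for sessions that have seen FIN/RST (playing the role of tcpendtimeout). Packets for a flow whose entry has aged out are classified the way the log in the thread does; the timeout values, flow names and packet trace are constructed.

```python
"""Toy model of a stateful firewall's TCP idle timeouts (assumed names and
values; constructed for this page, not FireWall-1's implementation)."""
from dataclasses import dataclass

TCP_TIMEOUT = 3600      # idle seconds before an established entry is forgotten (assumed)
TCP_END_TIMEOUT = 50    # idle seconds an entry survives after FIN/RST (assumed)

@dataclass
class Pkt:
    t: int       # seconds since trace start
    flow: str    # connection identifier, e.g. "web:40001->db:1521"
    flags: str   # "SYN", "ACK", "FIN" or "RST"

def track(trace, tcp_timeout=TCP_TIMEOUT, tcp_end_timeout=TCP_END_TIMEOUT):
    """Replay a time-ordered trace; return (t, flow, verdict) per packet."""
    table = {}   # flow -> (last_seen, state)
    out = []
    for p in trace:
        # Age out idle entries before looking the packet up.
        for f, (last, state) in list(table.items()):
            limit = tcp_end_timeout if state == "closing" else tcp_timeout
            if p.t - last > limit:
                del table[f]
        if p.flags == "SYN":                      # new session: create the entry
            table[p.flow] = (p.t, "established")
            out.append((p.t, p.flow, "accept"))
        elif p.flow in table:                     # known session: refresh it
            state = "closing" if p.flags in ("FIN", "RST") else table[p.flow][1]
            table[p.flow] = (p.t, state)
            out.append((p.t, p.flow, "accept"))
        else:                                     # no entry: mid-stream packet
            out.append((p.t, p.flow, "drop: unknown established TCP packet"))
    return out

def demo():
    # A: pooled DB connection used once, then idle 2 h before the server replies.
    # B: same idle period, but the client sends a keepalive ACK every 30 min.
    # C: closed with FIN, then a late ACK 80 s after the last packet.
    trace = [Pkt(0, "A", "SYN"), Pkt(60, "A", "ACK"), Pkt(7260, "A", "ACK"),
             Pkt(0, "B", "SYN"), Pkt(1800, "B", "ACK"), Pkt(3600, "B", "ACK"),
             Pkt(5400, "B", "ACK"), Pkt(7260, "B", "ACK"),
             Pkt(0, "C", "SYN"), Pkt(100, "C", "FIN"), Pkt(120, "C", "ACK"),
             Pkt(200, "C", "ACK")]
    trace.sort(key=lambda p: p.t)
    return track(trace)

if __name__ == "__main__":
    for t, flow, verdict in demo():
        print(f"t={t:5d} flow={flow} {verdict}")
```

Flow A is dropped because the gap between uses exceeds the idle timeout while flow B survives the same wall-clock period, which is why a keepalive interval shorter than the firewall's idle timeout, or a longer timeout, removes the symptom.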