What is the best way to extend the TCP connection timeout? There are two entries in the object.C file: tcptimeout and tcpendtimeout. (See the article "How to change the TCP session timeout for closing connections on FireWall-1" on the secure Knowledge Base.)
 
Is there some combination of configuration entries that extends the TCP statetable timeout? Presently, I am using Checkpoint 4.1 SP2 and I have the tcptimeout set to 86400 seconds (24 hours). But this configuration did not resolve the problems I am experiencing with entries timing out in the statetable.
 
Using Checkpoint 4.0, I was able to set the "TCP Session Timeout" (tcptimeout) to 86400 seconds, and the connectivity issues went away. I want Checkpoint 4.1 SP2 to work like Checkpoint 4.0. Any ideas?...
----- Original Message -----
From: Jim Nelson
Sent: Tuesday, August 29, 2000 4:17 PM
Subject: [FW1] TCP timeout problem with 4.1 SP2

Hello all,

I have a question that maybe someone can help me with. After installing an upgrade to Checkpoint Firewall-1, I have been getting errors in the Checkpoint logs, "unknown established TCP packet". This is happening between a web-server and database that are separated by a Checkpoint firewall 4.1 SP2 cluster. The clustering software is RainWall.
 
There is a DB client running on the web-server that initiates 20 (something) TCP connections to the DB-server. These connections are timing out between uses, causing the error above. Consequently, the DB-server cannot send important information to the web-server, creating an error. This is not a routing issue, because the TCP session is being created and dropped on the same firewall (one member of the cluster).
 
The "TCP Session Timeout," under Policy/Properties, was modified to 24 hours (86400 seconds), the maximum time allowed. However, as I found out later, this only seemed to exacerbate the problem. After looking at the logs, the timeout went from 2 hours to under 5 minutes.
 
Because of the urgency of this problem, it was decided to pull the upgraded firewall (4.1 SP2) cluster out of production and put the Checkpoint 4.0 firewall back.
 
Looking on the knowledge base, I found a solution for "How to change the TCP session timeout for closing connections on FireWall-1". It talks about modifying the object.C file and adding a line for tcpendtimeout; however, it does not give any recommendation of a range of values for this configuration or how it interacts with the tcptimeout configuration (see object.C file).
 
Does anyone know what would be a good configuration for both the tcpendtimeout and the "TCP Session Timeout" (i.e., tcptimeout)?
 
Thanks
