[VPN] Application timeouts over VPN...HELP!

Alex Pankratov alex at cipherica.com
Wed Apr 2 13:33:39 EST 2003


Mike Hancock wrote:
> We have a good and solid VPN between a Checkpoint and a NetScreen; it's 
> up and solid. I can send 100 pings and get 100% response. Ping times 
> across the tunnel are 63ms average.  The developers for each company 
> keep saying that the "firewall" is dropping the packets. And it is. 
> Application A starts the session (SYN), App B answers (SYN/ACK), App 
> A (ACK)....no problem. The apps even talk out to the correct DST ports. 
> The problem comes when App A tries to send info over the established session 
> (example src port 2565) but sends it out 65 seconds after the last 
> communication; the firewalls time out the session and App A should 
> resend over a new source port. It never does. It will try till its dying 
> days to communicate over that FIRST session.

Regardless of the respective positions of the VPN terminator and the 
firewall, the problem is clearly in the firewall setup. I'm not an 
admin, so I'll leave troubleshooting to other people :) But ..

>
> I am a router/firewall guy and not a programmer; is there anything that 
> I can do to lessen the problem from a firewall/VPN point of view? I keep 
> saying that they need to speed up response times on their TCP 
> communications and send "heartbeats". They call me "Non-Helpful".

.. being a programmer myself, I can comment on this though. Using 
application-level heartbeats to keep alive a *TCP* connection is not a 
good idea for a number of reasons. One of them is the inability to 
guarantee heartbeat intervals even with 10-sec precision (caused in part 
by traffic shaping and QoS-misbehaved routers), which renders the whole
idea useless.

/alex
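The alternative to application-level heartbeats that the reply hints at is to let the TCP stack itself probe the idle session, with timers set well inside the firewall's idle timeout, and to reconnect (which yields a new source port and a fresh firewall state entry) as soon as the kernel reports the old session dead. The following is an added example, not code from either poster; it assumes a constructed firewall idle timeout of 60 seconds (the post only says the session is gone by 65 seconds) and uses the TCP keepalive socket options Python exposes on the running platform, falling back to system defaults where a name is missing.

```python
import socket
import threading


def keepalive_params(idle_timeout, probes=3):
    """Derive keepalive timers from the firewall's idle timeout so that a
    probe reaches the firewall long before its timer expires and a dead
    peer is reported before the firewall would have dropped the state."""
    idle = idle_timeout // 3        # silence before the first probe
    interval = idle_timeout // 6    # spacing of the following probes
    if idle + interval * probes >= idle_timeout:
        raise ValueError("probes would finish after the firewall timeout")
    return idle, interval, probes


def enable_keepalive(sock, idle, interval, probes):
    """Turn on SO_KEEPALIVE and set per-socket timers where the platform
    exposes them (TCP_KEEPIDLE on Linux/Windows, TCP_KEEPALIVE on macOS)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPALIVE", idle),
                        ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)
        if opt is not None:
            try:
                sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            except OSError:
                pass  # name known to Python but not supported here


def send_with_reconnect(connect, payload):
    """Send on the current session; if the kernel reports it dead (keepalive
    makes that happen within idle + interval*probes rather than after the
    long retransmission timeout), open a fresh connection and send again."""
    sock = connect()
    try:
        sock.sendall(payload)
    except OSError:
        sock.close()
        sock = connect()   # new ephemeral source port, new firewall entry
        sock.sendall(payload)
    return sock


def demo_loopback(idle_timeout=60, payload=b"ping"):
    """Constructed offline run against a loopback listener.
    Returns (SO_KEEPALIVE flag on the client, bytes the server received)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = []

    def serve():
        conn, _ = srv.accept()
        received.append(conn.recv(64))
        conn.close()

    worker = threading.Thread(target=serve)
    worker.start()

    def connect():
        s = socket.create_connection(srv.getsockname())
        enable_keepalive(s, *keepalive_params(idle_timeout))
        return s

    sock = send_with_reconnect(connect, payload)
    flag = sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
    sock.close()
    worker.join()
    srv.close()
    return flag, received[0]
```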
