Re: [VPN] Application timeouts over VPN...HELP!
hakan.palm at generic.se
Thu Apr 3 16:37:28 EST 2003
Mike,
have you tried tweaking the timers in the firewalls? Usually you can
modify the idle time a firewall allows before considering a TCP session
stale and closing it.
I do believe you can change the relevant settings for FW-1 in the
object.C file. I guess there's a spiffy knob somewhere in the GUI you
can fiddle with otherwise...
HTH
/Palm
Mike.Hancock at sourcemed.net
2003-04-02 20:24
To: vpn at lists.shmoo.com @ INTERNET
Cc: (Blank: Hakan Palm/Generic)
Subject: [VPN] Application timeouts over VPN...HELP!
We have a good and solid VPN between a Checkpoint and a NetScreen, it's
up and solid. I can send 100 pings and get 100% response. Ping times
across the tunnel are 63ms average. The developers for each company
keep saying that the "firewall" is dropping the packets. And it is.
Application A starts the session (syn), App B answers (synack), App
A (ack)....no problem. The apps even talk out to the correct DST ports.
Problem comes when App A tries to send info over the established session
(example src port 2565) but sends it out 65 seconds since the last
communications, the firewalls time out the session and App A should
resend over a new source port. It never does. It will try till its dying
days to communicate over that FIRST session.
I am a router firewall guy and not a programmer, is there anything that
I can do to lessen the problem from a firewall/VPN point of view? I keep
saying that they need to speed up response times on their TCP
communications and send "heartbeats". They call me "Non-Helpful".
I just want to fix it. Any ideas?
App A-----------------Checkpoint========INTERNET===========NetScreen----------------------App B
_______________________________
Mike
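
Added example, not part of the original thread: a sketch of the "heartbeat" idea at the TCP layer, where the application enables keepalive probes with timers chosen to fire inside the firewall's idle window so the session entry is refreshed before it is aged out. The 60-second idle timeout is an assumed value picked to sit under the 65-second gap described above, the function names are hypothetical, and the per-socket timer options are the Linux ones.

```python
import socket

def keepalive_plan(fw_idle_timeout, probes=3):
    """Choose keepalive timers (seconds) that fire before a firewall idle timeout."""
    if fw_idle_timeout < 10:
        raise ValueError("idle timeout too short to cover with TCP keepalive")
    idle = fw_idle_timeout // 2  # first probe at half the idle window
    # Spread the retry probes over what is left of the window.
    interval = max(1, (fw_idle_timeout - idle) // (probes + 1))
    return {"idle": idle, "interval": interval, "probes": probes}

def dead_peer_detect_seconds(plan):
    """Worst-case time until the local stack reports a dead session to the app."""
    return plan["idle"] + plan["interval"] * plan["probes"]

def apply_keepalive(sock, plan):
    """Enable keepalive on sock and return the values the kernel reports back."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    enabled = sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0
    applied = {"enabled": enabled}
    # Per-socket timers use Linux option names; elsewhere the OS defaults apply.
    options = (("idle", "TCP_KEEPIDLE"),
               ("interval", "TCP_KEEPINTVL"),
               ("probes", "TCP_KEEPCNT"))
    for key, name in options:
        if hasattr(socket, name):
            opt = getattr(socket, name)
            sock.setsockopt(socket.IPPROTO_TCP, opt, plan[key])
            applied[key] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied

if __name__ == "__main__":
    FW_IDLE_TIMEOUT = 60  # assumed firewall idle timeout, not a value from the thread
    plan = keepalive_plan(FW_IDLE_TIMEOUT)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("plan:", plan)
        print("applied:", apply_keepalive(s, plan))
        print("dead session reported within", dead_peer_detect_seconds(plan), "s")
```

With keepalive enabled, a session the firewall has already dropped surfaces to the application as a socket error once the probes go unanswered, which gives the client a signal to reconnect from a new source port.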