[VPN] Application timeouts over VPN...HELP!

Mike Hancock Mike.Hancock at sourcemed.net
Fri Apr 4 07:24:08 EST 2003


We can reset the timers (a global setting in CP and NS) but sometimes
the applications do not interact for a couple of hours and I had rather
not make sessions viable for hours at a time. 
 
Mike

-----Original Message-----
From: safieradam [mailto:safieradam at hotmail.com] 
Sent: Thursday, April 03, 2003 9:13 AM
To: Mike Hancock; vpn at lists.shmoo.com
Subject: Re: [VPN] Application timeouts over VPN...HELP!


There is a timer for TCP in the FW 4.1 policy properties menu.  I think
the default is 60 seconds but it may be 40.  It's been a while.  Anyway,
you might change that so the firewall gives TCP sessions much longer to
get established.  I don't remember on Netscreen but it should also have
a time out option.
 
Also, try sending large pings just to make sure that still works
(you are checking MTU size limits, just in case).
 
However, you should point out to the "developers" that if their
application is to work on anything but the one link, especially over the
internet with other companies, they need to fix it.  Firewalls are
becoming a networking fact of life and their application will always
have problems unless they adopt and design for that fact now.  
 
They need to have error checking in their code and not go into endless
loops.  Your idea for a heartbeat is OK if they can't get the
performance to improve but the application better be a batch job and not
have user interaction.  They may also need to control MTU size.  Make
sure they _don't_ set the do not fragment bit on.  Sounds to me like
they are in a rush, don't have good network programming experience and
are leaving error checking to be added on when they have time, at some
future point that will never come.  I would be concerned about what they
are doing to make the application secure.
 
Adam Safier
 

----- Original Message ----- 
From: Mike Hancock <mailto:Mike.Hancock at sourcemed.net>  
To: vpn at lists.shmoo.com 
Sent: Wednesday, April 02, 2003 10:24 AM
Subject: [VPN] Application timeouts over VPN...HELP!

We have a good and solid VPN between a Checkpoint and a NetScreen; it's
up and solid. I can send 100 pings and get 100% response. Ping times
across the tunnel are 63ms average.  The developers for each company
keep saying that the "firewall" is dropping the packets. And it is.
Application A starts the session (syn), App B answers (synack), App
A (ack)....no problem. The apps even talk out to the correct DST ports.
Problem comes when App A tries to send info over the established session
(example src port 2565) but sends it out 65 seconds since the last
communication: the firewalls time out the session and App A should
resend over a new source port. It never does. It will try till its dying
days to communicate over that FIRST session.
 
I am a router/firewall guy and not a programmer. Is there anything that
I can do to lessen the problem from a firewall/VPN point of view? I keep
saying that they need to speed up response times on their TCP
communications and send "heartbeats". They call me "Non-Helpful".
 
I just want to fix it. Any ideas?
 
 
App A
-----------------Checkpoint========INTERNET===========NetScreen--------------------App B
 
 

_______________________________ 
Mike 
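As an added illustration, not code from the thread or from either company's application: the two application-side fixes Adam describes, a TCP keepalive that refreshes the firewall's session entry before its idle timer (assumed 60 s here) expires, and a client that reconnects on a fresh source port instead of retrying the dead session. All timings, names and the loopback demo are assumptions.

```python
import socket

# Assumed timings (s): the firewalls expire a quiet session after ~60 s.
KEEPALIVE_IDLE, KEEPALIVE_INTERVAL, KEEPALIVE_COUNT = 30, 10, 3

def enable_keepalive(sock, idle=KEEPALIVE_IDLE, interval=KEEPALIVE_INTERVAL,
                     count=KEEPALIVE_COUNT):
    """Kernel keepalive: probes go out while the app is quiet, and each one
    refreshes the firewall's state-table entry for the session."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Linux names the idle option TCP_KEEPIDLE; macOS calls it TCP_KEEPALIVE.
    for names, value in ((("TCP_KEEPIDLE", "TCP_KEEPALIVE"), idle),
                         (("TCP_KEEPINTVL",), interval), (("TCP_KEEPCNT",), count)):
        opt = next((getattr(socket, n) for n in names if hasattr(socket, n)), None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0

class ReconnectingClient:
    """Sends on the current connection; if that fails (reset, closed socket, or
    a timeout once the firewall forgot the session) it opens a NEW socket, i.e.
    a fresh source port, instead of retrying the dead one until its dying days."""

    def __init__(self, host, port, timeout=5.0):
        self.addr, self.timeout, self.sock, self.reconnects = (host, port), timeout, None, 0

    def send(self, payload):
        for _attempt in range(2):  # at most one reconnect per send
            try:
                if self.sock is None:
                    self.sock = socket.create_connection(self.addr, timeout=self.timeout)
                    enable_keepalive(self.sock)
                self.sock.sendall(payload)
                return True
            except OSError:  # socket.timeout is a subclass of OSError
                if self.sock is not None:
                    self.sock.close()
                self.sock, self.reconnects = None, self.reconnects + 1
        return False

def demo():
    """Loopback run: closing the socket under the client stands in for the
    firewall's timeout; the next send must reconnect rather than fail."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)  # the backlog completes the handshake; no accept() needed
    client = ReconnectingClient("127.0.0.1", srv.getsockname()[1])
    first = client.send(b"hello")
    client.sock.close()
    second = client.send(b"hello again")
    srv.close()
    return first, second, client.reconnects  # (True, True, 1)
```

The keepalive idle value must stay below the firewall's timer, and the firewall must be configured to treat keepalive ACKs as session activity for this to help.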


