<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1141" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2>There is a timer for TCP in the FW 4.1 policy properties
menu. I think the default is 60 seconds but it may be 40. It's been
a while. Anyway, you might change that so the firewall gives TCP sessions
much longer to get established. I don't remember on Netscreen but it
should also have a time out option.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Also, try sending large pings and just to make sure that still
works (you are checking MTU size limits, just in case.)</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>However, you should point out to the "developers" that if
their application is to work on anything but the one link, especially over the
internet with other companies, they need to fix it. Firewalls are becoming
a networking fact of life and their application will always have problems unless
they adopt and design for that fact now. </FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2>They need to have error checking in their code and not go
into endless loops. Your idea for a heartbeat is OK if they can't get the
performance to improve but the application better be a batch job and not
have user interaction. They may also need to control MTU size.
Make sure they _don't_ set the do not fragment bit on. Sounds to me like
they are in a rush, don't have good network programming experience and are
leaving error checking to be added on when they have time, at some future point
that will never come. I would be concerned about what they are doing to
make the application secure.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Adam Safier</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Mike.Hancock@sourcemed.net
href="mailto:Mike.Hancock@sourcemed.net">Mike Hancock</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=vpn@lists.shmoo.com
href="mailto:vpn@lists.shmoo.com">vpn@lists.shmoo.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, April 02, 2003 10:24
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [VPN] Application timeouts over
VPN...HELP!</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>We have a good and solid VPN
between a Checkpoint and a NetScreen, its up and solid. I can send 100 pings
and get 100% response. Ping times across the tunnel are 63ms average.
The developers for each company keep saying that the "firewall" is
dropping the packets. And it is. Application A starts the session(syn), App B
answers(synack), App A(ack)....no problem. The apps even talks out to the
correct DST ports. Problem comes when App A tries to send info over the
established session (example src port 2565) but sends it out 65 seconds since
the last communications, the firewalls time out the session and App A should
resend over a new source port. It never does. It will try till its dying days
to communicate over that FIRST session.</FONT></SPAN></DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>I am a router firewall guy
and not a programmer, is there anything that I can do to lessen the problem
from a firewall/VPN point of view? I keep saying that they need to speed up
response times on their TCP communications and send "heartbeats". They call me
"Non-Helpful"</FONT></SPAN></DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>I just want to fix it. Any
ideas?</FONT></SPAN></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>App A
-----------------Checkpoint========INTERNET===========NetScreen----------------------App
B</FONT></SPAN></DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2></FONT></SPAN> </DIV><!-- Converted from text/rtf format -->
<P align=left><FONT size=2><SPAN
lang=en-us>_______________________________</SPAN> <BR><SPAN lang=en-us><B>Mike
</B></SPAN></FONT></P></BLOCKQUOTE></BODY></HTML>