<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2800.1141" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><SPAN class=863332212-04042003><FONT color=#0000ff size=2>We can reset the
timers (a global setting in CP and NS) but sometimes the applications do
not interact for a couple of hours and I had rather not make sessions viable for
hours at a time. </FONT></SPAN></DIV>
<DIV><SPAN class=863332212-04042003><FONT color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=863332212-04042003><FONT color=#0000ff
size=2>Mike</FONT></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> safieradam
[mailto:safieradam@hotmail.com] <BR><B>Sent:</B> Thursday, April 03, 2003 9:13
AM<BR><B>To:</B> Mike Hancock; vpn@lists.shmoo.com<BR><B>Subject:</B> Re:
[VPN] Application timeouts over VPN...HELP!<BR><BR></FONT></DIV>
<DIV><FONT size=2>There is a timer for TCP in the FW 4.1 policy properties
menu. I think the default is 60 seconds but it may be 40. It's
been a while. Anyway, you might change that so the firewall gives TCP
sessions much longer to get established. I don't remember on Netscreen
but it should also have a time out option.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Also, try sending large pings and just to make sure that
still works (you are checking MTU size limits, just in case.)</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>However, you should point out to the "developers" that if
their application is to work on anything but the one link, especially over the
internet with other companies, they need to fix it. Firewalls are
becoming a networking fact of life and their application will always have
problems unless they adopt and design for that fact now. </FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2>They need to have error checking in their code and not
go into endless loops. Your idea for a heartbeat is OK if they can't get
the performance to improve but the application better be a batch job and not
have user interaction. They may also need to control MTU
size. Make sure they _don't_ set the do not fragment bit on.
Sounds to me like they are in a rush, don't have good network programming
experience and are leaving error checking to be added on when they have time,
at some future point that will never come. I would be concerned about
what they are doing to make the application secure.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Adam Safier</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Mike.Hancock@sourcemed.net
href="mailto:Mike.Hancock@sourcemed.net">Mike Hancock</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=vpn@lists.shmoo.com
href="mailto:vpn@lists.shmoo.com">vpn@lists.shmoo.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, April 02, 2003 10:24
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [VPN] Application timeouts
over VPN...HELP!</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>We have a good and solid
VPN between a Checkpoint and a NetScreen, its up and solid. I can send 100
pings and get 100% response. Ping times across the tunnel are 63ms
average. The developers for each company keep saying that the
"firewall" is dropping the packets. And it is. Application A starts the
session(syn), App B answers(synack), App A(ack)....no problem. The apps even
talks out to the correct DST ports. Problem comes when App A tries to send
info over the established session (example src port 2565) but sends it out
65 seconds since the last communications, the firewalls time out the session
and App A should resend over a new source port. It never does. It will try
till its dying days to communicate over that FIRST
session.</FONT></SPAN></DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>I am a router firewall guy
and not a programmer, is there anything that I can do to lessen the problem
from a firewall/VPN point of view? I keep saying that they need to speed up
response times on their TCP communications and send "heartbeats". They call
me "Non-Helpful"</FONT></SPAN></DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>I just want to fix it. Any
ideas?</FONT></SPAN></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>App A
-----------------Checkpoint========INTERNET===========NetScreen----------------------App
B</FONT></SPAN></DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2></FONT></SPAN> </DIV><!-- Converted from text/rtf format -->
<P align=left><FONT size=2><SPAN
lang=en-us>_______________________________</SPAN> <BR><SPAN
lang=en-us><B>Mike
</B></SPAN></FONT></P></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>