<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1141" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2>The 65 seconds in your original method is one thing. Keeping
the session up and idle for hours is a big difference. I would whip out
the "New" security policy and point out to the developers that leaving sessions
open for hours is bad security and not allowed. If you are not in charge
of security policy get the policy person on your side and have them talk to the
developers. This is really a political negotiation but your instinct
not to allow it is correct.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2>Adam Safier</FONT> </DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Mike.Hancock@sourcemed.net
href="mailto:Mike.Hancock@sourcemed.net">Mike Hancock</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=safieradam@hotmail.com
href="mailto:safieradam@hotmail.com">safieradam</A> ; <A
title=vpn@lists.shmoo.com
href="mailto:vpn@lists.shmoo.com">vpn@lists.shmoo.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, April 04, 2003 7:24
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [VPN] Application timeouts
over VPN...HELP!</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=863332212-04042003><FONT color=#0000ff size=2>We can reset
the timers (a global setting in CP and NS) but sometimes the applications
do not interact for a couple of hours and I had rather not make sessions
viable for hours at a time. </FONT></SPAN></DIV>
<DIV><SPAN class=863332212-04042003><FONT color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=863332212-04042003><FONT color=#0000ff
size=2>Mike</FONT></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> safieradam
[mailto:safieradam@hotmail.com] <BR><B>Sent:</B> Thursday, April 03, 2003
9:13 AM<BR><B>To:</B> Mike Hancock; <A
href="mailto:vpn@lists.shmoo.com">vpn@lists.shmoo.com</A><BR><B>Subject:</B>
Re: [VPN] Application timeouts over VPN...HELP!<BR><BR></FONT></DIV>
<DIV><FONT size=2>There is a timer for TCP in the FW 4.1 policy properties
menu. I think the default is 60 seconds but it may be 40. It's
been a while. Anyway, you might change that so the firewall gives TCP
sessions much longer to get established. I don't remember on Netscreen
but it should also have a time out option.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Also, try sending large pings and just to make sure that
still works (you are checking MTU size limits, just in case.)</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>However, you should point out to the "developers" that if
their application is to work on anything but the one link, especially over
the internet with other companies, they need to fix it. Firewalls are
becoming a networking fact of life and their application will always have
problems unless they adopt and design for that fact now. </FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2>They need to have error checking in their code and
not go into endless loops. Your idea for a heartbeat is OK if they
can't get the performance to improve but the application better be a batch
job and not have user interaction. They may also need to control
MTU size. Make sure they _don't_ set the do not fragment bit on.
Sounds to me like they are in a rush, don't have good network programming
experience and are leaving error checking to be added on when they have
time, at some future point that will never come. I would be concerned
about what they are doing to make the application secure.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Adam Safier</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=Mike.Hancock@sourcemed.net
href="mailto:Mike.Hancock@sourcemed.net">Mike Hancock</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=vpn@lists.shmoo.com
href="mailto:vpn@lists.shmoo.com">vpn@lists.shmoo.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Wednesday, April 02, 2003 10:24
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [VPN] Application timeouts
over VPN...HELP!</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>We have a good and solid
VPN between a Checkpoint and a NetScreen, its up and solid. I can send 100
pings and get 100% response. Ping times across the tunnel are 63ms
average. The developers for each company keep saying that the
"firewall" is dropping the packets. And it is. Application A starts
the session(syn), App B answers(synack), App A(ack)....no problem. The
apps even talks out to the correct DST ports. Problem comes when App A
tries to send info over the established session (example src port 2565)
but sends it out 65 seconds since the last communications, the firewalls
time out the session and App A should resend over a new source port. It
never does. It will try till its dying days to communicate over that FIRST
session.</FONT></SPAN></DIV>
<DIV><SPAN class=512540615-02042003><FONT
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>I am a router firewall
guy and not a programmer, is there anything that I can do to lessen the
problem from a firewall/VPN point of view? I keep saying that they need to
speed up response times on their TCP communications and send "heartbeats".
They call me "Non-Helpful"</FONT></SPAN></DIV>
<DIV><SPAN class=512540615-02042003><FONT
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>I just want to fix it.
Any ideas?</FONT></SPAN></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><SPAN class=512540615-02042003><FONT size=2>App A
-----------------Checkpoint========INTERNET===========NetScreen----------------------App
B</FONT></SPAN></DIV>
<DIV><SPAN class=512540615-02042003><FONT
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=512540615-02042003><FONT
size=2></FONT></SPAN> </DIV><!-- Converted from text/rtf format -->
<P align=left><FONT size=2><SPAN
lang=en-us>_______________________________</SPAN> <BR><SPAN
lang=en-us><B>Mike
</B></SPAN></FONT></P></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>