Re: [VPN] Application timeouts over VPN...HELP!
- To: Mike Hancock <[EMAIL PROTECTED]>
- Subject: Re: [VPN] Application timeouts over VPN...HELP!
- From: Alex Pankratov <[EMAIL PROTECTED]>
- Date: Wed, 02 Apr 2003 10:33:39 -0800
- Cc: [EMAIL PROTECTED]
- In-reply-to: <[EMAIL PROTECTED]>
- References: <[EMAIL PROTECTED]>
- Sender: [EMAIL PROTECTED]
Mike Hancock wrote:
> We have a good and solid VPN between a Checkpoint and a NetScreen; it's
> up and solid. I can send 100 pings and get 100% response. Ping times
> across the tunnel are 63ms average. The developers for each company
> keep saying that the "firewall" is dropping the packets. And it is.
> Application A starts the session (SYN), App B answers (SYN/ACK), App
> A (ACK)... no problem. The apps even talk out to the correct DST ports.
> The problem comes when App A tries to send info over the established
> session (example src port 2565) but sends it out 65 seconds after the
> last communication: the firewalls time out the session and App A
> should resend over a new source port. It never does. It will try till
> its dying days to communicate over that FIRST session.
Regardless of the respective positions of the VPN terminator and the
firewall, the problem is clearly in the firewall setup. I'm not an
admin, so I'll leave troubleshooting to other people :) But ..
> I am a router/firewall guy and not a programmer. Is there anything that
> I can do to lessen the problem from a firewall/VPN point of view? I keep
> saying that they need to speed up response times on their TCP
> communications and send "heartbeats". They call me "Non-Helpful".
.. being a programmer myself, I can comment on this, though. Using
application-level heartbeats to keep a *TCP* connection alive is not a
good idea for a number of reasons. One of them is the inability to
guarantee heartbeat intervals even with 10-second precision (caused in
part by traffic shaping and QoS-misbehaved routers), which renders the
whole idea useless.
/alex
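A worked illustration of the two remedies argued about in this thread, added here as example code that comes from neither poster: the client lets the kernel's TCP keepalive refresh the firewall's state entry instead of relying on application-level heartbeats, and when a send on a dead session fails it reconnects, which yields the new source port Mike expects. The 60 s idle figure, the loopback listener and the "dead first session" simulation are constructed for the demo; the TCP_KEEP* option names are Linux's.

```python
import socket

# Constructed from the thread: the firewalls drop an idle TCP state entry
# after roughly 60 s (the application went quiet for 65 s).
FIREWALL_IDLE_TIMEOUT = 60

def keepalive_params(idle_timeout, probes=3):
    """(idle, interval, count) so that every probe cycle ends before a
    middlebox with the given idle timeout can expire the session."""
    idle = max(1, idle_timeout // 2)
    return idle, max(1, (idle_timeout - idle) // (probes + 1)), probes

def enable_tcp_keepalive(sock, idle, interval, count):
    """Let the TCP stack keep the session alive instead of the application
    (Linux option names, looked up so other platforms degrade gracefully)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0

def send_with_reconnect(dial, payload, attempts=3):
    """Send on a socket from dial(); on any socket error (reset, timeout, or a
    state entry a firewall silently dropped) discard it and dial again, which
    gives a fresh source port instead of retrying the dead session forever."""
    last = None
    for attempt in range(1, attempts + 1):
        sock = dial()
        try:
            sock.sendall(payload)
            return attempt, sock
        except OSError as exc:
            last = exc
            sock.close()
    raise last

def loopback_demo(dead_first=True):
    """Run both pieces against a constructed listener on 127.0.0.1."""
    srv = socket.create_server(("127.0.0.1", 0))
    timers, ports = keepalive_params(FIREWALL_IDLE_TIMEOUT), []

    def dial():
        cli = socket.create_connection(srv.getsockname(), timeout=2)
        enable_tcp_keepalive(cli, *timers)
        ports.append(cli.getsockname()[1])
        if dead_first and len(ports) == 1:
            cli.close()  # simulated dead first session: the send will fail
        return cli

    attempt, sock = send_with_reconnect(dial, b"data after 65 s idle")
    sock.close(), srv.close()
    return attempt, ports, timers
```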
_______________________________________________
VPN mailing list
[EMAIL PROTECTED]
http://lists.shmoo.com/mailman/listinfo/vpn