There is a timer for TCP in the FW 4.1 policy properties menu. I think the default is 60 seconds but it may be 40. It's been a while. Anyway, you might change that so the firewall gives TCP sessions much longer to get established. I don't remember on Netscreen but it should also have a timeout option.
Also, try sending large pings just to make sure that still works (you are checking MTU size limits, just in case).
However, you should point out to the "developers" that if their application is to work on anything but the one link, especially over the internet with other companies, they need to fix it. Firewalls are becoming a networking fact of life and their application will always have problems unless they adopt and design for that fact now.
They need to have error checking in their code and not go into endless loops. Your idea for a heartbeat is OK if they can't get the performance to improve, but the application had better be a batch job and not have user interaction. They may also need to control MTU size. Make sure they _don't_ set the Do Not Fragment bit. Sounds to me like they are in a rush, don't have good network programming experience and are leaving error checking to be added on when they have time, at some future point that will never come. I would be concerned about what they are doing to make the application secure.
Adam Safier
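As an added example (not code from this thread or from either company's application), here is a Python client that does the two things recommended in the reply above: it enables TCP keepalive with timers set under the firewall's idle timer so the session entry is refreshed, and it treats a socket error or peer close as a dead session, reconnecting on a new source port with a bounded number of attempts instead of retrying the first session forever. The 60-second firewall timer is taken from the reply as an assumption, and the local echo-then-close server is a constructed stand-in for a peer whose session state has expired.

```python
"""Added example, not from the thread: a TCP client that keeps a stateful
firewall's session entry alive and recovers from a dead session with a
bounded retry.  The 60 s timer and the echo server are assumptions."""
import socket
import threading

FIREWALL_IDLE_TIMEOUT = 60  # seconds; assumed from the ~60 s timer mentioned in the reply


def keepalive_settings(fw_timeout):
    """Pick keepalive timers so the first probe fires well before the
    firewall's idle timer expires.  Returns (idle, interval, count)."""
    idle = max(1, fw_timeout // 2)      # first probe at half the firewall timer
    interval = max(1, fw_timeout // 6)  # spacing of follow-up probes
    count = 3                           # unanswered probes before the kernel gives up
    return idle, interval, count


def apply_keepalive(sock, fw_timeout=FIREWALL_IDLE_TIMEOUT):
    """Enable TCP keepalive on a connected socket.  Per-socket timers are set
    where the platform exposes them (Linux: TCP_KEEPIDLE/TCP_KEEPINTVL/
    TCP_KEEPCNT; macOS names the idle timer TCP_KEEPALIVE)."""
    idle, interval, count = keepalive_settings(fw_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = getattr(socket, "TCP_KEEPIDLE", getattr(socket, "TCP_KEEPALIVE", None))
    for opt, value in ((idle_opt, idle),
                       (getattr(socket, "TCP_KEEPINTVL", None), interval),
                       (getattr(socket, "TCP_KEEPCNT", None), count)):
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return idle, interval, count


class ResilientClient:
    """Request/reply client.  Any socket error, timeout or peer close drops
    the socket; the next attempt connects again (new source port).  The
    attempt count is bounded so a dead session can never become an endless loop."""

    def __init__(self, host, port, fw_timeout=FIREWALL_IDLE_TIMEOUT,
                 io_timeout=5.0, max_attempts=3):
        self.host, self.port = host, port
        self.fw_timeout, self.io_timeout = fw_timeout, io_timeout
        self.max_attempts = max_attempts
        self.sock = None
        self.connections = 0

    @property
    def reconnects(self):
        return max(0, self.connections - 1)

    def connect(self):
        # create_connection leaves io_timeout set on the socket for later recv() calls
        self.sock = socket.create_connection((self.host, self.port), timeout=self.io_timeout)
        apply_keepalive(self.sock, self.fw_timeout)
        self.connections += 1

    def close(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None

    def send(self, payload):
        last_err = None
        for _ in range(self.max_attempts):
            try:
                if self.sock is None:
                    self.connect()
                self.sock.sendall(payload)
                reply = self.sock.recv(4096)
                if not reply:  # orderly close by the peer: the session is gone
                    raise ConnectionError("peer closed the session")
                return reply
            except OSError as err:  # covers resets, timeouts and ConnectionError
                last_err = err
                self.close()        # discard the dead session before retrying
        raise ConnectionError("gave up after %d attempts" % self.max_attempts) from last_err


def start_echo_then_close_server():
    """Constructed test peer: echoes one message per connection, then closes.
    It stands in for a session whose state the firewall has already expired."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def run():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    data = conn.recv(1024)
                    if data:
                        conn.sendall(data)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port, stop


def demo():
    """Returns (first reply, second reply, reconnect count)."""
    port, stop = start_echo_then_close_server()
    client = ResilientClient("127.0.0.1", port, io_timeout=1.0)
    try:
        first = client.send(b"hello")   # session 1 answers once
        second = client.send(b"again")  # session 1 is dead; client moves to session 2
        return first, second, client.reconnects
    finally:
        client.close()
        stop.set()


if __name__ == "__main__":
    print(demo())
```

The keepalive timers only refresh the firewall's state while the connection is idle; the retry bound is what actually fixes the behaviour described in the thread, because the client abandons the first session after a failed exchange instead of resending on it indefinitely.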
----- Original Message -----
Sent: Wednesday, April 02, 2003 10:24 AM
Subject: [VPN] Application timeouts over VPN...HELP!
We have a good and solid VPN between a Checkpoint and a NetScreen; it's up and solid. I can send 100 pings and get 100% response. Ping times across the tunnel are 63ms average. The developers for each company keep saying that the "firewall" is dropping the packets. And it is. Application A starts the session (SYN), App B answers (SYN/ACK), App A (ACK)... no problem. The apps even talk out to the correct DST ports. The problem comes when App A tries to send info over the established session (example src port 2565) but sends it 65 seconds after the last communication; the firewalls time out the session and App A should resend over a new source port. It never does. It will try till its dying days to communicate over that FIRST session.
I am a router/firewall guy and not a programmer. Is there anything that I can do to lessen the problem from a firewall/VPN point of view? I keep saying that they need to speed up response times on their TCP communications and send "heartbeats". They call me "Non-Helpful". I just want to fix it. Any ideas?
App A -----------------Checkpoint========INTERNET===========NetScreen---------------------- App B
_______________________________
Mike