https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dropped-quot-PSH-ACK-quot-Override-Session-Timeout-questions/m-p/118631#M16791 <P>Hello CheckMates,</P><P>&nbsp;</P><P>we have recently moved our Client VPN Gateways from behind an OpnSense behind our Checkpoint Cluster.</P><P>Since then, one of our teams complain about connections resets of their applications.</P><P>&nbsp;</P><P>I could see, that there are lots of "PSH-ACK" dropped out of state and after doing some investigation, I see that the default session timeout of OpnSense is set to 86400 Seconds vs. 3600 of Checkpoint.</P><P>I have then created a TCP Object, dealing with Ports 8440-8450 and set the Virtual Session Timeout to 86400 but the behaviour didn't change.</P><P>I have then checked via fw ctl conntab and could see, that the sessions were still created with 3600 sec.</P><P>&lt;(inbound, src=[10.255.216.196,52396], dest=[10.49.2.138,8444], TCP); 1863/3015, rule=104, tcp state=TCP_ESTABLISHED, service=3600, conn modules: Authentication, FG-1&gt;</P><P>So in the next step, I have created a dedicated object for port 8444 and now I can at least see, that the session timer is at 20879 sec.</P><P>&lt;(inbound, src=[10.255.226.75,55032], dest=[10.49.2.138,8444], TCP); 20823/20879, rule=104, tcp state=TCP_ESTABLISHED, service=663, conn modules: Authentication, FG-1&gt;</P><P>&nbsp;</P><P>Question one:</P><P>Does the virtual session timeout for port ranges not work?</P><P>Since this is matching an "any service" rule - could it be that our high port object (TCP-1024-64535) interferes here?</P><P>Both, the small port range and the high-ports have a "match any" flag. As per the logs, the correct object matched, though.</P><P>&nbsp;</P><P>Question two:</P><P>Why do I only see a session time of 20879 s in the conntab, while the time is set 86400 sec. in the port object.</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P><P>BR,</P><P>Tom</P> Tue, 18 May 2021 12:02:38 GMT T_Sonnberger 2021-05-18T12:02:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dropped-quot-PSH-ACK-quot-Override-Session-Timeout-questions/m-p/118631#M16791 <P>Hello CheckMates,</P><P>&nbsp;</P><P>we have recently moved our Client VPN Gateways from behind an OpnSense behind our Checkpoint Cluster.</P><P>Since then, one of our teams complain about connections resets of their applications.</P><P>&nbsp;</P><P>I could see, that there are lots of "PSH-ACK" dropped out of state and after doing some investigation, I see that the default session timeout of OpnSense is set to 86400 Seconds vs. 3600 of Checkpoint.</P><P>I have then created a TCP Object, dealing with Ports 8440-8450 and set the Virtual Session Timeout to 86400 but the behaviour didn't change.</P><P>I have then checked via fw ctl conntab and could see, that the sessions were still created with 3600 sec.</P><P>&lt;(inbound, src=[10.255.216.196,52396], dest=[10.49.2.138,8444], TCP); 1863/3015, rule=104, tcp state=TCP_ESTABLISHED, service=3600, conn modules: Authentication, FG-1&gt;</P><P>So in the next step, I have created a dedicated object for port 8444 and now I can at least see, that the session timer is at 20879 sec.</P><P>&lt;(inbound, src=[10.255.226.75,55032], dest=[10.49.2.138,8444], TCP); 20823/20879, rule=104, tcp state=TCP_ESTABLISHED, service=663, conn modules: Authentication, FG-1&gt;</P><P>&nbsp;</P><P>Question one:</P><P>Does the virtual session timeout for port ranges not work?</P><P>Since this is matching an "any service" rule - could it be that our high port object (TCP-1024-64535) interferes here?</P><P>Both, the small port range and the high-ports have a "match any" flag. As per the logs, the correct object matched, though.</P><P>&nbsp;</P><P>Question two:</P><P>Why do I only see a session time of 20879 s in the conntab, while the time is set 86400 sec. in the port object.</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P><P>BR,</P><P>Tom</P> Tue, 18 May 2021 12:02:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dropped-quot-PSH-ACK-quot-Override-Session-Timeout-questions/m-p/118631#M16791 T_Sonnberger 2021-05-18T12:02:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dropped-quot-PSH-ACK-quot-Override-Session-Timeout-questions/m-p/118957#M16841 <P>What version/JHF level?<BR />I could see potentially needing a more specific service definition for timeouts, but the "wrong" timeout for port 8444 is definitely wrong.<BR />TAC case suggested here.</P> Thu, 20 May 2021 18:02:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dropped-quot-PSH-ACK-quot-Override-Session-Timeout-questions/m-p/118957#M16841 PhoneBoy 2021-05-20T18:02:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dropped-quot-PSH-ACK-quot-Override-Session-Timeout-questions/m-p/119008#M16842 <P>Hi PhoneBoy,</P><P>&nbsp;</P><P>thanks for the reply.</P><P>&nbsp;</P><P>Version is 80.30 - Take 200</P><P>&nbsp;</P><P>Regarding the timers, I will open a case with the support. Thanks for confirmation.</P><P>&nbsp;</P><P>BR,</P><P>Tom</P> Fri, 21 May 2021 04:40:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dropped-quot-PSH-ACK-quot-Override-Session-Timeout-questions/m-p/119008#M16842 T_Sonnberger 2021-05-21T04:40:00Z