Stateful Inspection Override

biskit — Tue, 25 Jun 2019 09:22:44 GMT

A customer has a video conference system which keeps disconnecting. At the time of the disconnections, the firewall logs show a couple of "out of state" drops, then it carries on normally again for a while, then a few more "out of state" drops.

The drops are always only on port TCP 2776.

There is also tons of working/allowed traffic between the SRC and DST on TCP 2776.

I've created a custom service for TCP 2776 and extended the Virtual Session Timeout to the max of 86400. This hasn't fixed it.

Next, in an attempt to prove the point that it is actually out of state I've tried to turn off stateful inspection for the video conference IP's. I've inserted the following in to $FWDIR/conf/user.def.FW:

/* Start of INSPECT modification - sk11088 */ deffunc user_accept_non_syn() { (src=192.168.1.189) or (src=192.168.1.190) and (dport = 2776) }; /* End of INSPECT modification */

This hasn't fixed it either. Same disconnections and drops in the log.

Does anyone have any other ideas to try before I tell the customer there's nothing else I can do on the firewall (e.g. go fix your VC system!)?

(I haven't disabled SecureXL yet - maybe I should try that?)

Thanks,

Matt

topic Re: Stateful Inspection Override in General Topics

Stateful Inspection Override

Re: Stateful Inspection Override