https://community.checkpoint.com/t5/General-Topics/R80-20-Port-reuse-problem/m-p/83509#M16889 <P>Hi all,</P><P>This is my first post here. I had read a lot of posts before that helped me several times (thank you very much!) but it’s my first time writing something.</P><P>I’m facing a problem with one of our customers. He’s using a Bluecoat web proxy with persistent connections to connect to an Apache web server (Linux) on our side. There is a R80.20 gateway between us.</P><P>Sometimes, some of the connections become idle and so, our Apache is closing them once the Apache keepalive timeout is over.</P><P>When it happens, the Apache server sends a FIN packet that is acknowledged by the remote web proxy. However, the proxy is not sending back its FIN packet. Therefore, the TCP/IP stack of the web server operating system ends closing the socket.</P><P>The problem is that in that case, the connection remains in the gateway connections table until the session timeout is over (3600 seconds).</P><P>If there is a new connection meanwhile from the remote web proxy using the same source port, the gateway drops it with the following message seen in debug mode: “dropped by fw_handle_old_conn_recovery Reason: TCP packet that belongs to an old connection;”.</P><P>I thought that Smart Connection Reuse setting (which is enabled in our gateway) would avoid that kind of situations but maybe I haven’t really understood how it works.</P><P>Anyone else had a similar problem ?</P><P>&nbsp;</P><P>Thank you very much for your help.</P><P><BR />Regards.</P> Tue, 28 Apr 2020 16:00:54 GMT itcs 2020-04-28T16:00:54Z https://community.checkpoint.com/t5/General-Topics/R80-20-Port-reuse-problem/m-p/83509#M16889 <P>Hi all,</P><P>This is my first post here. I had read a lot of posts before that helped me several times (thank you very much!) but it’s my first time writing something.</P><P>I’m facing a problem with one of our customers. He’s using a Bluecoat web proxy with persistent connections to connect to an Apache web server (Linux) on our side. There is a R80.20 gateway between us.</P><P>Sometimes, some of the connections become idle and so, our Apache is closing them once the Apache keepalive timeout is over.</P><P>When it happens, the Apache server sends a FIN packet that is acknowledged by the remote web proxy. However, the proxy is not sending back its FIN packet. Therefore, the TCP/IP stack of the web server operating system ends closing the socket.</P><P>The problem is that in that case, the connection remains in the gateway connections table until the session timeout is over (3600 seconds).</P><P>If there is a new connection meanwhile from the remote web proxy using the same source port, the gateway drops it with the following message seen in debug mode: “dropped by fw_handle_old_conn_recovery Reason: TCP packet that belongs to an old connection;”.</P><P>I thought that Smart Connection Reuse setting (which is enabled in our gateway) would avoid that kind of situations but maybe I haven’t really understood how it works.</P><P>Anyone else had a similar problem ?</P><P>&nbsp;</P><P>Thank you very much for your help.</P><P><BR />Regards.</P> Tue, 28 Apr 2020 16:00:54 GMT https://community.checkpoint.com/t5/General-Topics/R80-20-Port-reuse-problem/m-p/83509#M16889 itcs 2020-04-28T16:00:54Z https://community.checkpoint.com/t5/General-Topics/R80-20-Port-reuse-problem/m-p/83577#M16913 <P>There is a kernel parameter that controls this behaviour. Look into&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk24960" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk24960</A></P> Wed, 29 Apr 2020 07:49:30 GMT https://community.checkpoint.com/t5/General-Topics/R80-20-Port-reuse-problem/m-p/83577#M16913 _Val_ 2020-04-29T07:49:30Z https://community.checkpoint.com/t5/General-Topics/R80-20-Port-reuse-problem/m-p/83579#M16915 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a>&nbsp;</P><P>Thank you for your answer.</P><P>This parameter was already enabled in our gateway (fwconn_smart_conn_reuse = 1) but it's not working as I would expect unless I'm misunderstanding this setting.</P><P>&nbsp;</P><P>Is there maybe another parameter that could be overriding that one ?</P> Wed, 29 Apr 2020 08:00:00 GMT https://community.checkpoint.com/t5/General-Topics/R80-20-Port-reuse-problem/m-p/83579#M16915 itcs 2020-04-29T08:00:00Z