Hello all,
I just upgraded our management and one of our locations to R80.10 from R77.30.
We currently have a service with a very long TCP timeout period (86400 seconds) that does not work anymore after the upgrade.
After looking at the service settings, it is still set to 86400, and the connections on port 1521 still time out after a short time.
In SmartLog I get a TCP packet out of state drop with flags: PUSH-ACK.
It seems like my gateway is idling out my connections.
Thank you for your help.
Please verify that the service is being identified as the one that has the TCP timeout properties adjusted, as there is more than one service listed on 1521:
Yes. After reviewing, all of my services on TCP port 1521 have a 24h timeout rule.
I only updated the management to R80.10, and everything was working before the upgrade. There was no change to the rule base or the service base.
Try running the undocumented command fw ctl conntab, which will give a nice concise list of connections including the current value of the idle timer. It will help ensure idle timers are being set as you expect for the port 1521 connections and that they are not being removed/expired for some other reason.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
After running your command, it seems like my issue is not on the timeout side then. It shows that they are all using the 24h timeout.
I will try and look further and see where the issue lies.
Thanks for the help.
Another thing to check is that timeouts are handled a bit differently when SecureXL is enabled, but that should not cause the behavior you are seeing. Try excluding the port 1521 traffic from SecureXL as specified in sk104468: How to disable SecureXL for specific IP addresses and see if it has an impact on the issue.
Enabling TCP state logging as specified in sk101221: TCP state logging may also help in determining what is happening to those connections.
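Added example, not part of the thread and not from any of its participants: the replies above suggest checking the connection table's idle timers and TCP state logging; a complementary check is to measure, from the logs, how long a port 1521 connection actually survived before its "TCP packet out of state" drop and compare that to the configured 86400-second service timeout and to Check Point's default TCP session timeout of 3600 seconds. The script below does that over constructed log records. The semicolon field layout, the addresses, the timestamps and the `analyze`/`classify_gap` helpers are all assumptions made for this example, not a SmartLog export format or Check Point tooling.

```python
"""Measure how long TCP/1521 connections survive before a "TCP packet out of state"
drop, and compare that against the configured and default idle timeouts.

The log records below are constructed for this example (not a SmartLog export);
the semicolon layout timestamp;action;src;sport;dst;dport;info is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: one Accept per connection, then (for some flows)
# the out-of-state drop the original post describes. Not real gateway output.
SAMPLE_LOG = """\
2021-03-01T08:00:00;Accept;10.1.1.20;51000;10.2.2.30;1521;
2021-03-01T09:02:05;Drop;10.1.1.20;51000;10.2.2.30;1521;TCP packet out of state - flags PUSH-ACK
2021-03-01T08:10:00;Accept;10.1.1.21;51002;10.2.2.30;1521;
2021-03-01T08:15:00;Accept;10.1.1.22;51004;10.2.2.40;443;
2021-03-01T09:20:00;Drop;10.1.1.22;51004;10.2.2.40;443;TCP packet out of state - flags PUSH-ACK
"""

CONFIGURED_TIMEOUT = 86400  # seconds: the custom service timeout from the post
DEFAULT_TCP_TIMEOUT = 3600  # seconds: Check Point's default TCP session timeout
TOLERANCE = 300             # slack when matching an observed gap to a timeout


def parse_records(text):
    """Turn the constructed log text into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, sport, dst, dport, info = line.split(";", 6)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "action": action,
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "info": info,
        })
    return records


def accept_to_drop_gaps(records, dport=1521):
    """Per 4-tuple on dport: seconds from the Accept log to the out-of-state drop.

    Without accounting or session logs, the Accept is usually the only record
    the firewall keeps of a connection, so this gap is an upper bound on how
    long the connection sat idle before the gateway forgot it. Flows that were
    never dropped are omitted.
    """
    by_flow = defaultdict(list)
    for r in records:
        if r["dport"] == dport:
            by_flow[(r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    gaps = {}
    for flow, recs in by_flow.items():
        recs.sort(key=lambda r: r["ts"])
        accepted = None
        for r in recs:
            if r["action"] == "Accept":
                accepted = r["ts"]
            elif r["action"] == "Drop" and "out of state" in r["info"] and accepted:
                gaps[flow] = (r["ts"] - accepted).total_seconds()
    return gaps


def classify_gap(gap):
    """Say which idle timeout, if any, the observed gap is consistent with."""
    if abs(gap - CONFIGURED_TIMEOUT) <= TOLERANCE:
        return "consistent with the configured 86400s service timeout"
    if abs(gap - DEFAULT_TCP_TIMEOUT) <= TOLERANCE:
        return "consistent with the default 3600s TCP timeout (service timeout not applied)"
    if gap < DEFAULT_TCP_TIMEOUT:
        return "shorter than any idle timeout; connection was removed for another reason"
    return "between default and configured timeouts; check SecureXL / TCP state logging"


def analyze(text, dport=1521):
    """Return [(flow, gap_seconds, verdict)] for every dropped flow on dport."""
    gaps = accept_to_drop_gaps(parse_records(text), dport)
    return [(flow, gap, classify_gap(gap)) for flow, gap in sorted(gaps.items())]


if __name__ == "__main__":
    for flow, gap, verdict in analyze(SAMPLE_LOG):
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {gap:.0f}s  {verdict}")
```

In the constructed data the port 1521 flow is dropped 3725 seconds after its accept, which the script reports as consistent with the default 3600-second TCP timeout rather than the 24h service timeout. On a real gateway the inputs would be exported log records; a gap that matches neither timeout points away from idle aging and towards the SecureXL and TCP state logging checks the thread already suggests.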