We've just started implementing CP gateways, starting at our corporate office. We experienced issues with an old LOB app at our remote locations app that essentially does a two-way handshake then just uses pushes to keep data going to the server here. No keepalives, no fin, just data sent as gathered, which is fairly intermittent.
This engendered a lot of drops at the firewall as the state aged out. This in turn made the remote app very unhappy, and it kept crashing.
We tried lengthening the session timeout and increasing the state timeout, to no avail. Finally, CP support suggested disabling the setting for dropping out of stat tcp packets.
This does solve the problem, but it seems that doing so disables state entirely - no way that we can see to limit it to specific subnets/addresses/ports/whatever.
Is that really the case, and if it is, what are our risks in doing so? This is making me just a tad uncomfortable, and any thoughts appreciated.
One thing I've thought about is to put up a small unit (RPi or similar) in the subnets where the remote app lives and in the subnet for the corp server, and make them gateways for this specific traffic, tunneled over IPSec. I think that would work, but I'm not technically savvy enough to be sure about that. If there are other suggestions to mitigate this, or if my concern about disabling state are out of proportion to the risk, I'd love to hear about it.
Thanks,
Kurt