We have an issue regarding a specific connection on a S2S VPN between a CP cluster and Cisco ASA.
Specifically, whilst the tunnel poses no issues and everything seems to be fine, an IBM AS/400 server is behind the CP and the clients accessing it are behind the ASA.
The clients complain that the sessions all of a sudden close after an arbitrary amount of time.
I have proceeded with creating a new telnet service with the following characteristics, but the issue seems to still occur.
Any ideas?
Regards
Check your IPS if you run it and core protections. I had AS/400 connections blocked because Telnet is considered insecure and blocked by this blade and needed to configure exceptions.
Also, there's obviously the ASA side which might not match your protocol definitions.
It is not an IPS issue.
The connection gets established.
However, after some arbitrary time the connections get dropped and they need to relogin...
Protocol is telnet
Arbitrary like when the firewall policy is installed or when a rekey occurs for the VPN?
As Chris said this is probably related to the VPN more than the basic session timeouts, but try enabling TCP state logging to obtain more details about how and why your telnet connections are being terminated:
Is there some particular reason you are not synchronizing the telnet sessions across the cluster members? If deployed as shown in your screenshot a failover will cause all of the currently open telnet sessions to be killed on the newly active member.
Also note that the TCP connection timeout can now be increased well beyond 86400 seconds if you have the latest Jumbo HFA: sk168872: Virtual session timeout for a TCP Service (86400 seconds) is not long enough for a specifi...