Firewall-1
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [FW-1] message: Virtual defragmentation error: Timeout

from Brockhoven, Werner [Permanent Link]
Subject: Re: [FW-1] message: Virtual defragmentation error: Timeout
From: "Brockhoven, Werner" <Werner.Brockhoven AT HP DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 11 May 2006 15:28:08 +0200 
Hi,

Besides increasing the virtual session timeout you could also try
enabling SecureXL.

I've seen these errors before as well.  Feedback that I got from Nokia
was, that enabling securexl(yes even on Nokia as of IPSO 3.8) could
solve the issue.  I have seen at least one case where it solved the
issue.  Unfortunately it did cause some problems with ftp security
server for which I currently still have a ticket open.

Regards,

Werner 

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Matt
Rose
Sent: Thursday, May 11, 2006 15:04
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] message: Virtual defragmentation error: Timeout

Hi,
 
We are trying to access a CCTV website.
 
Return traffic is getting dropped with Information:
 
message: Virtual defragmentation error: Timeout
ip_id: 60365
ip_len: 0
ip_offset: 0
fragments_dropped: 5
during_sec: 60
 
I understand these drops are a feature of how Checkpoint handles
fragmented packets.
 
I have searched SecureKnowledge & Google and can not see how to
configure Checkpoint to allow this, I would guess Global Properties,
Stateful Inspection, Other IP protocols virtual session timeout???
 
This is happening on Nokia & Alteon firewalls with different versions of
IPSO and Checkpoint on in a Provider1 environment.
 
Would reducing the MTU size setting on the web server hosting the CCTV
website sort this?
 
TIA,
Matt.

 
 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [FW-1] NGX R61 now available, but it's going to cost you, Russell Aspinwall
Next by Date:  Re: [FW-1] Possible Spam:FW-1-MAILINGLIST Digest - 9 May 2006 to 10 May 2006 (#2006-125), Tahir Khan
Previous by Thread:  [FW-1] message: Virtual defragmentation error: Timeout, Matt Rose
Next by Thread:  Re: [FW-1] message: Virtual defragmentation error: Timeout, Christian Chiaverini
Indexes:  [Date] [Thread] [Top] [All Lists]