Hi,
I was just informed by Nokia that there is a known issue in IPSO 3.9
B045 and should be fixed in the next release.
Werner
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Rajeev
Gupta
Sent: Friday, May 12, 2006 15:09
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] message: Virtual defragmentation error: Timeout
You may like to tweak fwfrag_limit and fwfrag_timeout parameters -
specifically in the context of your error message, increasing
fwfrag_timeout may help a bit - these are firewall's defragmentation
parameters. However, if small tweaks do not help, the best ultimate
solution is what you have already indicated: decreasing the mtu on the
CCTV site.
hth,
Rajeev
On 5/11/06, Matt Rose <bsod1 AT yahoo DOT com> wrote:
> Hi,
>
> We are trying to access a CCTV website.
>
> Return traffic is getting dropped with Information:
>
> message: Virtual defragmentation error: Timeout
> ip_id: 60365
> ip_len: 0
> ip_offset: 0
> fragments_dropped: 5
> during_sec: 60
>
> I understand these drops are a feature of how Checkpoint handles
fragmented packets.
>
> I have searched SecureKnowledge & Google and can not see how to
configure Checkpoint to allow this, I would guess Global Properties,
Stateful Inspection, Other IP protocols virtual session timeout???
>
> This is happening on Nokia & Alteon firewalls with different versions
of IPSO and Checkpoint on in a Provider1 environment.
>
> Would reducing the MTU size setting on the web server hosting the CCTV
website sort this?
>
> TIA,
> Matt.
>
>
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
|
