Rajeev,
They didn't offer a workaround, only a timeframe for the next release
which is supposed to be June 2006, which is supposed to have some
tuneable re-assembly timeout parameter. The new parameter 'timeout'
will be added here:
# ipsctl -a net:ip:reass:stats:vr
Perhaps somebody can verify if said parameter is already included in
4.x?
Werner
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Rajeev
Gupta
Sent: Monday, May 15, 2006 08:33
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] message: Virtual defragmentation error: Timeout
Thanks for the update, Werner. But what is to be done before the next
release? ignore?
Rajeev
On 5/15/06, Brockhoven, Werner <Werner.Brockhoven AT hp DOT com> wrote:
> Hi,
>
> I was just informed by Nokia that there is a known issue in IPSO 3.9
> B045 and should be fixed in the next release.
>
> Werner
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> Rajeev Gupta
> Sent: Friday, May 12, 2006 15:09
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] message: Virtual defragmentation error: Timeout
>
> You may like to tweak fwfrag_limit and fwfrag_timeout parameters -
> specifically in the context of your error message, increasing
> fwfrag_timeout may help a bit - these are firewall's defragmentation
> parameters. However, if small tweaks do not help, the best ultimate
> solution is what you have already indicated: decreasing the mtu on the
> CCTV site.
>
> hth,
>
> Rajeev
>
> On 5/11/06, Matt Rose <bsod1 AT yahoo DOT com> wrote:
> > Hi,
> >
> > We are trying to access a CCTV website.
> >
> > Return traffic is getting dropped with Information:
> >
> > message: Virtual defragmentation error: Timeout
> > ip_id: 60365
> > ip_len: 0
> > ip_offset: 0
> > fragments_dropped: 5
> > during_sec: 60
> >
> > I understand these drops are a feature of how Checkpoint handles
> > fragmented packets.
> >
> > I have searched SecureKnowledge & Google and can not see how to
> > configure Checkpoint to allow this, I would guess Global Properties,
> > Stateful Inspection, Other IP protocols virtual session timeout???
> >
> > This is happening on Nokia & Alteon firewalls with different versions
> > of IPSO and Checkpoint in a Provider1 environment.
> >
> > Would reducing the MTU size setting on the web server hosting the CCTV
> > website sort this?
> >
> > TIA,
> > Matt.
> >
> >
> >
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> >
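An added example, not part of the thread and not Check Point or Nokia code: a simplified Python model of a firewall reassembly table, showing why one late fragment gets the whole set dropped on timeout, why a longer timeout lets it through, and why a payload that fits the path MTU never waits. The class, its `timeout` and `limit` knobs, the addresses and the timings are constructed for illustration; only ip_id 60365 comes from the log quoted above.

```python
from dataclasses import dataclass, field

@dataclass
class Partial:
    first_seen: float
    spans: list = field(default_factory=list)  # (offset, length) per fragment
    total: int = -1                            # set when the last fragment arrives

class VirtualDefrag:
    """Simplified reassembly table; timeout/limit are this model's own knobs."""
    def __init__(self, timeout, limit=200):
        self.timeout, self.limit = timeout, limit
        self.table, self.dropped = {}, 0

    def expire(self, now):
        for key in [k for k, p in self.table.items() if now - p.first_seen > self.timeout]:
            self.dropped += len(self.table.pop(key).spans)

    def receive(self, now, key, offset, length, more_fragments):
        """Return True once every byte of the datagram has been seen in time."""
        self.expire(now)
        if key not in self.table and len(self.table) >= self.limit:
            self.dropped += 1                  # table full: fragment discarded
            return False
        p = self.table.setdefault(key, Partial(first_seen=now))
        p.spans.append((offset, length))
        if not more_fragments:
            p.total = offset + length
        end = 0
        for off, ln in sorted(p.spans):        # look for a hole in the coverage
            if off > end:
                return False
            end = max(end, off + ln)
        if p.total < 0 or end < p.total:
            return False
        del self.table[key]
        return True

def run(timeout, payload=7000, path_mtu=1500, late_by=1.5):
    """One datagram whose final fragment arrives late_by seconds after the rest."""
    fw = VirtualDefrag(timeout)
    step = (path_mtu - 20) // 8 * 8            # fragment data is a multiple of 8
    offsets = list(range(0, payload, step))
    key = ("198.51.100.7", "192.0.2.10", 17, 60365)  # constructed flow + ip_id
    for off in offsets:
        last = off == offsets[-1]
        now = late_by if last and len(offsets) > 1 else 0.0
        passed = fw.receive(now, key, off, min(step, payload - off), not last)
    fw.expire(late_by + 2 * timeout)           # flush whatever is still pending
    return passed, fw.dropped
```

`run(1)` loses all five fragments of the 7000-byte datagram, `run(2)` reassembles it, and `run(1, payload=1400)` passes immediately because nothing is fragmented.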