FireWall-1 Version 4.1 Build 41821
IPSO 3.3-FCS3 09.14.2000-234849 i386
Solstice Backup 5.5.1 (aka Legato Networker)
I'm having problems running Legato Networker backups through the firewall.
It's not an issue with the rulebase, as I've tried with 'accept all' between
the relevant hosts and get the same problem. I have the correct ports
configured within Networker.
Here's the situation. Backup server on internal LAN, client in DMZ. At
scheduled time, server contacts client and there are then a number of connections
both ways whilst the client sends data to the server for backup.
An example from yesterday's f/w connections table:
<CLIENT, 0000271e, SERVER, 00002747, 00000006; 00000000, 00000001,
ffffff00; 131/300>
Connection is from src-port 10014 to svc-port 10055. (Diversion - why Legato
connects to high service ports I don't know, but without these allowed through
the f/w it doesn't get far).
Saw this in the table for 300s, then gone.
Then, more than 5 mins later, client appears to try to send a packet on this
connection, which is dropped by the f/w (Rule 0, unknown established
connection). Client continues to try until the Networker timeout is reached.
Why does the client try to use this conn? Because both it and the server
believe the conn is still established...
server# netstat
SERVER.10055 CLIENT.10014 24820 0 24820 0 ESTABLISHED
client# netstat
CLIENT.10014 SERVER.10055 24820 77 24820 0 ESTABLISHED
So it's only the f/w that has dropped the conn, after the 5 min timeout.
Question is, why is the timeout 5 mins? F/w policy properties has TCP
timeout at 7200s. Is the problem elsewhere? Any help with this would be
much appreciated. I've cross-posted this to both firewall-1 and legato lists
as I think it has relevance to both.
Thanks for any help
Craig
--
Craig Foster
System Administrator
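Decoding the connections-table entry quoted in the post by hand is error-prone (ports and protocol are hex), so here is a small parser plus the check the post is really asking for: does the entry's own timeout match the policy-wide TCP timeout? This is an added example, not code from the post or from Check Point; it assumes the layout the post shows (key fields src, sport, dst, dport, proto; a middle group of value fields, treated here as opaque; then "remaining/timeout" in seconds) and that addresses appear either as 8-hex-digit IPv4 values or, as in the post, as substituted host labels. The sample entries are the post's entry and a constructed hex variant.

```python
"""Decode FireWall-1 4.1 connections-table entries and flag short TCP timeouts.

Added example (not from the original post or from Check Point).  Assumed
layout, matching the entry quoted in the post:
    <src, sport, dst, dport, proto; value, value, ...; remaining/timeout>
Key fields are hex; the middle value fields are kept as opaque strings.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Entry from the post, with its line wrap preserved.
SAMPLE_ENTRY = """<CLIENT, 0000271e, SERVER, 00002747, 00000006; 00000000, 00000001,
ffffff00; 131/300>"""

# Constructed variant with hex addresses (192.168.10.2 -> 10.0.0.5), not from the post.
SAMPLE_ENTRY_HEX = "<c0a80a02, 0000271e, 0a000005, 00002747, 00000006; 00000000, 00000001, ffffff00; 131/300>"

POLICY_TCP_TIMEOUT = 7200  # value the post reports from the policy properties


@dataclass
class ConnEntry:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    values: Tuple[str, ...]
    remaining: int   # seconds left before the firewall forgets the connection
    timeout: int     # idle timeout applied to this entry, in seconds

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))


def _addr(field: str) -> str:
    """8 hex digits decode to dotted quad; anything else (e.g. 'CLIENT') passes through."""
    if re.fullmatch(r"[0-9a-fA-F]{8}", field):
        n = int(field, 16)
        return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return field


def parse_conn_entry(text: str) -> ConnEntry:
    """Parse one <...> entry; tolerates the line wrap seen in mailing-list quotes."""
    flat = " ".join(text.split())
    m = re.fullmatch(r"<(.*)>", flat)
    if not m:
        raise ValueError("not a connections-table entry: %r" % text)
    groups = [g.strip() for g in m.group(1).split(";")]
    if len(groups) != 3:
        raise ValueError("expected key; values; remaining/timeout, got %d groups" % len(groups))
    key = [f.strip() for f in groups[0].split(",")]
    if len(key) != 5:
        raise ValueError("expected 5 key fields, got %d" % len(key))
    values = tuple(f.strip() for f in groups[1].split(",") if f.strip())
    remaining_s, timeout_s = groups[2].split("/")
    return ConnEntry(
        src=_addr(key[0]), sport=int(key[1], 16),
        dst=_addr(key[2]), dport=int(key[3], 16),
        proto=int(key[4], 16), values=values,
        remaining=int(remaining_s), timeout=int(timeout_s),
    )


def timeout_mismatch(entry: ConnEntry, policy_tcp_timeout: int) -> Optional[str]:
    """Explain when a TCP entry will expire sooner than the policy's TCP timeout.

    Returns None for non-TCP entries and for entries honouring the policy value.
    """
    if entry.proto != 6:
        return None
    if entry.timeout < policy_tcp_timeout:
        return ("%s %s:%d -> %s:%d expires after %ds idle; policy TCP timeout is %ds, "
                "so something other than the global setting governs this entry"
                % (entry.proto_name, entry.src, entry.sport, entry.dst, entry.dport,
                   entry.timeout, policy_tcp_timeout))
    return None


def analyze(text: str, policy_tcp_timeout: int = POLICY_TCP_TIMEOUT) -> Optional[str]:
    """Parse an entry and return the mismatch explanation, if any."""
    return timeout_mismatch(parse_conn_entry(text), policy_tcp_timeout)


if __name__ == "__main__":
    for sample in (SAMPLE_ENTRY, SAMPLE_ENTRY_HEX):
        e = parse_conn_entry(sample)
        print("%s %s:%d -> %s:%d  %d/%d" % (e.proto_name, e.src, e.sport, e.dst, e.dport,
                                             e.remaining, e.timeout))
        print("  ", analyze(sample) or "timeout consistent with policy")
```

Run over the post's entry this decodes to tcp CLIENT:10014 -> SERVER:10055 with 131 of 300 seconds left, and the check fires because 300 is well short of the 7200 s policy value. The check only tells you that the global setting is not what is being applied to this entry; where the 300 s actually comes from (a per-service setting on the service object, or something else) has to be confirmed in the policy itself, which the post does not show.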