Unknown WWW server-NGX on Splat

Status
Not open for further replies.

jolly403

MIS
Jul 5, 2005
Trying to implement a new installation of NGX on Splat. I currently run R55 on a Windows 2000 server. I got the Splat running, and most of my basic services worked fine, but then I got to a couple of websites that just timed out. The tracking logs showed "unknown This mostly happened at places like Amazon: search for a book, then click on the link, and nothing happens. I ran into similar problems when I first installed the R55/Windows, but the same fix didn't work.

The internal user's IExplorer is set with a proxy server that is another server running Trend Micro's Interscan Web Security Suite (which works fine with the old firewall). Traffic then goes through the firewall. The old firewall is configured with an HTTP resource/security server in order to provide some very basic URL filtering (also, on the IWSS machine, its gateway is not set to the firewall, so in effect the firewall is acting as an upstream proxy to the IWSS). No user authentication going on. I initially set the new firewall to be the same as the old one with an HTTP resource but ran into this problem. I tried setting the IWSS's gateway to the firewall and removing the HTTP resource and just allowing the standard HTTP service, but no change. The new firewall has the same external DNS servers that the old one has. I can't determine any specific pattern of failure. Some sites work, some don't.

Any ideas?
Thanks much
Brian
 
Try this and it will work:

A- Use gui-dbedit to make changes in the following parameters:

http_avoid_keep_alive (true)
http_disable_content_enc (true)
http_disable_content_type (true)
http_allow_content_disposition (true)
http_enable_uri_queries (false)
http_max_header_length (8192)
http_buffers_size (32768)
http_connection_method_transparent (true)
http_connection_method_proxy (true)
http_connection_method_tunneling (true)
http_max_url_length (8192)
http_max_request_url_length (8192)
http_allow_double_slash (true)
http_check_request_validity (false)
http_check_response_validity (false)
http_cvp_allow_chunked (true)
http_weeding_allow_chunked (true)
http_block_java_allow_chunked (true)
http_allow_ranges (true)
enable_propfind_method (true)

D- Modify the classes.C file and insert the following line after this line:

: (http_allow_store_reply :type (boolean))
: (http_match_with_host_header :type (boolean))

E- Modify the objects_5_0.C file and insert the following line after this line:

:http_allow_store_reply (false)
:http_match_with_host_header (true)

F- Modify the value “:http_max_header_length” to 8192 in the $FWDIR/conf/asm.C file
H- Perform “cpstop;cpstart” on the SPLAT firewall
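
A read-only check for the procedure above, added here as an example; it is not part of the original post and not a Check Point tool. It compares a configuration file against the values listed in steps A and E, assuming the file stores each property as `:name (value)` (the form shown in step E); the function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Values from steps A and E of the post above, as name=value pairs.
EXPECTED='
http_avoid_keep_alive=true http_disable_content_enc=true
http_disable_content_type=true http_allow_content_disposition=true
http_enable_uri_queries=false http_max_header_length=8192
http_buffers_size=32768 http_connection_method_transparent=true
http_connection_method_proxy=true http_connection_method_tunneling=true
http_max_url_length=8192 http_max_request_url_length=8192
http_allow_double_slash=true http_check_request_validity=false
http_check_response_validity=false http_cvp_allow_chunked=true
http_weeding_allow_chunked=true http_block_java_allow_chunked=true
http_allow_ranges=true enable_propfind_method=true
http_allow_store_reply=false http_match_with_host_header=true
'

# Print the first VALUE found for ":NAME (VALUE)" in FILE; empty if absent.
# Usage: get_param FILE NAME
get_param() {
    sed -n "s/^[[:space:]]*:$2[[:space:]]*(\([^)]*\)).*/\1/p" "$1" | head -n 1
}

# Report every expected parameter that is absent or differs in FILE.
# Returns 0 when all values match, 1 otherwise.
audit_params() {
    rc=0
    for pair in $EXPECTED; do
        name=${pair%%=*}; want=${pair#*=}
        got=$(get_param "$1" "$name")
        if [ -z "$got" ]; then
            echo "MISSING  $name (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name (want $want, found $got)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample in the ":name (value)" form of step E, not a real config.
sample=$(mktemp)
printf '%s\n' ':http_avoid_keep_alive (true)' \
    '    :http_max_header_length (1000)' > "$sample"
audit_params "$sample" || echo "not all values applied; fix before cpstop;cpstart"
rm -f "$sample"
```

Pointing `audit_params` at a copy of the edited file before step H shows which values did not land, which helps when the same change behaves differently on two firewalls.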





 
Thank you. I will apply these settings and let you know what happens.

Sounds like you've been through this a few times...

Brian
 
Bummer, no change after implementing all the above. Starting to really not like Checkpoint.

Brian
 
If this makes you feel any better, it works on one of my firewalls but fails on another firewall. Identical setup. Go figure.

wirelesspeap
 
This is a problem that is fixed in a hotfix (HFA-304).
Either try to install this hotfix or try to upgrade to a later version if possible.
 
Murdock002,

You've been drinking too much Checkpoint kool aid.

I'm having the same issues with the following:

1) Secureplatform NG Feature Pack 3 running HFA_327,
2) Secureplatform NG with AI R55 running HFA_17,
3) Secureplatform NG with AI R55w running HFA_04,
4) Secureplatform NGx R60 with HFA_02,
5) Nokia IP380 running IPSO 3.7.1 build 020 and NG Feature Pack 3 with HFA_327.

As I've said before, I did not have a problem on a similar system (IP710 with NG Feature Pack 3 and HFA_327). However, I have issues from 1-5 listed above. The problem is very intermittent so even Nokia/Checkpoint does not have a solution for me either. They blamed the problem on Websense. Go figure.
 