Firewall / vpn timeout


  • #47860
    Anonymous
    Participant

      Hi all,

      We have a problem with a firewall cutting off a connection if the interface is idle for an extended period.  We have the timeout on the firewall set up to its max of 24 hours. Unfortunately, this does not handle weekends when the ancillary system has almost no volume.

      We are considering sending a ZPI message every few minutes to keep the connection alive.  This ZPI would be ignored by the downstream system.

      I thought someone once talked about a PDL that would take care of this issue at the TCP layer rather than my application-layer solution.  Any info or suggestions greatly appreciated.

      Thanks.

      • #56926
        Daniel Lee
        Participant

          When we were having this problem our network guy just had nagios send a ping every 15 minutes to keep the VPN tunnel up.  This seemed to work fine.

        • #56927
          Michael Hertel
          Participant

            This is from the archive:

            The author is Mike.Golovach@vtmednet.org

            If you’re on AIX, this is the solution. It sure saved me a lot of heartache.

            >>>>>>>>

            We had this same problem and I tried everything including letting an alert create a keep alive message. But the vendor would not agree to doing the same thing on their end of the interface for their outbound thread … which was a good thing. It forced me to keep digging.

            The issue was that our TCP/IP (AIX 5.2) was configured with all of the default timeout values. The TCP_keepidle parameter needed to be set to an interval shorter than Cisco timeout value. We set ours to 3600 and the problem was solved.

            Michael

            >>>>>>>>
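
The TCP-layer approach from the archived post, as an added example that is not part of the original thread: it enables keepalive on a single socket with an idle time below the firewall's idle timeout, instead of changing the system-wide default. The function names, the 50% margin, the 60-second probe interval and the probe count of 5 are assumptions; AIX's `no` tunable `tcp_keepidle` is expressed in half-seconds, which the helper converts.

```python
import socket

LINUX_MAX_KEEPIDLE_S = 32767  # upper bound Linux accepts for per-socket TCP_KEEPIDLE

def keepidle_for(firewall_idle_s, margin=0.5):
    """Seconds of silence before the first probe, kept well under the firewall's idle timeout."""
    if firewall_idle_s < 2:
        raise ValueError("firewall idle timeout is too short to undercut")
    return min(max(1, int(firewall_idle_s * margin)), LINUX_MAX_KEEPIDLE_S)

def aix_half_seconds(seconds):
    """Convert seconds to the half-second units used by AIX `no -o tcp_keepidle=...`."""
    return seconds * 2

def enable_keepalive(sock, idle_s, interval_s=60, probes=5):
    """Enable TCP keepalive on one socket; return the values the kernel reports back."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    # Linux calls the idle option TCP_KEEPIDLE; macOS exposes it as TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    options = (
        ("idle", idle_opt, idle_s),
        ("interval", getattr(socket, "TCP_KEEPINTVL", None), interval_s),
        ("probes", getattr(socket, "TCP_KEEPCNT", None), probes),
    )
    for name, opt, value in options:
        if opt is None:
            continue  # no per-socket knob here; only the system-wide setting applies
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied

if __name__ == "__main__":
    # Constructed input: a firewall that drops flows after one hour of silence.
    idle = keepidle_for(3600)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print("per-socket settings:", enable_keepalive(s, idle))
    finally:
        s.close()
    print("equivalent AIX tcp_keepidle value:", aix_half_seconds(idle))
```

Keepalive probes are empty TCP segments, so the downstream application never sees them, unlike an application-level filler message.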

          • #56928
            Anonymous
            Participant

              Thanks Michael,

              I’ll give this info to my security person and see if this might work!
