Reply To: firewall problems and workarounds


#57657
Anonymous
Participant

    Some advocate a multiserver on Cloverleaf to work around the problem.

    Keep in mind that the problem (firewall) affects both inbound and outbound connections.

    Depending on how CL and vendor connections are set up, the hung connections will eventually be errored out, but that time might be excessive due to the TCP no-ACK algorithms.

    CL inbound

    Some advocate setting up CL as a multiserver, and that would definitely allow inbound connections when the sender eventually does something to try to establish a new connection, but how long is it going to take the sender to know there is a problem and bounce their side? There might be a lot of important messages that need to flow at that time that will be delayed. What might be other ramifications, security concerns, etc.?

    CL outbound

    We still have the problem of when TCP will do its no-ACK and cause a socket error so the thread will attempt a reconnect if we don't do message timeouts. And if we do do message timeouts and resends, if we don't do a thread down/up in a reasonable amount of time to re-establish a new connection, we are still dependent on the TCP no-ACK. If we do a thread down/up, it doesn't establish a new connection unless the receiver is in multiserver mode. There is also an additional problem in that if you shell out from a thread a background process that will stop/start the thread, it will add to that thread's process environment, eventually causing that process to panic when it runs out of env space.

    In these scenarios, keep in mind that there may be multiple firewalls involved, 2 or more and all by different vendors; bear in mind both inbound and outbound connections, and possible vendor requirements.


    Ideally, one should be able to configure the firewall(s) for no timeout on selected connections.

    They say they can't do that.

    2nd choice would be TCP keepalives. Cloverleaf does not support opening a socket in that manner, and it is not known if all vendor products would open their sockets with keepalives. So maybe the system-level TCP keepalives could be changed to 30 minutes instead of 2 hours; this would keep the connections connected. The vendors would have to either support the socket open with keepalive or be willing to change the system-level keepalive to 30 minutes.

    All this is assuming that the firewalls will pass the keepalive packets. I say this because the timeout on the firewall is there to stop data, and TCP keepalive would not allow the firewall to do so, defeating that firewall, so what's the purpose of this firewall option?

    3rd. Application-level keepalive messages. Works well, meets the requirements of the firewall. Cloverleaf is easily set up to handle inbound; scheduled resends can do the outbound. Requires vendor coding to support. Unknown what it would require of each vendor.

    4th. Multiserver. See discussion at top; has its own set of problems.

    Comments are solicited on opinions of each method, advantages/drawbacks of each for both Cloverleaf and any known vendors.
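The post's 2nd and 3rd options, per-socket TCP keepalives and an application-level timeout with reconnect, as an added Python example that is not part of the original post and is not Cloverleaf or any vendor's code. It assumes a constructed toy ACK server on 127.0.0.1 (the `MSH|ping` payload is a made-up stand-in for a real message) whose "blackhole" mode imitates a firewall that has dropped the session state and discards packets without sending a RST. The keepalive option names (`TCP_KEEPIDLE`, `TCP_KEEPINTVL`, `TCP_KEEPCNT`, `TCP_KEEPALIVE`) are the platform names Python's `socket` module exposes on Linux and BSD/macOS respectively; the function reads the values back from the kernel rather than assuming the call worked.

```python
"""Added example (not from the Clovertech post or the Cloverleaf product):
two defences against a firewall that silently drops idle TCP sessions.

1. tcp_keepalive(): enable TCP keepalives on one socket and, where the OS
   exposes the options, set that socket's own idle/interval/count timers
   instead of relying on the system-wide default (commonly 7200 s idle).
2. send_with_timeout(): an application-level message timeout.  If the peer
   does not acknowledge within `timeout` seconds the client treats the
   session as dead and reconnects, rather than waiting for TCP's own
   retransmission limit to produce a socket error.

Everything runs on 127.0.0.1 against a constructed toy ACK server; its
'blackhole' mode stands in for a firewall that has dropped the session
state and discards packets without sending a RST.
"""
import socket
import threading


def tcp_keepalive(sock, idle=1800, interval=60, count=5):
    """Turn on keepalives for `sock` and set its per-socket timers (seconds).
    Returns what the kernel reports back so the caller can verify the
    setting took effect instead of assuming it did."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    effective = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    # Option names differ by platform: Linux exposes TCP_KEEPIDLE,
    # macOS/BSD expose TCP_KEEPALIVE for the same idle timer; where the
    # socket module has neither, that entry stays None (kernel default).
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None)
    if idle_opt is None:
        idle_opt = getattr(socket, "TCP_KEEPALIVE", None)
    options = (("idle", idle_opt, idle),
               ("interval", getattr(socket, "TCP_KEEPINTVL", None), interval),
               ("count", getattr(socket, "TCP_KEEPCNT", None), count))
    for name, opt, value in options:
        if opt is None:
            effective[name] = None          # not settable here; kernel default applies
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        effective[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return effective


def start_server(blackhole=False):
    """Constructed toy server: reads one message and answers 'ACK:<msg>'.
    In blackhole mode it reads the message but never answers and keeps the
    connection open, so the client sees silence rather than EOF or RST."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))              # port 0: let the OS pick one
    srv.listen(5)
    held = []                               # blackholed conns stay open, never answered

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            data = conn.recv(4096)
            if blackhole:
                held.append(conn)
                continue
            conn.sendall(b"ACK:" + data)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def send_with_timeout(port, msg, timeout=0.5, retries=2):
    """Send `msg` and wait up to `timeout` s for an ACK.  On silence, drop the
    connection and open a fresh one (the 'thread down/up' cycle), up to
    `retries` connections in total.  Returns (ack or None, connections made)."""
    attempts = 0
    while attempts < retries:
        attempts += 1
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            tcp_keepalive(s, idle=60, interval=10, count=3)   # OS-level probe as well
            s.sendall(msg)
            try:
                ack = s.recv(4096)
            except socket.timeout:
                continue                    # no ACK in time: treat session as dead, reconnect
            if ack:
                return ack, attempts
    return None, attempts


if __name__ == "__main__":
    _, live_port = start_server()
    print(send_with_timeout(live_port, b"MSH|ping"))        # (b'ACK:MSH|ping', 1)
    _, dead_port = start_server(blackhole=True)
    print(send_with_timeout(dead_port, b"MSH|ping", 0.2))   # (None, 2)
    print(tcp_keepalive(socket.socket()))
```

The blackhole case is the one to watch: with no RST coming back, plain `recv()` blocks until TCP's own retransmission limit gives up, which is the long delay the post describes; the application timeout turns that into a bounded wait and a deliberate reconnect. Whether a middlebox counts the kernel's keepalive probes as activity is up to that firewall, which is why the application-level ACK exchange is the portable check.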