Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

TCP keep alive packets dropped by the firewall

SOLVED
Go to solution
Assafmil
Occasional Contributor

TCP keep alive packets dropped by the firewall

Hi,



We have started using the TCP keep alive mechanism.

Things are ok when the firewall is down.

When the firewall is active, the TCP keep alive packets are dropped by the firewall.

How can I configure the firewall to let the packets through?

The TCP ports change with each session so I can't simply open a port.



Thanks,
6 REPLIES
OLARU Dan
Trusted Contributor

Re: TCP keep alive packets dropped by the firewall

If you are using Cisco PIX as a firewall [congratulations, it has never been broken in an attack], you could look at the options offered by the "fixup" CLI command.

You should "fixup" the protocol you need the firewall to let in from lower security interface to higher security interface.

Se Cisco manuals, which in my opinion are clear enough.

If you're using Checkpoint or other, see what "fixup" does for Cisco, then look for corresponding equivalent instruction in the device's manuals.
OLARU Dan
Trusted Contributor

Re: TCP keep alive packets dropped by the firewall

You probabily use Checkpoit :-)
Assafmil
Occasional Contributor

Re: TCP keep alive packets dropped by the firewall

I can simulate it in my office with a standard simple windows firewall.
The field setup is using a cisco product.
Can you refer me to some document with the fixup CLI command you are talking about.

thanks!
OLARU Dan
Trusted Contributor
Solution

Re: TCP keep alive packets dropped by the firewall

OLARU Dan
Trusted Contributor

Re: TCP keep alive packets dropped by the firewall

Are you trying to setup/use a Site-to-Site IPSec VPN? Or maybe a Client-to-Site IPSec VPN using some Cisco VPN client software?

In the first case is better to use a VPN machine at the other end of the channel that is of the same make/model and has the same firmware version as used at your end. The IPSec VPN configuration settings on the participating machines should be made symmetrical, one config on one of the machine mirroring the config on the other machine - this requires the SAME firmware version, and implicitly the SAME make/model.
Assafmil
Occasional Contributor

Re: TCP keep alive packets dropped by the firewall

Hi Dan,

I have no access or knowledge regarding the specific equipment which is used in the field (we are only a part of this project).
I just wanted to know if there is something simple that can be done to solve this problem because it can be easily simulated with a simple windows firewall.

Thanks for all your help and good will.