
TCP keep alive packets dropped by the firewall

 
Assafmil
Occasional Contributor


Hi,



We have started using the TCP keep alive mechanism.

Things are ok when the firewall is down.

When the firewall is active, the TCP keep alive packets are dropped by the firewall.

How can I configure the firewall to let the packets through?

The TCP ports change with each session so I can't simply open a port.



Thanks,
6 REPLIES
OLARU Dan
Trusted Contributor

Re: TCP keep alive packets dropped by the firewall

If you are using Cisco PIX as a firewall [congratulations, it has never been broken in an attack], you could look at the options offered by the "fixup" CLI command.

You should "fixup" the protocol you need the firewall to let in from the lower security interface to the higher security interface.

See Cisco manuals, which in my opinion are clear enough.

If you're using Checkpoint or other, see what "fixup" does for Cisco, then look for the corresponding equivalent instruction in the device's manuals.
OLARU Dan
Trusted Contributor

Re: TCP keep alive packets dropped by the firewall

You probably use Checkpoint :-)
Assafmil
Occasional Contributor

Re: TCP keep alive packets dropped by the firewall

I can simulate it in my office with a standard simple Windows firewall.
The field setup is using a Cisco product.
Can you refer me to some document with the fixup CLI command you are talking about?

thanks!
OLARU Dan
Trusted Contributor
Solution

Re: TCP keep alive packets dropped by the firewall

OLARU Dan
Trusted Contributor

Re: TCP keep alive packets dropped by the firewall

Are you trying to set up/use a Site-to-Site IPSec VPN? Or maybe a Client-to-Site IPSec VPN using some Cisco VPN client software?

In the first case it is better to use a VPN machine at the other end of the channel that is of the same make/model and has the same firmware version as used at your end. The IPSec VPN configuration settings on the participating machines should be made symmetrical, one config on one of the machines mirroring the config on the other machine - this requires the SAME firmware version, and implicitly the SAME make/model.
Assafmil
Occasional Contributor

Re: TCP keep alive packets dropped by the firewall

Hi Dan,

I have no access or knowledge regarding the specific equipment which is used in the field (we are only a part of this project).
I just wanted to know if there is something simple that can be done to solve this problem because it can be easily simulated with a simple Windows firewall.

Thanks for all your help and good will.