I have R65 installed on Solaris 9, on Sun4u. It's currently running into an issue where during long connections (I think. It doesn't appear to do this to all connections, and I can't work out what the difference between those affected and those not is) it stops allowing traffic after a certain period of time. No traffic is logged as being dropped. When I use fw monitor -p All, I can see the traffic reaching stage five outbound (fw VM outbound) and getting no further. The start of the connection sets up properly however, and I can see the connection logged as passed in Smart Tracker. fw ctl debug doesn't seem to point me to anything useful, nor does fw debug fwd. Is there anything obvious I'm missing that could be causing this?
Found it. It appears that Check Point maintains an MTU separately from the OS, and packets which breach this are silently dropped. This explains why nothing was being logged in Smart Tracker, and why things were being dropped after stage five (they were failing to pass Wire VM outbound). This can be changed with
If you do change this, you'll need to update the settings to have it reapplied on reboot. These are set in $FWDIR/conf/modules/fwkern.conf, with
(Thanks to those on freenode who explained this to me)
Are the affected connections idle, or is there traffic passing between them when the problem occurs? Most firewalls have an idle session timeout function for connections that are not passing traffic. This helps the firewall recover resources from the idle connections, such as memory, CPU, state table entries, etc.