Network applications accessed using SSL Network Extender have been found to fail after one of
their TCP connections has been left idle for more than one hour. You determine that you must
enable sending reset (RST) packets upon TCP time-out expiration. Where is it necessary to
change the setting?
A. $FWDIR/conf/objects_5_0.C
B. $FWDIR/conf/objects.C
C. $WEBISDIR/conf/cpadmin.elg
D. $CVPNDIR/conf/cvpnd.C
Explanation:
Symptoms
Network applications accessed using SNX hang or crash after one of their TCP connections has been left idle for more than an hour.
Cause
For some applications, connections may stay idle for a long time, and when the communication is resumed after a connection timeout, reset (RST) packets are sent from Connectra to the client and the server.
When they do not receive the RST packet, applications may hang or behave unexpectedly. Connectra records all TCP connections with a certain timeout. The default timeout is one hour. When this timeout is reached, the connection is deleted from the connections table.
By default, Connectra does not send an RST packet upon TCP connection expiration.
Solution
Follow the instructions below to enable sending reset (RST) packets upon TCP timeout expiration:
1. Log in to Connectra's expert shell (in a cluster setup, log in to the active administration member).
2. Type the cpstop command.
3. Edit the $FWDIR/conf/objects_5_0.C file.
4. Find the property named fw_rst_expired_conn, and change its value to true.
5. Save the edited file.
6. Type the cpstart command.
7. Log in to the administration portal and install the policy.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails&solutionid=sk31904
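
The file edit from the solution above, written as a guarded shell function (an added example, not part of the original solution or Check Point's own tooling). It assumes the property is stored as a ":fw_rst_expired_conn (false)" line; the helper names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the property is stored as a ":name (value)" line.
PROP='fw_rst_expired_conn'

# Print the current value(s) of the property, one per line.
get_rst_prop() {
    sed -n "s/^[[:space:]]*:${PROP}[[:space:]]*(\([^)]*\)).*/\1/p" "$1"
}

# Set the property to true in file $1, keeping a backup in $1.bak.
# Refuses to edit if the property is missing, duplicated or has an
# unexpected value, so a malformed file is never written back.
enable_rst_prop() {
    file=$1
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    current=$(get_rst_prop "$file")
    case $current in
        '')    echo "$PROP not found in $file" >&2; return 3 ;;
        true)  echo "$PROP already true"; return 0 ;;
        false) ;;
        *)     echo "unexpected value(s): $current" >&2; return 4 ;;
    esac
    cp -p "$file" "$file.bak" || return 5
    sed "s/^\([[:space:]]*:${PROP}[[:space:]]*\)(false)/\1(true)/" \
        "$file.bak" > "$file" || { cp -p "$file.bak" "$file"; return 6; }
    # Verify: exactly one line differs from the backup and it now reads true.
    changed=$(diff "$file.bak" "$file" | grep -c '^>' || true)
    [ "$changed" -eq 1 ] && [ "$(get_rst_prop "$file")" = true ]
}

# Constructed sample standing in for $FWDIR/conf/objects_5_0.C.
make_sample() {
    printf '%s\n' '(' '    :firewall_properties (' \
        '        :fw_keep_old_conns (false)' \
        '        :fw_rst_expired_conn (false)' \
        '    )' ')' > "$1"
}
```

On the appliance this would be called as enable_rst_prop "$FWDIR/conf/objects_5_0.C" between cpstop and cpstart, with the policy installed afterwards as in the last step.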