000013896 - XUDATIMEOUT and Checkpoint firewall issue

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000013896

Applies To:
RSA Certificate Manager 6.7
RSA Registration Manager 6.7
Microsoft Windows Server 2003 SP2
Cisco Pix Firewall
Checkpoint firewall

Issue

XUDATIMEOUT and Checkpoint firewall issue

The firewall was changed from Cisco Pix to Checkpoint, and we have been seeing a lot of slowness when loading up the RA Administration pages.

The RM pages are extremely slow to load the first time. The firewall is seeing packet out of sync errors. The pages load normally (10-20 seconds) after the first login. If the application is logging then there is no delay; however, after an extended period of time, say overnight, the pages are extremely slow to load.

Example
*******************************************

Information: TCP packet out of state: First packet isn't SYN

tcp_flags: PUSH-ACK

SmartDefense Profile: Default_Protection

Information: TCP packet out of state: First packet isn't SYN

tcp_flags: PUSH-ACK

SmartDefense Profile: Default_Protection


Timeout set in xudad.conf:

XUDATIMEOUT 305

Cause

The firewall timeout is set at 1 hour, and ports (t17636 and t18636) are set to 5 hours.

Resolution

Disabled the timeout at the firewall, i.e. set it to time out at 24 hrs, and observed that the slowness is no longer there.
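One way to triage a firewall log export for the symptom shown in the Example, as an added example that is not RSA's or Check Point's code: it groups the fields into records and picks out the out-of-state drops whose flags indicate data on a connection the endpoints still consider open. The sample log is constructed in the article's field layout; the FIN-ACK record and the `ACK` flag spelling are assumptions.

```python
from collections import Counter

# Constructed sample in the field layout of the article's Example.
# The FIN-ACK record is an assumed contrast case, not taken from the article.
SAMPLE_LOG = """\
Information: TCP packet out of state: First packet isn't SYN
tcp_flags: PUSH-ACK
SmartDefense Profile: Default_Protection

Information: TCP packet out of state: First packet isn't SYN
tcp_flags: PUSH-ACK
SmartDefense Profile: Default_Protection

Information: TCP packet out of state: First packet isn't SYN
tcp_flags: FIN-ACK
SmartDefense Profile: Default_Protection
"""

# Flags that carry data on a connection both endpoints still believe is open.
# PUSH-ACK is from the article; ACK is an assumed spelling for a bare ACK.
DATA_FLAGS = {"PUSH-ACK", "ACK"}


def parse_records(text):
    """Group 'key: value' lines into records; a record starts at 'Information:'."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            continue  # skip blank lines and separators such as '*****'
        if key.strip() == "Information":
            current = {}
            records.append(current)
        if current is not None:
            current[key.strip()] = value.strip()
    return records


def stale_session_drops(records):
    """Out-of-state drops that look like traffic on an aged-out idle session."""
    return [r for r in records
            if "out of state" in r.get("Information", "")
            and r.get("tcp_flags") in DATA_FLAGS]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(Counter(r.get("tcp_flags") for r in recs))
    print(len(stale_session_drops(recs)), "of", len(recs), "drops match")
```

A run of PUSH-ACK drops that appears after long idle periods is consistent with the firewall's session timeout expiring before the application reuses its connections.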

Workaround: Firewall changed from Cisco Pix to Checkpoint
Legacy Article ID: a46986
