000025200 - Connection leak with Check Point Firewall installed between RSA Keon Certificate Authority and Web Sentry

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000025200

Applies To:
  Keon Certificate Authority 6.5.1
  Sun Solaris 2.8
  Keon Web Sentry 6.0.3
  Keon Web Sentry 6.0.4
  iPlanet 4.1 Web Server SP9
  Check Point Firewall

Issue: Connection leak with Check Point Firewall installed between RSA Keon Certificate Authority and Web Sentry
There are too many Web Sentry connections in the TIME-WAIT state at a given time on the KCA. TIME-WAIT is a legitimate state that a TCP connection passes through before it is closed down. On Solaris, by default, every TCP connection waits 4 minutes in this state before closing. If too many Web Sentry connections are established and closed during a 4-minute period, the KCA is likely to run out of file descriptors.

Cause: If a connection is kept idle longer than Check Point's TCP timeout, Check Point drops the connection without notifying the KCA, so the KCA side of the connection is never closed. This is a common issue wherever a firewall sits between a server and a client.

Resolution: RSA Security Engineering has created a keep-alive feature for Web Sentry to prevent the connection to the KCA from going idle and being dropped by your firewall. For details of this fix, please contact RSA Security Customer Support and reference BZ 3868.
Notes:
  VDC BZ 3868
  BZ 32473

Legacy Article ID: a25621
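The following is an added example, not code from the article or from RSA's Web Sentry. It illustrates the two halves of the problem described above from the operator's side: measuring how many sockets on the KCA are pinned in TIME_WAIT (and how that number scales with the 4-minute Solaris TIME_WAIT interval against the file-descriptor limit), and enabling TCP-level keepalive on a client socket so an idle connection keeps emitting traffic that a stateful firewall will see. The `netstat` sample is constructed, not captured from a real KCA; the socket option names are the Linux ones (Solaris exposes keepalive timing through `TCP_KEEPALIVE_THRESHOLD` instead, which the code tolerates by skipping options the platform lacks). Whether Web Sentry's own keep-alive feature uses TCP keepalive or an application-level ping is not stated in the article and is not assumed here.

```python
import socket
from collections import Counter

# Constructed sample of `netstat -an` output in Solaris layout (not a real
# capture). Only the first column (local address.port) and the last column
# (TCP state) are used.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address      Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
10.0.0.5.443         10.0.0.20.51012      49640      0 49640      0 TIME_WAIT
10.0.0.5.443         10.0.0.20.51013      49640      0 49640      0 TIME_WAIT
10.0.0.5.443         10.0.0.20.51014      49640      0 49640      0 ESTABLISHED
10.0.0.5.443         10.0.0.20.51015      49640      0 49640      0 TIME_WAIT
10.0.0.5.22          10.0.0.9.40001       49640      0 49640      0 ESTABLISHED
"""

TCP_STATES = {
    "ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT", "SYN_SENT", "SYN_RCVD",
    "FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "LAST_ACK", "LISTEN", "IDLE", "BOUND",
}

# Solaris default tcp_time_wait_interval: 240000 ms, i.e. the 4 minutes the
# article refers to.
SOLARIS_TIME_WAIT_SECONDS = 240


def count_states(netstat_text, local_port=None):
    """Count TCP connections per state, optionally only for one local port."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[-1] not in TCP_STATES:
            continue  # banner, header or separator line
        if local_port is not None and not fields[0].endswith("." + str(local_port)):
            continue
        counts[fields[-1]] += 1
    return counts


def time_wait_ceiling(closes_per_second, time_wait_seconds=SOLARIS_TIME_WAIT_SECONDS):
    """Sockets that can sit in TIME_WAIT at once: every connection closed in the
    last time_wait_seconds still holds a descriptor."""
    return closes_per_second * time_wait_seconds


def check_fd_pressure(netstat_text, fd_limit, local_port=None, warn_fraction=0.8):
    """Compare descriptors held by live and lingering sockets against the limit."""
    counts = count_states(netstat_text, local_port)
    held = counts["TIME_WAIT"] + counts["ESTABLISHED"] + counts["CLOSE_WAIT"]
    return {
        "held": held,
        "time_wait": counts["TIME_WAIT"],
        "warn": held >= fd_limit * warn_fraction,
    }


def enable_keepalive(sock, idle_seconds=60, interval_seconds=10, probes=3):
    """Turn on TCP keepalive so an idle connection still carries packets.

    idle_seconds must be shorter than the firewall's idle timeout for the
    probes to keep the firewall's state entry alive. Timing options use Linux
    names and are skipped where the platform does not define them.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (
        ("TCP_KEEPIDLE", idle_seconds),
        ("TCP_KEEPINTVL", interval_seconds),
        ("TCP_KEEPCNT", probes),
    ):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))


def keepalive_demo():
    """Create an unconnected TCP socket, enable keepalive, report the result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return enable_keepalive(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    print("states on port 443:", dict(count_states(SAMPLE_NETSTAT, 443)))
    print("TIME_WAIT ceiling at 5 closes/s:", time_wait_ceiling(5))
    print("pressure:", check_fd_pressure(SAMPLE_NETSTAT, fd_limit=5, local_port=443))
    print("keepalive enabled:", keepalive_demo())
```

On a live KCA host the text fed to `count_states` would come from `netstat -an`; `time_wait_ceiling` shows why a modest connection rate becomes a descriptor problem at a 240-second TIME_WAIT interval (5 closes per second pins 1200 sockets), which is the arithmetic behind the article's warning. The keepalive idle value has to be chosen below the firewall's TCP timeout, otherwise the probes start after the state entry is already gone.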
