11 comments
Hi,
I am trying to understand this parameter. The parameter specifies how long the connection between a WebGate and an Access Server can last.
Is this time parameter for every user who makes a request to a protected resource? Suppose 100 users make a request to a (protected) resource; then 100 connections will be opened by the WebGate to the Access Server, and those 100 connections will be open for 24 hours.
Then what does this parameter signify?
Or is it a different connection mechanism between WebGate and Access Gate?
What is the difference between Maximum Client Session Time in Access Gate Configuration and Access Server Configuration?
Do we need to change both sides?
If 1 hour is recommended, why is the default setting 24 hours?
What will happen if the firewall drops the session? I’m facing a problem like this: the firewall drops the session, but that session will still be ESTABLISHED in the Access Server (by the netstat -a command). So then the number of sessions increases in the Access Server and the system will be down. Amazingly, it automatically recovers in the afternoon like nothing happened before (the number of sessions will be back to normal).
Hi Haris,
Max client session time in AccessGate defines the connection time between AG and AS if there is a firewall between them. I am not sure if there is a prominence for a similar param in the AS configuration.
It need not be 1 hr, but it should be the actual firewall timeout.
If the firewall drops the ESTABLISHED connections, then those connections that are lasting for 1 hr (param setting) will be dropped and new connections will be established from AG/WG.
Hope this helps.
Thanks
Mahendra.
Hi Mahendra,
Thanks a lot for your answer.
Yesterday I tried to implement it as per your explanation: create a user-defined parameter for maxSessionTimeUnits in minutes, and change the value of Maximum Session to 50.
Session time in the firewall is 3600 sec.
But this morning I checked, and it seems not to be working, as so many connections are still dropped.
In the OAM Server, there are zombie connections (netstat) that are dropped by the firewall.
I wonder if this user-defined parameter will work on OAM 10.1.4.3.
Hi,
Connections will close automatically before the firewall timeout. Is this not happening?
If not, when do you notice connections dropping?
HTH
-Mahendra
Nope, even after 50 minutes, by netstat I can still see the connection established in WebGate.
And then after more than 1 hour, the firewall drops it (I see this in the firewall log).
The problem is, even when the connection was dropped and doesn’t exist anymore in WebGate, it will create a zombie in the OAM server. Day by day, they will increase and make OAM hang.
What should I check first?
Now I’m trying to increase the firewall session to 24 hours (Access Gate Max Session is still 50 minutes) to prevent the firewall from dropping the connection.
Sorry, I need to add this info:
In our system, there are 16 WebGates and 2 OAM servers.
Every time I restart OAM, the number of connections to port 8888 (OAM) is ~160.
But 3-4 days after restart, the number of connections will become >1000, and OAM will hang and restart automatically after hanging for several hours.
Firewall dropping connections is unusual. You can also check the initial connections and max connections in webgate definition. Make sure to have reasonable value for these params.
For firewall drops, you can test this. Remove the user defined param. Specify Max Session time as 1 hr or 60 mins and increase firewall timeout to 70 mins. This will tell you if user defined param is causing the issue.
-M
Mahendra,
You are correct!
I’ve tried to change the Max Session Time to 1 hr and increase the firewall timeout to 70 min.
It works now; I can see in the firewall log that there are 10 new connections created every hour and the number of connections in OAM is stable (also 10).
In this case, maxSessionTimeUnits is not working on OAM 10.1.4.3.
However, it happened only on our Checkpoint UTM-1 (firmware R75.20) but not on our Checkpoint IP 295, 395, 2455 (firmware R75.40).
Thanks for your help.
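
The zombie-connection check described in this thread (counting ESTABLISHED sockets on the OAM port with netstat) can be scripted per WebGate host. The following is an added example, not code from the thread or from Oracle; it assumes Linux-style `netstat -an` columns, and the function names, sample addresses and the per-peer limit are hypothetical.

```shell
#!/bin/sh
# Constructed sample of Linux-style `netstat -an` output on the Access Server
# (addresses are made up; 8888 is the OAM port mentioned in the thread).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp   0      0      0.0.0.0:8888    0.0.0.0:*         LISTEN
tcp   0      0      10.0.0.5:8888   10.0.1.11:40112   ESTABLISHED
tcp   0      0      10.0.0.5:8888   10.0.1.11:40113   ESTABLISHED
tcp   0      0      10.0.0.5:8888   10.0.1.12:51200   ESTABLISHED
tcp   0      0      10.0.0.5:8888   10.0.1.12:51201   ESTABLISHED
tcp   0      0      10.0.0.5:8888   10.0.1.12:51202   ESTABLISHED
tcp   0      0      10.0.0.5:8888   10.0.1.12:51203   ESTABLISHED
tcp   0      0      10.0.0.5:8888   10.0.1.11:40001   TIME_WAIT
tcp   0      0      10.0.0.5:22     10.0.9.9:60022    ESTABLISHED
EOF
}

# count_per_peer PORT: read netstat lines on stdin and print "peer count"
# for ESTABLISHED connections whose local port is PORT.
count_per_peer() {
  awk -v port="$1" '
    $NF == "ESTABLISHED" {
      n = split($4, loc, /[:.]/)        # last piece of the local address is the port
      if (loc[n] != port) next
      peer = $5
      sub(/[:.][0-9]+$/, "", peer)      # strip the remote port, keep the host
      seen[peer]++
    }
    END { for (p in seen) print p, seen[p] }
  ' | sort
}

# over_limit PORT LIMIT: print peers holding more than LIMIT connections.
# LIMIT is an assumption: set it to the max connections configured for a WebGate,
# so any excess on the server side is a connection the WebGate no longer holds.
over_limit() {
  count_per_peer "$1" | awk -v limit="$2" '$2 > limit { print $1 }'
}

# Stand-alone run over the constructed sample.
sample_netstat | count_per_peer 8888
```

On a live Access Server the same functions read real output, for example `netstat -an | over_limit 8888 LIMIT`, run periodically so growth like the ~160 to >1000 reported above is caught before OAM hangs.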