Firewall Trouble: Dropped Sessions versus High Latency
Bill Alderson, Technology Consulting Officer, NetQoS, Inc.

We have seen an alarming number of firewalls that keep state for only 5 minutes of inactivity and then drop important connections between systems on either side of the firewall. We have also seen firewalls that keep state for so long (an hour or more) that the state table grows large enough for latency through the firewall to hurt performance.

What is happening? Why do some firewalls keep state information for hours and others for only a few minutes?

If your web server talks to your database server across a firewall and the connection sits idle for 5 minutes, the firewall discards its state entry. The next packet on that connection is dropped as unknown traffic, so the web server must open a new connection, and the application fails intermittently after any 5 minutes of inactivity.

To combat this problem, security staff simply raise the idle timeout from the 5-minute default to something higher. Once they do, the number of sessions held in the state table grows so large that state lookups delay every packet through the firewall.

Here is the scoop. TCP keep-alive defaults to 2 hours: RFC 1122 requires that keep-alives be off by default and that the idle interval, where they are used, be no less than 2 hours, and most operating systems use exactly 2 hours. After 2 hours of silence the side with keep-alive enabled sends a keep-alive probe (an empty segment carrying only the ACK flag, with a sequence number one below the next expected byte) and the peer answers with an ACK. Because the firewall's idle timeout is far shorter than that, the state entry expires long before the first keep-alive ever crosses the firewall.

To fix both problems, high latency through the firewall and dropped idle sessions, do the following. Recommend that every desktop change its TCP keep-alive from 2 hours to 3 minutes. Great solution, right? All you have to do is touch every end station. Wrong! The solution is to change the TCP keep-alive on the server only. Keep-alive probes are sent by whichever side has the option enabled, so one side is enough, and that way you touch only the servers you manage and not the end stations, some of which (Internet clients, for example) you may not manage at all.

With keep-alive enabled on the server's sockets, the server starts the probe/ACK exchange every 3 minutes for as long as the session stays connected, and each exchange refreshes the firewall's state entry. Keep the keep-alive interval shorter than the firewall's idle timeout (3 minutes against a 5-minute timeout leaves a comfortable margin), and note that on most stacks the keep-alive timers are only consulted for sockets that set SO_KEEPALIVE, so the server application or its configuration must enable the option, not just the system-wide timer. You can then lower the firewall's state timeout to something more reasonable, which shrinks the state table and reduces firewall latency.
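A worked example of the server-side fix, added here and not part of the original article: it derives keep-alive timers from a firewall's idle timeout, enables keep-alive on the server's accepted socket only (the client socket is left untouched, as an unmanaged end station would be), and reads the values back from the kernel to verify them. The 300-second timeout, the loopback demo and all function names are assumptions for illustration.

```python
"""Added example (not from the NetQoS article): size server-side TCP keep-alive
to a firewall's idle timeout, apply it to a server socket, and read it back.
The 300 s timeout, the loopback demo and the names are constructed assumptions."""
import socket

# Constructed assumption: the firewall between the web and database tiers
# expires idle state after 300 s (the 5-minute default the article describes).
FIREWALL_IDLE_TIMEOUT_S = 300


def keepalive_params(firewall_idle_timeout_s, probes=3, margin=0.5):
    """Return (idle, interval, count) for a given firewall idle timeout.

    idle:     seconds of silence before the first probe.  The probe is what
              refreshes the firewall's state entry, so idle is held at
              margin * timeout, well below the timeout itself.
    interval: seconds between unanswered probes.
    count:    unanswered probes before the kernel declares the peer dead.
    Worst-case dead-peer detection time is idle + interval * count.
    """
    if firewall_idle_timeout_s <= 0:
        raise ValueError("firewall idle timeout must be positive")
    idle = max(1, int(firewall_idle_timeout_s * margin))
    interval = max(1, idle // probes)
    return idle, interval, probes


def _idle_option():
    # Linux and most Unix-like stacks: TCP_KEEPIDLE; macOS: TCP_KEEPALIVE.
    return getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)


def enable_keepalive(sock, idle, interval, count):
    """Enable keep-alive on one socket and set its timers.

    SO_KEEPALIVE is per socket: system-wide defaults (Linux
    net.ipv4.tcp_keepalive_time etc.) only apply to sockets that turn it on,
    so the server application must set it.  Linux exposes the timers as
    TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT; Windows takes idle and interval in
    milliseconds via SIO_KEEPALIVE_VALS.  Where no timer option exists only
    SO_KEEPALIVE is set and the system default (commonly 2 hours) applies.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = _idle_option()
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    if hasattr(socket, "SIO_KEEPALIVE_VALS"):  # Windows only
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle * 1000, interval * 1000))


def read_keepalive(sock):
    """Read back what the kernel recorded, so the change can be verified."""
    out = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    idle_opt = _idle_option()
    if idle_opt is not None:
        out["idle"] = sock.getsockopt(socket.IPPROTO_TCP, idle_opt)
    if hasattr(socket, "TCP_KEEPINTVL"):
        out["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
    if hasattr(socket, "TCP_KEEPCNT"):
        out["count"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return out


def demo(firewall_idle_timeout_s=FIREWALL_IDLE_TIMEOUT_S):
    """Stand in for the database server: accept one loopback connection,
    enable keep-alive on the accepted (server-side) socket only, and return
    the settings the kernel reports.  The client socket is left as is."""
    idle, interval, count = keepalive_params(firewall_idle_timeout_s)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()
    try:
        enable_keepalive(server_side, idle, interval, count)
        return read_keepalive(server_side)
    finally:
        server_side.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    print(keepalive_params(FIREWALL_IDLE_TIMEOUT_S))
    print(demo())
```

With a 300-second firewall timeout the helper picks a 150-second idle timer with three 50-second retries, so the first probe crosses the firewall with half the timeout to spare and a dead peer is noticed within the original 300 seconds. For server software whose sockets already set SO_KEEPALIVE but whose timers you cannot change in code, the Linux sysctls net.ipv4.tcp_keepalive_time, net.ipv4.tcp_keepalive_intvl and net.ipv4.tcp_keepalive_probes supply the same three values system-wide; they have no effect on sockets that never enable the option.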

© 2001-2008 NetQoS, Inc. All rights reserved.