Networker

Re: [Networker] Backup through a firewall? (feedback from ISS)

2002-08-23 15:40:53
Subject: Re: [Networker] Backup through a firewall? (feedback from ISS)
From: Ragu Nandan <ragus1edify AT YAHOO DOT COM>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Fri, 23 Aug 2002 12:38:53 -0700
Rich,
     Thx for your reply. If this is the case, I don't
understand why Legato Tech Support and their
higher-ups admit it as an issue and release this patch
for us. They have consistently denied the existence of
such a problem and a patch for this. When I gave the
patch number (I don't recall whether it was the same
number as this one) as well, they say they don't
believe in Message Board stuff. Pretty frustrating.
Ragu

--- Rich <rm11232000 AT yahoo DOT com> wrote:
>
> This is a known issue within Legato, and is
> documented as an RFE - LGTpa33177.  There is a
> workaround in the way of a script that one of their
> SE's wrote up, and there are plans to create a
> permanent solution in a future version (post 7.0).
> The script is documented in the RFE, and should be
> able to be obtained from Tech Support.
>
> RM
>
> At 06:32 PM 8/22/02 -0700, Ragu Nandan wrote:
>
> My environment is Checkpoint 4.1  SP4, Legato 6.1.1.
> Issue for more than 8 months. We have Tech Support
> with ISS (Checkpoint) and Legato. ISS simulated the
> same enviro as ours. Below is their feedback. IMHO,
> only workarounds from Checkpoint side will work
> nothing else. I don't like changing the default
> behaviour of Checkpoint. Opening another can of
> worms..
> HTH
> Ragu
>
-------------------------------------------------------
> When Legato begins a backup process, either scheduled or manual, it begins by establishing a connection by performing a proper "tcp handshake" beginning with a "syn" from the client/server, followed by a "syn ack" from the remote client/server, and then followed by an "ack" from the originating client/server. The connection is now "established", and the backup begins. What we have found is that whenever the backup process is stalled or halted for any length of time, when the backup process starts up again the client/server starts transmitting with "ack" packets (which is normal), but on a different "connection ID". This new connection ID is seen by the CheckPoint Firewall-1 ver 4.1 firewall as a "new connection", but doesn't follow a proper "tcp handshake", which the firewall sees as being invalid. This invokes the firewall's feature of dropping the packets on rule 0 stating the error message "unknown established tcp packet".
>
> Here is why ver 4.1 and NG do this, but ver 4.0 does not. In version 4.1, and now NG, only "syn" packets are applied to the rule base. The following "syn ack" and "ack" packets are considered part of the original connection, and are then considered stateful. When the Legato software starts sending "ack" packets as part of (what CheckPoint considers) a "new connection", it must establish a new "tcp handshake", or CheckPoint will not re-apply the packets to the rule base.
>
> Through my tests, I have found that when the Legato client/server is not under any load, the backup functions without issue, but once practically any load on the device begins, the backup process stalls or pauses as mentioned above. This could be due to the following (higher priority services taking up processor or memory, network traffic load, etc.). This was thoroughly tested in a structured lab environment.
>
> The only way to get the backup process to work efficiently is to disable the new packet handling capabilities of CheckPoint Firewall-1 ver 4.1, which increases load and degrades performance of the firewall itself. This is the current workaround for the issue; however, it is not "resolved". All future releases of CheckPoint Firewall-1 will have this type of packet handling feature. It is essential that Legato find and resolve this issue in future releases.
>
> There are currently many companies who are using Legato for their backups; however, without being able to run it properly through a CheckPoint firewall, it could be the deciding factor for many other companies who find it to be lacking for their implementations. If you have any additional questions or concerns, please let me know.


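A toy model of the stateful-inspection behaviour the ISS engineer describes, added here as an illustration; it is not code from the thread, from Check Point or from Legato. It assumes one constructed rule, constructed addresses and a constructed port range, and models two modes: the 4.1/NG mode in which only SYN packets are matched against the rule base, and a relaxed mode standing in for the "disable the new packet handling" workaround.

```python
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# A packet is (src, sport, dst, dport, flags) with flags "S", "SA" or "A".
Packet = Tuple[str, int, str, int, str]

# Constructed rule base: rule 1 lets the 10/8 client network reach the
# backup server on a constructed port range. Anything else hits rule 0.
RULEBASE = [(ip_network("10.0.0.0/8"), ip_address("192.168.1.10"), (7937, 9936), "accept")]


class StatefulFirewall:
    def __init__(self, match_non_syn_against_rulebase: bool = False):
        # False models FW-1 4.1/NG; True models the 4.0-style workaround.
        self.relaxed = match_non_syn_against_rulebase
        self.state = set()          # 4-tuples of established connections
        self.log: List[str] = []

    def _rulebase(self, pkt: Packet):
        src, _, dst, dport, _ = pkt
        for i, (net, server, ports, action) in enumerate(RULEBASE, 1):
            if ip_address(src) in net and ip_address(dst) == server and ports[0] <= dport <= ports[1]:
                return i, action
        return 0, "drop"            # implicit cleanup rule

    def process(self, pkt: Packet) -> str:
        src, sport, dst, dport, flags = pkt
        conn, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if conn in self.state or reverse in self.state:
            return "accept"         # SYN-ACK / ACK of a connection we already track
        if flags == "S" or self.relaxed:
            rule, action = self._rulebase(pkt)
            if action == "accept":
                self.state.add(conn)
            self.log.append(f"rule {rule} {action} {flags}")
            return action
        # Non-SYN packet with no state entry: the 4.1/NG behaviour from the post.
        self.log.append("rule 0 drop: unknown established tcp packet")
        return "drop"


def legato_session(fw: StatefulFirewall, resume_port: int) -> List[str]:
    """Replay the ISS scenario: clean handshake, stall, then bare ACKs on a new connection ID."""
    client, server = "10.1.2.3", "192.168.1.10"   # constructed addresses
    results = [fw.process((client, 40001, server, 7938, "S")),
               fw.process((server, 7938, client, 40001, "SA")),
               fw.process((client, 40001, server, 7938, "A"))]
    # After the stall the client resumes with ACKs from a different source port.
    results.append(fw.process((client, resume_port, server, 7938, "A")))
    return results
```

In the strict mode the fourth result is "drop" and the last log line is the rule 0 message quoted in the post; in the relaxed mode the same ACK is matched against rule 1 and accepted.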
