Networker

Re: [Networker] Backup through a firewall? (feedback from ISS)

2002-08-23 15:45:37
Subject: Re: [Networker] Backup through a firewall? (feedback from ISS)
From: Rich <rm11232000 AT YAHOO DOT COM>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Fri, 23 Aug 2002 12:38:25 -0700
This is a known issue within Legato, and is documented as an RFE - LGTpa33177.
There is a workaround in the way of a script that one of their SEs wrote up,
and there are plans to create a permanent solution in a future version (post
7.0). The script can be obtained from Tech Support.

RM

At 06:32 PM 8/22/02 -0700, Ragu Nandan wrote:

My environment is Checkpoint 4.1 SP4, Legato 6.1.1.
This has been an issue for more than 8 months. We have Tech Support
with ISS (Checkpoint) and Legato. ISS simulated the
same environment as ours. Below is their feedback. IMHO,
only workarounds from the Checkpoint side will work,
nothing else. I don't like changing the default
behaviour of Checkpoint. Opening another can of
worms..
HTH
Ragu
-------------------------------------------------------
When Legato begins a backup process, either scheduled
or manual, it begins by establishing a connection by
performing a proper "tcp handshake", beginning with a
"syn" from the client/server, followed by a "syn ack"
from the remote client/server, and then followed by an
"ack" from the originating client/server. The
connection is now "established", and the backup
begins. What we have found is that whenever the
backup process is stalled or halted for any length of
time, then when the backup process starts up again,
the client/server starts transmitting with "ack"
packets (which is normal), but on a different
"connection ID". This new connection ID is seen by
the CheckPoint Firewall-1 ver 4.1 firewall as a "new
connection", but it doesn't follow a proper "tcp
handshake", which the firewall sees as being invalid.
This invokes the firewall's feature of dropping the
packets on rule 0, stating the error message "unknown
established tcp packet".

Here is why ver 4.1 and NG do this, but ver 4.0 does
not. In version 4.1, and now NG, only "syn" packets
are applied to the rule base. The following "syn ack"
and "ack" packets are considered part of the original
connection, and are then considered stateful. When the
Legato software starts sending "ack" packets as part
of (what CheckPoint considers) a "new connection", it
must establish a new "tcp handshake", or CheckPoint
will not re-apply the packets to the rule base.

Through my tests, I have found that when the Legato
client/server is not under any load, the backup
functions without issue, but once practically any load
on the device begins, the backup process stalls or
pauses as mentioned above. This could be due to the
following (higher priority services taking up
processor or memory, network traffic load, etc.). This
was thoroughly tested in a structured lab environment.

The only way to get the backup process to work
efficiently is to disable the new packet handling
capabilities of CheckPoint Firewall-1 ver 4.1, which
increases load and degrades performance of the
firewall itself. This is the current workaround for
the issue; however, it is not "resolved". All future
releases of CheckPoint Firewall-1 will have this type
of packet handling feature. It is essential that
Legato find and resolve this issue in future releases.
There are currently many companies who are using
Legato for their backups; however, without being able
to run it properly through a CheckPoint firewall, it
could be the deciding factor for many other companies
who find it to be lacking for their implementations.
If you have any additional questions or concerns,
please let me know.
--
Note: To sign off this list, send a "signoff" command via email
to listserv AT listmail.temple DOT edu or visit the list's Web site at
http://listmail.temple.edu/archives/networker.html where you can
also view and post messages to the list.
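The ISS explanation above boils down to a state-table rule: a pure SYN is matched against the rule base and creates a connection entry; SYN/ACK and ACK packets are accepted only if they belong to an entry that already exists, and an ACK on a connection ID the firewall has never seen a SYN for is dropped on rule 0 as "unknown established tcp packet". The toy filter below is an added illustration written for this page; it is not code from the thread, from Check Point or from Legato. The hosts, the port (7937 is used as a stand-in for whatever the rule base permits) and the `strict_state` switch that models "disabling the new packet handling" are all assumptions made for the example; real FW-1 state tracking also has timeouts and sequence checks that are not modelled here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Minimal TCP segment: 4-tuple plus flag set, e.g. frozenset({"SYN"})."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

UNKNOWN_ESTABLISHED = "rule 0: unknown established tcp packet"


class StatefulFilter:
    """Toy model of the FW-1 4.1 behaviour described in the thread.

    strict_state=True : only pure SYN packets hit the rule base; every other
                        packet must match an existing connection ID.
    strict_state=False: the older (4.0-style) mode assumed for the example,
                        where a mid-stream packet with no state entry is
                        re-applied to the rule base instead of being dropped.
    """

    def __init__(self, rules, strict_state=True):
        self.rules = list(rules)          # ordered (dst_host, dst_port) accept rules
        self.strict_state = strict_state
        self.table = set()                # connection IDs: (src, sport, dst, dport)

    @staticmethod
    def conn_id(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_id(p):
        # the reply direction of a tracked connection (e.g. the SYN/ACK)
        return (p.dst, p.dport, p.src, p.sport)

    def _match_rules(self, p):
        for n, (dst, dport) in enumerate(self.rules, start=1):
            if p.dst == dst and p.dport == dport:
                return n
        return None

    def process(self, p):
        """Return (verdict, reason) for one packet and update the state table."""
        pure_syn = "SYN" in p.flags and "ACK" not in p.flags
        if pure_syn:
            n = self._match_rules(p)
            if n is None:
                return ("DROP", "no matching rule")
            self.table.add(self.conn_id(p))
            return ("ACCEPT", f"rule {n}, new connection")
        if self.conn_id(p) in self.table or self.reverse_id(p) in self.table:
            return ("ACCEPT", "state table")
        if not self.strict_state:
            n = self._match_rules(p)
            if n is not None:
                self.table.add(self.conn_id(p))
                return ("ACCEPT", f"rule {n}, mid-stream packet re-applied to rule base")
            return ("DROP", "no matching rule")
        return ("DROP", UNKNOWN_ESTABLISHED)


def legato_scenario(strict_state=True):
    """Replay the sequence ISS describes: clean handshake, data, a stall, then
    the backup resuming with ACKs on a different connection ID (new source
    port) and no new handshake. Hosts and port are constructed for the example.
    Returns the (verdict, reason) list, one entry per packet."""
    client, server, port = "10.0.1.20", "10.0.2.5", 7937   # assumed values
    fw = StatefulFilter(rules=[(server, port)], strict_state=strict_state)
    packets = [
        Packet(client, 40001, server, port, frozenset({"SYN"})),          # handshake 1/3
        Packet(server, port, client, 40001, frozenset({"SYN", "ACK"})),   # handshake 2/3
        Packet(client, 40001, server, port, frozenset({"ACK"})),          # handshake 3/3
        Packet(client, 40001, server, port, frozenset({"ACK", "PSH"})),   # backup data
        # ... backup stalls; when it resumes the ACKs carry a new connection ID ...
        Packet(client, 40002, server, port, frozenset({"ACK", "PSH"})),   # no SYN first
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"strict_state={mode}")
        for verdict, reason in legato_scenario(mode):
            print(f"  {verdict:6s} {reason}")
```

Running it shows the first four packets accepted in both modes, while the resumed ACK on port 40002 is dropped with the "unknown established tcp packet" reason only when `strict_state` is on, which is the behaviour the thread attributes to 4.1/NG; in the relaxed mode it is re-applied to the rule base and accepted, at the cost of a rule-base lookup for every mid-stream packet.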