Re: [ADSM-L] TSM and keepalive packets

2011-07-07 12:55:24
Subject: Re: [ADSM-L] TSM and keepalive packets
From: Thomas Denier <Thomas.Denier AT JEFFERSONHOSPITAL DOT ORG>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 7 Jul 2011 12:52:58 -0400
-----Richard Sims wrote: -----

>One approach would be to have a background Linux 'ping' command with
>a reasonable repeat interval to try to keep the connection alive
>between the two servers.

The Linux 'ping' command uses ICMP rather than TCP layered on top of
IP. There is no way an ICMP packet could affect the firewall's tracking
of activity on TCP connections.

>Another approach is to have two TSM server admin schedules running,
>30 minutes apart, to issue PING SERVER across the two.

As far as I know, a TSM server executing a PING SERVER command opens
a new TCP connection, carries out some kind of data exchange to convince
itself that the other server is still there, and closes the TCP
connection. If this understanding is correct, the PING SERVER command
does not trigger any activity on the pre-existing TCP connection that
is at risk of a firewall timeout.

>Ideally, you could have the firewall administrator disable timeouts.

There is no way it would be possible to disable timeouts completely.
This would cause the firewall's memory to fill up with state information
for TCP connections whose endpoints had long ago lost interest in the
connections. We may end up asking to have the timeout lengthened, but
we are not optimistic about getting that done. Such a request would
probably be characterized as a request to weaken security. Around here
that characterization has developed a remarkable power to shut down
the part of people's brains used for real thought about costs and
benefits.
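The message above explains why neither an ICMP ping nor a PING SERVER issued over a fresh connection refreshes the firewall's state entry for the idle server-to-server TCP connection: only segments on that same connection count. TCP keepalive probes are exactly such segments. The following is an added Python example, not code from the post, from the list or from TSM, showing how an application socket on Linux is configured so that probes go out well before an assumed 30-minute firewall idle timeout. The timeout value, the helper names and the loopback client/server pair are constructed for illustration.

```python
import socket

# Constructed assumption for the example: the firewall drops state for a
# TCP connection after 30 minutes without traffic.
FIREWALL_IDLE_TIMEOUT_S = 1800


def keepalive_settings(firewall_idle_timeout_s, margin_fraction=0.5):
    """Derive keepalive timers that refresh firewall state before it expires.

    Returns (idle, interval, count) in seconds/probes:
      idle     - seconds of silence before the first probe is sent
      interval - seconds between probes while they go unacknowledged
      count    - unanswered probes before the kernel declares the peer dead
    """
    idle = max(1, int(firewall_idle_timeout_s * margin_fraction))
    interval = max(1, min(75, idle // 6))
    count = 5
    # The whole detection window must still finish inside the firewall timeout,
    # otherwise the state entry can expire while probes are still in flight.
    if idle + interval * count >= firewall_idle_timeout_s:
        raise ValueError("keepalive window does not fit under firewall timeout")
    return idle, interval, count


def _idle_option():
    # Linux calls the idle timer TCP_KEEPIDLE; macOS exposes it as TCP_KEEPALIVE.
    return getattr(socket, "TCP_KEEPIDLE", getattr(socket, "TCP_KEEPALIVE", None))


def enable_tcp_keepalive(sock, idle, interval, count):
    """Turn on keepalive probes on an already-connected stream socket."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = _idle_option()
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)


def read_keepalive(sock):
    """Read the effective keepalive settings back from the kernel."""
    out = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    idle_opt = _idle_option()
    if idle_opt is not None:
        out["idle"] = sock.getsockopt(socket.IPPROTO_TCP, idle_opt)
    if hasattr(socket, "TCP_KEEPINTVL"):
        out["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
    if hasattr(socket, "TCP_KEEPCNT"):
        out["count"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return out


def demo_loopback():
    """Stand-in for the long-lived server-to-server connection: a loopback pair."""
    idle, interval, count = keepalive_settings(FIREWALL_IDLE_TIMEOUT_S)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())
    peer, _ = srv.accept()
    try:
        enable_tcp_keepalive(cli, idle, interval, count)
        return read_keepalive(cli)
    finally:
        peer.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    print(demo_loopback())
```

With a 1800 s firewall timeout the helper picks a 900 s idle timer, 75 s between probes and 5 probes, so the first probe leaves at 15 minutes and the last possible one at about 21 minutes, both inside the firewall's window. The probes are ordinary TCP segments on the existing connection, which is what a stateful firewall counts as activity; the kernel-wide defaults in /proc/sys/net/ipv4/tcp_keepalive_* apply only to sockets that enable SO_KEEPALIVE without setting their own timers, and the Linux default idle of two hours is longer than most firewall timeouts.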