SSL VPN connections dropping through CheckPoint firewall

cnormand

I have searched through CheckPoint's knowledge base and can't find anything pertaining to a problem we're experiencing, and I also read through old posts here and don't see anything so....

We are running CheckPoint NG fp 3 on a Nokia IP650. We have a large number of contractors on site that connect to their corporate network via an SSL VPN solution. The firewall rule is built (and has been for a year) and works fine. However, every single day at least 2 or 3 times, every contractor loses their connection at the same time. They have pursued the problem with their company but it appears that only this site is losing the connection.

We were thinking maybe the connections table on the firewall is getting full and dropping the oldest sessions (we use the default of 25000)? Does anyone have any advice or experience with this? (or debugging?...this is kind of an inherited firewall...I'm more of a Cisco expert!! :-)

Thank you in advance for any information!!

Chris
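
One way to test the connections-table theory raised in the post above, as an added example that is not part of the original thread: compare the current and peak entry counts reported by `fw tab -t connections -s` against the configured limit (25000 in the post). The function name, the sample output and its column layout (HOST NAME ID #VALS #PEAK #SLINKS) are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of `fw tab -t connections -s` output (values are made up).
# Assumed column layout: HOST NAME ID #VALS #PEAK #SLINKS
SAMPLE_OUTPUT='HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158 18342 25000   36684'

# conn_table_check LIMIT [WARN_PCT]   (hypothetical helper for this example)
# Reads `fw tab -t connections -s` output on stdin and prints one line:
#   FULL   - the peak entry count has reached the configured limit
#   WARN   - the peak is at or above WARN_PCT percent of the limit (default 80)
#   OK     - the peak is below the warning threshold
#   NODATA - no "connections" row was found in the input
conn_table_check() {
    limit=$1
    warn_pct=${2:-80}
    awk -v limit="$limit" -v warn="$warn_pct" '
        # Match only the data row, not the header, and require numeric counts.
        $2 == "connections" && $4 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ {
            vals = $4 + 0; peak = $5 + 0; found = 1
            if (peak >= limit)                   state = "FULL"
            else if (peak * 100 >= limit * warn) state = "WARN"
            else                                 state = "OK"
            printf "%s vals=%d peak=%d limit=%d\n", state, vals, peak, limit
        }
        END { if (!found) print "NODATA" }
    '
}

# Stand-alone run against the constructed sample, using the limit from the post.
printf '%s\n' "$SAMPLE_OUTPUT" | conn_table_check 25000
```

On the firewall itself the input would come from `fw tab -t connections -s | conn_table_check 25000`, run around the time of a drop so the result can be lined up with when the contractors lose their sessions.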
 
It's nothing obvious like happening when you do a policy push...or I think if an interface loses a connection (e.g. it doesn't terminate in a hub and someone pulls the cable out at the other end) there is the following setting in IPSO under checkpoint firewall 1 settings in Voyager:

Run ifwd daemon to monitor interface changes? on off

ifwd monitors changes to interfaces, and signals FireWall-1 to reinstall interfaces if there have been changes. This allows dynamic creation of RFC 1483 interfaces without manually restarting FireWall-1, and allows anti-spoofing to work across hot-plugging of interfaces. It can have a negative effect on High Availability, in that one firewall system going down can cause the other to reinstall interfaces, breaking some connections that would otherwise survive the failure.
