sarji
asked on
http 1.1 through Checkpoint firewall 1
Hi
I am trying to write a server and client. The server is on the internet, not behind a firewall. The client is on the internet behind a Checkpoint Firewall 1. HTTP is enabled in the firewall.
The client sends a request and the server responds. I am using HTTP 1.1 with the keep-alive option.
I have two Checkpoints in 2 different locations; with one Checkpoint firewall machine the program works fine, but with the second, after the first request/response the connection channel closes. Since I am using HTTP 1.1 keep-alive, the second firewall also must work like the first one. I don't know why the second firewall behaves differently.
But the second and first firewall behave the same if I put an HTTP content length greater than the actual one, or if I send large packets like 3000 bytes etc.
Any idea why this problem with the actual content length happens on one machine?
Thanks in advance
regards
sarji
geoffyn is correct. The firewall administrator at the site that does not work has it right. Since this is not normal behavior for HTTP, we typically set the firewall to not allow this.
ASKER
Thanks for response.
When I said about larger packets, I meant I can send many requests and responses and this connection channel is not being closed.
And both the firewall installations are the same, so it should behave similarly.
If I send an HTTP content length greater than the actual value, both Checkpoints work. (Say if the content length is 5 and I set the content length in the HTTP packet as 6, it will work in both firewalls. If I set the content length as 5, one firewall will close the channel after that request/response.)
But with HTTP 1.1 the channel should stay open, isn't it?
And remember that I am sending continuous packets.
And if the Nagle algorithm is enabled, both work well. If the Nagle algorithm is disabled, the above case happens.
If I disable the Nagle algorithm and put a sleep between the socket sends, both work well for some time.
And also, as I said earlier, if I send large packets with Nagle disabled, then also both firewalls behave the same.
Any idea?
regards
sarji
You need at least FW 4.0 SP5 or FW 4.1 SP1
If you are using the HTTP security server (invoked by using user authentication, CVP or URL filtering), then check these in objects.C:
:http_sup_continue (true) (New for 4.0 SP5 and 4.1 SP1)
Enables the HTTP Security Server to support the HTTP 1.1 CONTINUE command.
:http_avoid_keep_alive (true) (New for 4.0 SP5 and 4.1 SP1)
Forces the HTTP Security Server to ignore the "Keep Alive" directive in HTTP 1.1, needed when working with CVP servers.
:http_allow_ranges (true)
Allows the HTTP Security Server to handle downloads that occur as byte ranges, used in HTTP 1.1.
ASKER
Hi
I have Checkpoint 4.1 SP1. The problem, as I mentioned earlier, is that the same firewall works differently in 2 locations with the same program. In one location it works with HTTP packets with content length equal to the actual length. In the other location it does not.
In both cases the Nagle algorithm is disabled.
regards
sarji
ASKER
I am increasing the points to 400. Please do answer the issue.
ASKER
Sorry, to 300, as it is the limit.
Do you use user auth, CVP or URL filtering on the firewalls ?
If so, the HTTP security server is invoked and this is not truly HTTP 1.1 compatible (it only officially supports 1.0).
Any joy yet ?
Hey people,
No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts refunded.
Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
Zenlion420
EE Page Editor
ASKER CERTIFIED SOLUTION
"HTTP is a stateless protocol - this means that every request is independent of every other. Keep alive doesn’t change that. Additionally, there is no guarantee that the client or the server will keep the connection open. Even in 1.1, all that is promised is that you will probably get a notice that the connection is being closed. So keepalive is something you should not write your application to rely upon."
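The accepted answer's point (do not write the client to rely on keep-alive) and the asker's Content-Length observation, as an added Python example that is not part of this thread: a minimal HTTP/1.1 client that sends a Content-Length equal to the real body size, reads the response body by Content-Length instead of waiting for the connection to close, and treats a connection dropped by the peer or a firewall as normal by reconnecting. The host, port and path are placeholders, and the retry is only safe for requests that may be repeated.

```python
import socket

def build_request(host, path, body=b""):
    """HTTP/1.1 POST whose Content-Length equals the real body size."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\nConnection: keep-alive\r\n\r\n")
    return head.encode("ascii") + body

def parse_response(raw):
    """One complete response from a byte buffer -> (status, body, leftover, reusable),
    or None if bytes are missing. Body ends at Content-Length, never at socket close."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return None
    lines = raw[:sep].decode("latin-1").split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    hdrs = {k.strip().lower(): v.strip() for k, v in
            (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    length, rest = int(hdrs.get("content-length", "0")), raw[sep + 4:]
    if len(rest) < length:
        return None
    conn = hdrs.get("connection", "").lower()
    # HTTP/1.1 is persistent unless told "close"; HTTP/1.0 only with "keep-alive".
    reusable = conn != "close" if version == "HTTP/1.1" else conn == "keep-alive"
    return int(status), rest[:length], rest[length:], reusable

def request(conn, host, port, path, body=b""):
    """Send one request over `conn` (open socket or None); return (status, body,
    socket for the next request or None). A dropped connection is expected, not fatal."""
    for reused in (conn is not None, False):
        if conn is None:
            conn = socket.create_connection((host, port))  # placeholder host/port
        buf = b""
        try:
            conn.sendall(build_request(host, path, body))
            while (parsed := parse_response(buf)) is None:
                chunk = conn.recv(4096)
                if not chunk:
                    raise ConnectionError("peer closed the connection")
                buf += chunk
        except OSError:
            conn.close()
            conn = None
            # A reused socket that died before any reply byte never got the request: retry once.
            if not reused or buf:
                raise
            continue
        status, rbody, _, reusable = parsed
        if not reusable:
            conn.close()
        return status, rbody, conn if reusable else None
```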