We help IT Professionals succeed at work.

http 1.1 through Checkpoint firewall 1

sarji
sarji asked
on
Medium Priority
404 Views
Last Modified: 2013-11-16
Hi

I am trying to write a server and client. server is in internet not behind firewall. Client in internet behind checkpoint firewall 1.  HTTP is neabled in firewall.

client send request and server responds. I am using http 1.1 with keep alive option.

I have two checkpoints in 2 differnt locations, with one check point firewall machine the program works fine. But with second after first request response the connection channel closes. Since I am using http 1.1 keep alive,  second firewall also must work like first one. I don't know why the scond firewall behaves differently.

But second and first firewall bahves same if I put http content length greater than actual one. or if I send large packets like 3000 bytes etc.

any idea why this problem with atcual content length in one machine?

Thanks in advance

regards
sarji




Comment
Watch Question

Commented:
You are probably being effected by TCP tear down of the NAT session on the remote side.  If yo usend larger packets, the get fragmented and take longer to arrive, therefore the teardown takes longer.

"HTTP is a stateless protocol - this means that every request is independent of every other. Keep alive doesn’t change that. Additionally, there is no guarantee that the client or the server will keep the connection open. Even in 1.1, all that is promised is that you will probably get a notice that the connection is being closed. So keepalive is something you should not write your application to rely upon."

Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
geoffyn is correct. The firewall administrator at the site that does not work has it right. Since this is not normal behavior for HTTP, we typically set the firewall to not allow this.

Author

Commented:
Thanks for response.

When i said about larger packets, I meant I can send many number of request and response and this connection channel is not being closed.

And both the firewall isntalltion are same . So it should behave similar.

If I send http content length greater than the actual value it both checkpoint works. (say if content lenght is 5 and if i set content length in http packet as 6 it will work in both firewalls. If i set conet length as 5, one firewall will close the channel after that request response.)
But with http 1.1 the channel should be open.isn't it?

And remember that I am sending continous packets .

And If nagel algorithm enabled both will work well. If nagel algortihm is disabled the above case happends.

Ig I disable nagle algortihm and put a sleep between the socket send , both works well for sometime.

And also as I said earlier If I send large packets with nagle disabled, then also both firewalls behaves same.

any idea?

regards
sarji






Commented:
You need at least FW 4.0 SP5 or FW 4.1 SP1
If you are using HTTP security server (invoked by using user authentication, CVP or URL filtering), then check these in objects.C

:http_sup_continue (true) (New for 4.0 SP5 and 4.1 SP1)

Enables the HTTP Security Server to support the HTTP 1.1 CONTINUE command.

:http_avoid_keep_alive (true) (New for 4.0 SP5 and 4.1 SP1)

Forces the HTTP Security Server to ignore the "Keep Alive" directive in HTTP 1.1, needed when working with CVP servers.

:http_allow_ranges (true)

Allows the HTTP Security Server to handle downloads that occur as byte ranges, used in HTTP 1.1.

Author

Commented:
Hi

I am having checkpoint 4.1 sp1. the problem as I mentioned earlier , the same firewall works differently in 2 locations with same program. In one location it works http packets with content length equal to actual length. In location it is not.
In both cases nagel algorithm is disabled.

regards
sarji

Author

Commented:
i am increasing the point to 400. pls do aswer to the issue.

Author

Commented:
sorry to 300 as it is the limit

Commented:
Do you use user auth, CVP or URL filtering on the firewalls ?
If so, the HTTP security server is invoked and this is not truly HTTP 1.1 compatible (only official supports 1.0).

Commented:
Any joy yet ?
CERTIFIED EXPERT

Commented:
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts refunded.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
PAQed, with points refunded (300)

SpazMODic
EE Moderator

Explore More ContentExplore courses, solutions, and other research materials related to this topic.