
List:       sidewinder
Subject:    RE: [Sidewinder] Upgrade from 5.1.1 Platinum to 5.2.1.0.6 ...
From:       sidewinder-admin () adeptech ! com
Date:       2003-01-28 21:45:44

Charles,
	Yesterday patch 5.2.1.07 appeared, which fixes some https issues:
- Corrects the idle timeout for HTTPS proxy.
- Significantly reduces the occurrence of the gsslp proxy leaving file
descriptors open on a getpeername session failure.
- Enhances gsslp proxy performance.
	You could try with the default "intelligent" https proxy (gsslp) and
its new fixes.
	Please tell me how and when you solve your problem.

Greetings from Chile ...
                    Fernando Allendes Fernández
Ingeniero de Seguridad de Redes / Network Security Engineer
    mailto:fallendes@NOSPAMatichile.com       http://www.atichile.com
          La Concepción 177, Providencia, Santiago, Chile.
       Teléfono: (56) 2 550 58 00  - Fax: (56) 2 555 48 15


-----Original Message-----
From: sidewinder-admin@adeptech.com [mailto:sidewinder-admin@adeptech.com]
Sent: Wednesday, 22 January 2003 19:08
To: 'sidewinder@adeptech.com'
Subject: RE: [Sidewinder] Upgrade from 5.1.1 Platinum to 5.2.1.0.6 ...


Have you double checked to make sure the traffic isn't being passed using an
ipfilter? Sidewinder uses the ipfilter database against traffic before the
acl database. Take a look at your audit.raw; it should tell you what acl the
traffic is using to come in on. Hope this helps.


-----Original Message-----
From: sidewinder-admin@adeptech.com
[mailto:sidewinder-admin@adeptech.com]
Sent: Thursday, January 23, 2003 2:03 AM
To: 'sidewinder@adeptech.com'
Subject: RE: [Sidewinder] Upgrade from 5.1.1 Platinum to 5.2.1.0.6 ...


I'm going to show this to support as well, it looks as though the external
burb is not using the proxies???  I'm not sure how that could be possible,
since data is flowing in from the outside through those proxies right now?
Unless I'm reading this wrong, which is entirely possible.

NSS.COMMON.CONF

t_proxy_controls(httpp on /var/run/proxy/httpp/httpp.pid 
 /var/run/proxy/httpp/sox /usr/libexec/httpp htpp max_fd[16384] max_mem[] 
 run_level[] args[] failure_mode[off] maxconns[] connsperinstance[])

t_proxy_controls(httpsp off /var/run/proxy/httpsp/httpsp.pid 
 /var/run/proxy/httpsp/sox /usr/libexec/gsslp Htps max_fd[16384] max_mem[] 
 run_level[] args[-f /etc/sidewinder/proxy/httpsp.conf -a httpsp]
 failure_mode[off] maxconns[] connsperinstance[])

t_proxy_controls(HTTPSp on /var/run/proxy/HTTPSp/HTTPSp.pid
/var/run/proxy/HTTPSp/sox /usr/libexec/tcpgsp Genx max_fd[16384] max_mem[]
run_level[] args[-f /etc/sidewinder/proxy/HTTPSp.conf] failure_mode[off]
maxconns[] connsperinstance[])

NSS.CONF.EXTERNAL

t_proxy(http 0 0 off stream tcp httpp ip_addresses[] ports[])

t_proxy(https 0 0 off stream tcp httpsp ip_addresses[] ports[])

NSS.CONF.INTERNAL

t_proxy(http 0 0 on stream tcp httpp ip_addresses[] ports[80])

t_proxy(https 0 0 off stream tcp httpsp ip_addresses[] ports[444])

t_proxy(HTTPS 443 443 on stream tcp HTTPSp ip_addresses[] ports[])
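The nss.conf excerpts above are what the list is asking Charles to read by eye: which t_proxy entries are on in each burb, and whether the proxy control each one points at is itself enabled in nss.common.conf. The following is an added example, not code from the thread or from Secure Computing, that parses lines in the shape shown above and reports the same mismatches. The sample text is copied in shape from the excerpts; the meaning of every field other than the on/off flag and the control name is an assumption, and the field names used in the code are the example's own.

```python
import re

# Constructed sample in the shape of the nss.common.conf excerpt above
# (entries are wrapped across lines, as in the posted config).
SAMPLE_COMMON = """
t_proxy_controls(httpp on /var/run/proxy/httpp/httpp.pid
 /var/run/proxy/httpp/sox /usr/libexec/httpp htpp max_fd[16384] max_mem[]
 run_level[] args[] failure_mode[off] maxconns[] connsperinstance[])
t_proxy_controls(httpsp off /var/run/proxy/httpsp/httpsp.pid
 /var/run/proxy/httpsp/sox /usr/libexec/gsslp Htps max_fd[16384] max_mem[]
 run_level[] args[-f /etc/sidewinder/proxy/httpsp.conf -a httpsp]
 failure_mode[off] maxconns[] connsperinstance[])
t_proxy_controls(HTTPSp on /var/run/proxy/HTTPSp/HTTPSp.pid
/var/run/proxy/HTTPSp/sox /usr/libexec/tcpgsp Genx max_fd[16384] max_mem[]
run_level[] args[-f /etc/sidewinder/proxy/HTTPSp.conf] failure_mode[off]
maxconns[] connsperinstance[])
"""

# Constructed per-burb samples in the shape of the nss.conf excerpts above.
SAMPLE_CONF = {
    "nss.conf.external": """
t_proxy(http 0 0 off stream tcp httpp ip_addresses[] ports[])
t_proxy(https 0 0 off stream tcp httpsp ip_addresses[] ports[])
""",
    "nss.conf.internal": """
t_proxy(http 0 0 on stream tcp httpp ip_addresses[] ports[80])
t_proxy(https 0 0 off stream tcp httpsp ip_addresses[] ports[444])
t_proxy(HTTPS 443 443 on stream tcp HTTPSp ip_addresses[] ports[])
""",
}

# t_proxy_controls(<control> <on|off> ...): only the control name and its
# state are used; the rest of the entry is ignored.
CONTROLS_RE = re.compile(r"t_proxy_controls\((?P<control>\S+)\s+(?P<state>on|off)\s")

# t_proxy(<name> <n> <n> <on|off> <sock> <proto> <control> ip_addresses[..] ports[..])
# Field names other than state/control are this example's assumptions.
T_PROXY_RE = re.compile(
    r"t_proxy\((?P<name>\S+)\s+(?P<a>\d+)\s+(?P<b>\d+)\s+(?P<state>on|off)\s+"
    r"(?P<sock>\S+)\s+(?P<proto>\S+)\s+(?P<control>\S+)\s+"
    r"ip_addresses\[(?P<ips>[^\]]*)\]\s+ports\[(?P<ports>[^\]]*)\]\)"
)


def parse_controls(text):
    """Map each proxy control name in nss.common.conf to True if it is on."""
    return {m["control"]: m["state"] == "on" for m in CONTROLS_RE.finditer(text)}


def parse_t_proxy(text):
    """Return one dict per t_proxy entry in a burb's nss.conf."""
    entries = []
    for m in T_PROXY_RE.finditer(text):
        entries.append({
            "name": m["name"],
            "enabled": m["state"] == "on",
            "control": m["control"],
            # Separator between multiple ports is unknown; pull out the digits.
            "ports": [int(p) for p in re.findall(r"\d+", m["ports"])],
        })
    return entries


def audit(common_conf, burb_confs):
    """List (burb, proxy, reason) for every proxy that cannot be serving traffic:
    the t_proxy entry is off, or its control is missing or off in nss.common.conf."""
    controls = parse_controls(common_conf)
    findings = []
    for burb, text in burb_confs.items():
        for e in parse_t_proxy(text):
            if not e["enabled"]:
                findings.append((burb, e["name"], "proxy entry is off"))
            elif e["control"] not in controls:
                findings.append((burb, e["name"],
                                 "no t_proxy_controls entry for %s" % e["control"]))
            elif not controls[e["control"]]:
                findings.append((burb, e["name"],
                                 "control %s is off" % e["control"]))
    return findings


if __name__ == "__main__":
    for burb, proxy, reason in audit(SAMPLE_COMMON, SAMPLE_CONF):
        print("%-18s %-6s %s" % (burb, proxy, reason))
```

Run against the sample, the report says exactly what the reply in the thread suspects: both external-burb entries are off, and the internal https entry (port 444, pointing at the httpsp control that is also off) is off, while internal http and HTTPS are the only entries that are both on and backed by an enabled control.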

-----Original Message-----
From: sidewinder-admin@adeptech.com
[mailto:sidewinder-admin@adeptech.com]
Sent: Monday, January 20, 2003 7:35 PM
To: sidewinder@adeptech.com
Subject: RE: [Sidewinder] Upgrade from 5.1.1 Platinum to 5.2.1.0.6 ...


Can you post the http and https both orig and generic lines from burb(s)
they're running in?  Part of the upgrade somewhere between 5.1.1 plat and
5.2.1 you have to add an entry to all the nss.confs for http, https, ftp.
And 2 other proxies... can't recall off the top of my head, though.

-----Original Message-----
To: "'sidewinder@adeptech.com'" <sidewinder@adeptech.com>
From: sidewinder-admin@adeptech.com
Subject: RE: [Sidewinder] Upgrade from 5.1.1 Platinum to 5.2.1.0.6 ...
Date: Mon, 20 Jan 2003 13:31:16 -0600

I'm looking at the nss.common.conf, but I don't see where you define the
ports exactly in that file.  I thought that file referenced the proxy file
for each proxy, which is where the ports are defined?  I don't believe the
system is over utilized, it never goes over 2% utilization, and is for
external facing customers only.  It could be the F5's, but it is curious
that rebooting the firewall is what is fixing the problem, and not rebooting
the f5's.  All other traffic flows through the F5's in a "passthrough" mode,
so the F5's are still passing traffic.

-----Original Message-----
From: sidewinder-admin@adeptech.com
[mailto:sidewinder-admin@adeptech.com]
Sent: Monday, January 20, 2003 12:20 PM
To: sidewinder@adeptech.com
Subject: RE: [Sidewinder] Upgrade from 5.1.1 Platinum to 5.2.1.0.6 ...


Probably not any of these, but just to be sure: did you add all the port
entries into the nss.conf files? Is your system highly utilized and running out
of source ports? (though that should have happened before, one would think); is it
the f5's rather than the sidewinders?

-----Original Message-----
To: "Sidewinder maillist (E-mail)" <sidewinder@adeptech.com>
From: sidewinder-admin@adeptech.com
Subject: [Sidewinder] Upgrade from 5.1.1 Platinum to 5.2.1.0.6 ...
Date: Mon, 20 Jan 2003 10:45:56 -0600

Greetings everyone,
I have recently upgraded one of my 5.11 platinum sidewinders to the latest
version 5.2.1.0.6.  The upgrade went smoothly with no errors, but I am
having a problem.  My firewall stops accepting connections for http and
https periodically right now.  I have a support case open (84603), but so
far with my audit.raw, and some tcpdumps etc, they can't find anything.
This firewall sits on the outside of an "air gap" dmz, with an F5 Bigip load
balancer between it and the dmz servers.  I am still able to telnet and
connect with the gui to the firewall when it stops accepting http and https
connections, so it isn't shutting down the interfaces completely, just those
two proxies.  An nss restart fixes the problem for a couple of minutes, but
I usually end up rebooting to resolve the issue.  This is the second time I
have tried to upgrade this firewall, and the second time I have had problems
of this type. If anyone has any ideas, I am open to suggestions, Secure is
helping as much as they possibly can, but so far haven't come up with
anything other than some of the connections out to internet addresses are
being reset, but we can't figure out why.  Ideas are welcome.

Charles D. Schuppan
Network Services
Lead Network Analyst
mailto:charles.schuppan@ecolab.com
Phone: 2724
Cell:  651-775-8230

_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
