TCP Packet out of state

Have trawled through this forum and there's lots on the above but I still can't see a solution to my issue.

NGX R60 / IP390 / NOKIA IPSO Clustering (Forwarding mode). 3rd party using FW1_clntauth_http (900) to Cluster object with SECURID. Cluster then passing authentication request to internal ACE server which authenticates correctly. 3rd party is authorized to pass through firewall as appropriate client authentication rule dictates.

The problem appears totally randomly (all could be OK for 13 hours, 45 mins, 3 hours, etc.): the individual firewall objects send back TCP out of state messages (First packet isn't SYN SYN-ACK & First packet isn't SYN RST-ACK) on source port 900 to the clients. This effectively de-authorizes them to use the appropriate rules they require. This affects all clients from the 3rd party at the same time and the problem seems to last a random period (25 mins, 56 mins, etc.) before they can successfully authenticate and all is well again.

What I can't understand is why the FWs do this, as the 'Client Authentication Authorization Timeout' setting is set to 12 hours. For reference there are loads of similar out of state messages on the logs for HTTP browsing. I understand the reasons for the messages (especially with clustering) but they are non-problematic to the business, whereas the SECURID issue is! I don't want to uncheck 'Drop out of state TCP packets' as this defeats the purpose of a FW.

I am not sure if this is just a 'feature' which I have to live with because I'm using clustering and some solutions like mine just ain't cut out for it; however, has anyone experienced something similar before I have to start removing one of the FWs from the cluster, etc. to get to the bottom of the issue? Since migrating to NGX R60 / IP390 / NOKIA IPSO Clustering (Forwarding mode), all has been well for the roughly 20 services routing through the FWs apart from the above!!
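The post describes two kinds of out-of-state drops: a steady background of harmless ones for HTTP browsing, and occasional bursts on source port 900 that hit every client of the 3rd party at once. A first triage step is to pull the port-900 drops out of the noise and look for moments when several distinct clients are affected within the same short window, since that pattern points at something happening on the firewall side (e.g. a cluster state change) rather than at any one client. The script below is an added example, not code from the post or from Check Point; the log line format it parses is constructed for the example (field names `src`, `sport`, `dst`, `dport`, `reason`, `flags` are assumptions) and would need adapting to real exported logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (the format is an assumption, not real Check Point output).
# Lines 1-2 mimic the benign HTTP out-of-state noise; lines 3-5 mimic a burst on
# port 900 hitting three clients within seconds; line 6 is a single isolated drop.
SAMPLE_LOG = """\
2024-03-01 09:00:01 fw1 drop proto=tcp src=10.1.1.1 sport=80 dst=192.0.2.50 dport=40001 reason="TCP packet out of state: First packet isn't SYN" flags="SYN-ACK"
2024-03-01 09:00:02 fw2 drop proto=tcp src=10.1.1.1 sport=443 dst=192.0.2.51 dport=40002 reason="TCP packet out of state: First packet isn't SYN" flags="RST-ACK"
2024-03-01 13:45:10 fw1 drop proto=tcp src=10.1.1.1 sport=900 dst=198.51.100.11 dport=50001 reason="TCP packet out of state: First packet isn't SYN" flags="SYN-ACK"
2024-03-01 13:45:12 fw2 drop proto=tcp src=10.1.1.1 sport=900 dst=198.51.100.12 dport=50002 reason="TCP packet out of state: First packet isn't SYN" flags="RST-ACK"
2024-03-01 13:45:15 fw1 drop proto=tcp src=10.1.1.1 sport=900 dst=198.51.100.13 dport=50003 reason="TCP packet out of state: First packet isn't SYN" flags="SYN-ACK"
2024-03-01 15:10:00 fw1 drop proto=tcp src=10.1.1.1 sport=900 dst=198.51.100.11 dport=50010 reason="TCP packet out of state: First packet isn't SYN" flags="SYN-ACK"
"""

# Regex for the constructed line layout above.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) drop proto=tcp '
    r'src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) '
    r'reason="(?P<reason>[^"]*)" flags="(?P<flags>[^"]*)"$'
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def find_auth_outages(events, auth_port=900, window=timedelta(seconds=60), min_clients=2):
    """Return [(window_start, sorted_clients)] for bursts of out-of-state drops whose
    source port is the client-auth port and which hit several distinct clients
    within `window`. Drops on other ports (the HTTP noise) are ignored."""
    relevant = sorted(
        (e for e in events if e["sport"] == auth_port and "out of state" in e["reason"]),
        key=lambda e: e["ts"],
    )
    outages = []
    i = 0
    while i < len(relevant):
        start = relevant[i]["ts"]
        clients = set()
        j = i
        # Collect every port-900 drop that falls inside the window opened by this one.
        while j < len(relevant) and relevant[j]["ts"] - start <= window:
            clients.add(relevant[j]["dst"])
            j += 1
        if len(clients) >= min_clients:
            outages.append((start, sorted(clients)))
        i = j
    return outages


if __name__ == "__main__":
    for start, clients in find_auth_outages(parse_log(SAMPLE_LOG)):
        print(f"{start}: {len(clients)} clients de-authorized together: {', '.join(clients)}")
```

Run against a real export, the timestamps it reports can be lined up with the cluster's own state-change or failover log entries; if every burst coincides with a member transition, the 12-hour authorization timeout is not the thing to look at.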