NGX R61 is changing DF bit on packets from 1 to 0 - HELp

[imslickrick2k]

Hello,

Our firewall is changing the DF bit from 1 to 0 and this is causing issues with a few of our applications. There are threads that refer to Keep_DF_Flag being changed in dbedit but i've been informed this does not work in clustered environments (which we are running)

does anyone have any ideas that can help?

We're on R61 NGX

[melipla]

Out of curiosity, which applications are being affected? I haven't seen any threads about Keep_DF_Flag so I'm curious as to what you're seeing.

[cciesec2006]

I ran into this issue six months ago in my previous employment.
Basically Checkpoint has a solution for this in checkpoint sk17280.
However, this article does not address if you have cluster
environment.

I opened a TAC case with Checkpoint and after three months
of going back and forth, the solution is to manually modified
the $FWDIR/conf/objects_5_0.C file as follows:

0) cd /tmp
1 ) mdsenv customer_CMA (if you have a P-1 environment),
cd $FWDIR/conf if you have SmartCenter environment

2) mdsstop_customer customer_CMA
cpstop (if you have SmartCenter)

3) cd $FWDIR/conf

4) cp objects_5_0.C objects_5_0.C.orginal
5) cp object_5_0.C.backup object_5_0.C.backup.original
6) vi objects_5_0.C file and add "keep_DF_flag" and set it to "true"
to the cluster object name, above the property "log_consolidtor (false)"
For example, if your gateway cluster name is "gw-cluster" then
place the following line:
gw_cluster=(true)
7) save the file,
8) cd /tmp
9) perform "mdsstart_customer customer_CMA
cpstop;cpstart if you have SmartCenter,
10) push the policy,

I did this 3 months ago and it seemed to fix the problem.

Let me know if it works for you.

BTW, dbedit is another way of using vi to modify the objects_5_0.C file.

[imslickrick2k]

Quote:

Originally Posted by cciesec2006

vi objects_5_0.C file and add "keep_DF_flag" and set it to "true"
to the cluster object name, above the property "log_consolidtor (false)"
For example, if your gateway cluster name is "gw-cluster" then
place the following line:
gw_cluster=(true)

I did this 3 months ago and it seemed to fix the problem.

Let me know if it works for you.

BTW, dbedit is another way of using vi to modify the objects_5_0.C file.

Hi and thanks for your reply, we were actually considering adding this line in there until our TAC told us it wouldn't work. i then came across your reply so we're thinking of giving this a shot. I'm a little confused however in your example you put gw_cluster=(true) did you mean under the gw_cluster add Keep_DF_Flag=(true)??

thanks for your help

[cciesec2006]

Yes, that's exactly what I mean. Under the gw_cluster add
Keep_DF_Flag=(true)

[melipla]

Have you seen any improvement in performance after changing this setting?

[imslickrick2k]

changed the param in both the objects_5_0.C and objects_5_0.C.backup, verified it was there after cpstop/cpstart and a policy push

Only thing is, when i goto GUIDBEDIT i still don't see it anywhere using the search feature. I haven't actually tested it to see whether its working, but just a little curious - should i not see it in there if i've added it to the objects_5_0.c files?