| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| If I push a new policy to my Nokia IP380 - Do all active connections get dropped? My boss seems to think they do - I do not believe they do. I can't seem to find a simple answer on this. Thanks in advance for the assist. MAJ |
| |||
| Why not try a test? Dial up and get a VPN in from the outside and start up an FTP or something from the inside. Push out a policy and see if they stay connected. I know at our site they maintain their connections even if we fail over to the backup firewall. |
| |||
| In my experience --- yes and no. When pushing policy there is always a 'lull' in the traffic. Connections that can survive the lull stay up, those that cannot, don't. For example, we have a telecommuter with VoIP and Instant Messaging over VPN. I can push policy while on the phone with this person, and the line goes quiet for a couple of seconds, and then we're back on, however the IM session is dumped and he must reconnect. FTP over VPN dumps during a policy push, too. PCAnywhere over VPN, no. Go through and test connections in your environment during policy push, determine what survives and what doesn't, and then you'll know what to expect when you make changes during the middle of the day. |
| |||
| Andrew is right, the push affects different applications in various ways depending upon a couple variables:
I include luck because you'll push the policy 50 times and everything will be ok, and on the 51st time you'll completely trash the state table and people will be disconnected. They can reconnect immediately, but for the poor folks in customer service entering in line 50 on a complicated order in the ERP system it can be a maddening experience. |
| |||
| Within each service there is a tick box "Keep connections open after policy has been installed". By default this is not ticked. What it does is actually empty the state table, causing the connections to rebuild the state table as they go through. It doesn't drop the connection as such; however, as other people have said, not all applications will handle the lull in creating a new entry. You could tick this for services that you need to survive the policy install, as it would not empty that service from the connection table. |
| |||
| From the help file: "Keep connections open after policy has been installed even if they are not allowed under the new policy. This overrides the settings in the Connection Persistence page. If you change this property, the change will not affect open connections, but only future connections." |
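The test suggested in the thread (hold a session open, push policy, see what survives) can be measured rather than eyeballed. The following is an added example, not part of the original posts: a small Python probe that keeps one TCP session open and records the longest lull and whether the session was torn down. The function names and the local echo server are constructed for illustration.

```python
import socket, threading, time

def start_echo_server(close_after=None, host="127.0.0.1"):
    """Constructed local stand-in for a server on the far side of the firewall.
    close_after=N closes the session after N echoes, imitating a dropped connection."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            n = 0
            while n != close_after and (data := conn.recv(64)):
                conn.sendall(data)
                n += 1
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def probe(addr, duration=60.0, interval=0.5, timeout=1.0):
    """Hold ONE TCP session open, echo a heartbeat every `interval` seconds, and
    report the longest silence (the lull) and whether the session was torn down."""
    r = {"sent": 0, "answered": 0, "max_gap": 0.0, "dropped": False, "error": None}
    with socket.create_connection(addr, timeout=timeout) as s:
        last_ok = time.monotonic()
        end = last_ok + duration
        while time.monotonic() < end:
            try:
                s.sendall(b"ping\n")
                r["sent"] += 1
                if not s.recv(64):
                    raise ConnectionError("peer closed the session")
                now = time.monotonic()
                r["answered"] += 1
                r["max_gap"] = max(r["max_gap"], now - last_ok)
                last_ok = now
            except socket.timeout:
                continue  # silence: stay on the same session and keep trying
            except OSError as exc:  # reset or close: the session did not survive
                r["dropped"], r["error"] = True, repr(exc)
                break
            time.sleep(interval)
    return r

if __name__ == "__main__":
    # Self-check against the local stand-in; for a real test, pass the address of
    # an echo service behind the gateway and install policy while this runs.
    print(probe(start_echo_server(), duration=3.0, interval=0.2))
    print(probe(start_echo_server(close_after=3), duration=3.0, interval=0.2))
```

A `max_gap` well above `interval` with `dropped` false is the lull described above; `dropped` true means that session would have needed a reconnect.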