It almost sounds like you have a circuit issues, do you have anything else in-path between Steelheads other than the VPN Routers? Like IPS or Proxy devices? What kinda of Firewall are you running?

Checkpoint firewalls drop packets preventing optimization

Software Versions: All

Problem
Steelheads can't optimize HTTP traffic.

The link between the two offices is a VPN tunnel configured on two Checkpoint firewalls.

The traces show established inner channels between the Steelhead appliance.

Traffic is going through the right interface on Steelhead, but passed through.

Fixed-target and auto-discover make no difference.

The following log messages appear:



Jun 26 17:46:37 riverbed1 sport: - {- -} (clnt: 192.168.66.249:3153 peer: 10.106.0.19:7800 serv: 10.106.128.70:8008) Error reading connect result: Connection timed out

Jun 26 17:46:47 riverbed1 sport: - {- -} (clnt: 192.168.66.249:3154 peer: 10.106.0.19:7800 serv: 10.106.128.70:8008) Error reading connect result: Connection timed out


Cause
CheckPoint firewall 4.1 silently drops packets from the Steelhead inner channels. Although we see the options in the TCP headers, the CheckPoint firewall 4.1 thinks the inner channel connections (multiple connections by connection pooling) are a TCP flood attack.

CheckPoint running NG does not drop packets.

Solution
Change the connection pooling setting to 0 on the Steelhead appliance.

To change this setting through the Management Console:

Click the Setup tab to expand the Optimization Service menu.
Click Connection Pooling to display the Optimization Service - Connection Pooling page.
Under Connection Pooling Size, type 0 in the connection pooling size in the Maximum Connection Pooling Size text box.
Click Apply to apply your settings to the running configuration.
Click Save to save your settings permanently.

Hi,


Sorry they are running version 4.1.0d, not 4.0.1 typo error!, they are running 2003 version of outlook, the majority of data going across the link is over night for data back up. They do transfer data across during the day, and the connections are being optomizied, however every 8-10 miniutes they are locked out of Outlook. I have found out that the appliances are not NTP sync'd, could this cause the problem? There is also this error message appearing in the log file Dec 13 10:28:56 Ashtead-RB sport: 5452 {xxx.xxx.xx.131:1219 xxx.xx.x.xx:7830} Warning: Inner channel down prematurely, peer probably down; requesting shutdown. I have been asked to get traces from the LAN and WAN interfaces of the applainces, what else can I do in the meantime?




Thanks

Rich,

I would recommend that you get those boxes up to 4.0.4F. There have been numerous MAPI Fixes since 4.0.1d. What version of Exchange and Outlook is the client using?

Also what does the traffic summary report look like? And what kinda of data are they transferring accross the connection? I would also check the Interface Statics on the Report page to make sure that the LAN and WAN interfaces are negotated correctly.