Topic: blocked trafic although allowed  (Read 12597 times)
« Reply #15 on: March 22, 2010, 15:14:31 »
brushedmoss ****
Posts: 446

Has the telnet session been idle? What is the OS? Have you enabled tcp keepalive?

When the problem happens, what does your nat table show?

/status.php#ipnat -lv
« Reply #16 on: March 22, 2010, 15:19:09 »
TI *
Posts: 37

It's the 0:11 that blocks the traffic
@11 block in log quick proto tcp from any to any

The allow rule is 100:7

What's the group 0 ?
My group 100 seems to be the LAN fw rules
group 200 WAN fw rules
« Reply #17 on: March 22, 2010, 15:23:36 »
TI *
Posts: 37

Yes, the telnet is idle; the OS is Windows Mobile on WiFi bar code guns
(but I have many similar setups that don't have the same problem).
I'm not sure about the tcp keep alive, I'll ask the client.

List of active host mappings:
*.1.101,*.17.61 -> *.96.241 (use = 2 hv = 0) => that's correct
« Last Edit: March 22, 2010, 15:30:01 by TI »
« Reply #18 on: March 22, 2010, 15:40:25 »
TI *
Posts: 37

the 0:11 seems to be linked to this :
# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all


Which makes me think of a tcp flag problem => wrong firewall state,
then when the source port changes, new firewall state => allowed.
But why ...
« Reply #19 on: March 23, 2010, 13:10:19 »
TI *
Posts: 37

OS of the wifi guns :
Win CE 05.00.0000
Win CE 01.30.0000
Win CE 01.26.0001

Same problem on all.
Didn't find any tcp keep alive option; if anybody knows where I can find it, don't hesitate to help ;)

I'm still searching anything related to tcp flags, ...
« Reply #20 on: March 23, 2010, 15:05:31 »
brushedmoss ****
Posts: 446

see the parameter description

here http://msdn.microsoft.com/en-us/library/aa925764.aspx

and registry settings to adjust

and http://msdn.microsoft.com/en-us/library/ms881801.aspx

regedit the parameter, it's set to keepalive after 2 hours ....
« Reply #21 on: April 02, 2010, 15:43:34 »
TI *
Posts: 37

Keepalive seems enabled but still get logs :

Apr  2 13:27:00 ipmon[84]: 13:27:00.372426 sis0 @0:11 b xxx.xxx.1.116,1107 -> xxx.xxx.17.61,23 PR tcp len 20 43 -AP IN       
Apr  2 13:27:00 ipmon[84]: 13:27:00.761000 sis0 @0:11 b xxx.xxx.1.116,1107 -> xxx.xxx.17.61,23 PR tcp len 20 43 -AP IN       
Apr  2 13:27:01 ipmon[84]: 13:27:01.567697 sis0 @0:11 b xxx.xxx.1.116,1107 -> xxx.xxx.17.61,23 PR tcp len 20 43 -AP IN       
Apr  2 13:27:03 ipmon[84]: 13:27:03.191696 sis0 @0:11 b xxx.xxx.1.116,1107 -> xxx.xxx.17.61,23 PR tcp len 20 43 -AP IN       
Apr  2 13:27:06 ipmon[84]: 13:27:06.317328 sis0 @0:11 b xxx.xxx.1.116,1107 -> xxx.xxx.17.61,23 PR tcp len 20 43 -AP IN       
Apr  2 13:27:13 ipmon[84]: 13:27:12.781528 sis0 @0:11 b xxx.xxx.1.116,1107 -> xxx.xxx.17.61,23 PR tcp len 20 43 -AP IN       
Apr  2 13:27:26 ipmon[84]: 13:27:25.929823 sis0 @100:21 p xxx.xxx.1.116,1108 -> xxx.xxx.17.61,23 PR tcp len 20 48 -S K-S IN 

Looks like the "active" connection is blocked by the firewall until the source port changes and a new session is established.
Would it be possible to change the hidden TCP flag rule or disable stateful inspection completely?
Or would decreasing the "TCP idle timeout" setting to a few seconds help?
What do you think ?

Thanks
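To make the reasoning in Reply #18 and Reply #21 concrete, here is an added Python example (not code from the thread or from m0n0wall/ipfilter) that parses ipmon log lines, applies the hidden rule's `flags S/SAFR` test to each packet, and flags the pattern seen above: non-SYN packets of an existing session blocked by @0:11, followed by a passed SYN from the same client to the same service on a new source port, which is the signature of a stateful firewall whose state entry for the idle session has timed out. The log lines, addresses and rule numbers below are constructed to mirror the thread's output; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample ipmon output modelled on the thread (documentation-range
# addresses, not real hosts). Same shape as the lines posted in Reply #21.
SAMPLE_LOG = """\
Apr  2 13:27:00 ipmon[84]: 13:27:00.372426 sis0 @0:11 b 192.0.2.116,1107 -> 198.51.100.61,23 PR tcp len 20 43 -AP IN
Apr  2 13:27:01 ipmon[84]: 13:27:01.567697 sis0 @0:11 b 192.0.2.116,1107 -> 198.51.100.61,23 PR tcp len 20 43 -AP IN
Apr  2 13:27:26 ipmon[84]: 13:27:25.929823 sis0 @100:21 p 192.0.2.116,1108 -> 198.51.100.61,23 PR tcp len 20 48 -S K-S IN
"""

# One ipmon line: "@group:rule", action b(lock)/p(ass), src,port -> dst,port, flags
LINE_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ (?P<flags>-[A-Z]+)"
)


def parse_ipmon(text):
    """Parse ipmon lines into dicts; the flags field is stored without the leading '-'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["flags"] = d["flags"].lstrip("-")
            entries.append(d)
    return entries


def flags_match(packet_flags, want, mask):
    """ipf 'flags want/mask': of the TCP flag bits named in mask, exactly those
    in want must be set. 'S/SAFR' therefore matches a pure SYN but not SYN+ACK,
    ACK+PSH, FIN or RST packets."""
    return set(packet_flags) & set(mask) == set(want)


def classify(entry):
    """Which of the two hidden rules a logged packet reaches: a pure SYN is skipped
    past the block ('connection-start'); anything else is a 'mid-stream' packet
    that needs an existing state entry to be passed."""
    if flags_match(entry["flags"], "S", "SAFR"):
        return "connection-start"
    return "mid-stream"


def find_expired_state_flows(entries):
    """Flows where mid-stream packets were blocked and a later SYN from the same
    client to the same service passed on a different source port."""
    blocked = defaultdict(list)   # (src, dst, dport) -> blocked mid-stream entries
    findings = []
    for e in entries:
        key = (e["src"], e["dst"], e["dport"])
        if e["action"] == "b" and classify(e) == "mid-stream":
            blocked[key].append(e)
        elif e["action"] == "p" and classify(e) == "connection-start" and blocked[key]:
            old_ports = sorted({b["sport"] for b in blocked[key]})
            if e["sport"] not in old_ports:
                findings.append({
                    "client": e["src"],
                    "service": f'{e["dst"]}:{e["dport"]}',
                    "blocked_packets": len(blocked[key]),
                    "block_rule": f'@{blocked[key][0]["group"]}:{blocked[key][0]["rule"]}',
                    "old_sports": old_ports,
                    "new_sport": e["sport"],
                    "diagnosis": "state entry for the idle session expired; "
                                 "only a fresh SYN can create a new one",
                })
                blocked[key] = []
    return findings


if __name__ == "__main__":
    for f in find_expired_state_flows(parse_ipmon(SAMPLE_LOG)):
        print(f)
```

Run against the real ipmon log, the report tells you whether the blocked packets are non-SYN segments of a session the firewall has forgotten (a state-timeout problem, addressed by keepalives shorter than the TCP idle timeout or a longer timeout) rather than packets a rule genuinely denies.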
« Reply #22 on: April 19, 2010, 14:58:24 »
TI *
Posts: 37

Hi,

Any idea anyone ?
Thanks
« Reply #23 on: May 18, 2010, 09:36:26 »
TI *
Posts: 37

Problem is still present and is causing a lot of trouble :(
Could anybody explain to me how to disable the stateful/tcp flag inspection?