Some applications are interrupted frequently when USG2230 is the branch gateway

Publication Date:  2014-10-31 Views:  125 Downloads:  0
Issue Description
When a customer uses the IBM AS400 client on a PC in the branch office to access the IBM AS400 server in the main office, the application session is cut off by the USG2230 if there is no activity on the client side for more than 10 minutes.
Handling Process
The customer reports that a continuous ping from the client PC (10.140.1.x/24) to the IBM AS400 server (10.10.32.1/24) never loses packets, so IP connectivity is always good. This indicates that the route from client to server is correct.

Furthermore, according to the problem description (the application session is cut off by the USG2230 if there is no activity on the client side for more than 10 minutes), the problem appears to be caused by session timeout. The long-link function therefore needs to be configured for the IBM AS400 application. There are two ways to configure the long-link function:

(1) Configure the long-link function for all applications installed on the IBM AS400 server. In that case, long-link only needs to be configured for the server IP address.
(2) Find the TCP port that the application uses, and then configure the long-link function for that application.

For the current issue, we can configure the long-link function for all applications (based on the TCP protocol) on the IBM AS400 server.
The long-link configuration steps are as follows:

1). Define the ACL:

    [USG2230]acl 3001                                                            
    16:34:18  2014/10/13                                                           
    [USG2230-acl-adv-3001] rule permit ip destination 10.10.32.1 0
    16:34:54  2014/10/13                                                           
    [USG2230-acl-adv-3001]dis th                                                 
    16:35:16  2014/10/13                                                           
    #                                                                              
    acl number 3001                                                                
    rule 15 permit ip destination 10.10.32.1 0
    #                                                                              
    return                                                                         
           

2). Configure long-link between the zones:
                                                                  
    [USG2230]firewall interzone trust untrust                                    
    16:37:20  2014/10/13                                                           
    [USG5500-1-interzone-trust-untrust]long-link 3001 inbound                      
    16:37:53  2014/10/13                                                           
     WARNING: Too large range of ACL maybe affect the performance of firewall, please
    use this command carefully!                                                   
    Are you sure?[Y/N]                                                           
    [USG2230-interzone-trust-untrust]long-link 3001 outbound                     
    16:38:00  2014/10/13                                                                                                                            
    WARNING: Too large range of ACL maybe affect the performance of firewall, please
    use this command carefully!                                                   
    Are you sure?[Y/N]y                                                            

    [USG2230-interzone-trust-untrust]dis th                                      
    16:44:13  2014/10/13                                                           
    #                                                                              
    interzone trust untrust                                                        
    long-link 3001 outbound                                                       
    long-link 3001 inbound     
                                                   
    #                                                                              
    #    

                                                                          
After the above commands are applied, access from the IBM AS400 client on the PC in the branch office to the IBM AS400 server in the main office becomes stable. The problem is resolved.
Root Cause
The root cause is that the firewall session for the application times out; the long-link function needs to be configured for it.
Solution
The solution is to configure the long-link function for all the applications on the IBM AS400 server.
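
The device warns that too large an ACL range may affect firewall performance, and option (2) above scopes long-link to one TCP port instead of the whole server. The following check is an added example, not part of the original case or any Huawei tool: it reads saved configuration text and lists every long-link ACL that is broader than a single TCP port. ACL 3002, TCP port 23 and the function names are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the `dis th` output above. ACL 3002 and
# TCP port 23 are hypothetical stand-ins for a port-scoped rule.
SAMPLE_CONFIG = """\
acl number 3001
 rule 15 permit ip destination 10.10.32.1 0
#
acl number 3002
 rule 5 permit tcp destination 10.10.32.1 0 destination-port eq 23
#
interzone trust untrust
 long-link 3001 outbound
 long-link 3001 inbound
 long-link 3002 outbound
#
"""

def parse(config):
    """Return ({acl_id: [(protocol, rest_of_rule)]}, [(acl_id, direction)])."""
    acls, links, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"acl (?:number )?(\d+)$", line):
            current = m.group(1)
            acls[current] = []
        elif current and (m := re.match(r"rule (?:\d+ )?permit (\S+)(.*)$", line)):
            acls[current].append((m.group(1), m.group(2).strip()))
        elif m := re.match(r"long-link (\d+) (inbound|outbound)$", line):
            links.append((m.group(1), m.group(2)))
        elif line == "#":
            current = None
    return acls, links

def audit_long_link(config):
    """List (acl_id, direction, reason) for long-link ACLs broader than one TCP port."""
    acls, links = parse(config)
    findings = []
    for acl_id, direction in links:
        if acl_id not in acls:
            findings.append((acl_id, direction, "ACL is not defined"))
            continue
        for proto, rest in acls[acl_id]:
            if proto != "tcp":
                findings.append((acl_id, direction, f"rule permits '{proto}', not tcp only"))
            elif "destination-port" not in rest:
                findings.append((acl_id, direction, "tcp rule has no destination-port"))
    return findings

if __name__ == "__main__":
    for finding in audit_long_link(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```

On the sample, both long-link entries that reference ACL 3001 are reported, and the port-scoped ACL 3002 is not.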
