Exchange - need to increase "firewall time-out" to 15 mins or more



  • Hi all,
    Getting an error on our exchange server behind pfsense 2.3.3:

    The average of the most recent heartbeat intervals [540] for request [Ping] used by clients is less than or equal to [540].
    Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.

    A bit of research has shown this isn't so much an Exchange thing as a tweak that MS want made to the firewall: their HeartBeatAlertThreshold is set to 540 seconds, so they suggest increasing the firewall HTTP(S) timeout to 15 mins or more.

    Is this something I can do a) just for this particular port forward/firewall rules to the server or b) in general for the firewall?

    many thanks


  • Rebel Alliance Global Moderator

    Did you mess with firewall optimization settings?

    You can check your timers. An established connection would be 24 hours unless closed. Are you saying that I could send a request and it might not get answered for 540 seconds? So I send SYN and have to wait for up to 540 seconds for the SYN,ACK, or are you talking about after the TCP handshake has occurred?

    
    [2.4.0-BETA][root@pfsense.local.lan]/var/dhcpd/etc: pfctl -st
    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start            58200 states
    adaptive.end             116400 states
    src.track                     0s
    
    


  • Hello John, thanks for the reply. I haven't played with my settings. Here are mine which seem to differ only at the end which I imagine aren't that relevant to this:

    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start           854400 states
    adaptive.end            1708800 states
    src.track                  2000s
    

    I am not entirely clear on the Microsoft documentation, so will try to get my head around it a bit better as to whether it's the TCP handshake or the ACK it's waiting for.
    Many thanks



  • You can change the Firewall Optimization Options to "Conservative":
    System -> Advanced -> Firewall & NAT

    There are several tuning options here also -> https://blogs.technet.microsoft.com/david231/2015/03/30/for-exchange-2010-and-2013-do-this-before-calling-microsoft/



  • Thanks Marvosa, that thread looks very helpful - I'll take a look through it.



  • pfSense itself does not have an HTTP(S) timeout, only a TCP timeout, which defaults to 24 hours. If you're running a proxy, your proxy may need to have the HTTP(S) timeout configured.
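As an added example that is not part of this thread, of pfSense or of Exchange, here is a small Python script that parses the `pfctl -st` timer table shown above and checks whether the timer governing an idle, fully established TCP session meets Microsoft's "15 minutes or more" guideline. Direct Push works by holding an HTTP(S) request open on an already established connection for up to the heartbeat interval, so the handshake timers (tcp.first, tcp.opening) are not the concern; tcp.established is. The sample table is constructed from the output posted earlier in the thread; the function names and the choice of tcp.established as the only relevant timer are this example's own assumptions.

```python
import re

# Constructed sample input: the timer table as printed by `pfctl -st` on a
# pfSense box (values taken from the output posted in this thread).
SAMPLE_PFCTL_ST = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            58200 states
adaptive.end             116400 states
src.track                     0s
"""

# Exchange's HeartbeatAlertThreshold as quoted in the thread (540 s), and the
# "15 minutes or more" idle timeout Microsoft asks the firewall to allow.
HEARTBEAT_ALERT_THRESHOLD_S = 540
RECOMMENDED_IDLE_TIMEOUT_S = 15 * 60

# Assumption of this example: only the timer for an idle, established session
# matters, because a Direct Push long-poll sits in that state while it waits.
# tcp.first / tcp.opening only cover the handshake, which completes in seconds.
ESTABLISHED_TIMERS = ("tcp.established",)

# One `pfctl -st` line: a dotted name, a number, then either "s" or " states".
TIMER_RE = re.compile(r"^(?P<name>[\w.]+)\s+(?P<value>\d+)(?P<unit>s| states)$")


def parse_pfctl_timeouts(text):
    """Parse `pfctl -st` output into {timer_name: seconds}.

    Lines expressed in 'states' (adaptive.start / adaptive.end) are state-table
    size limits, not timeouts, so they are skipped. Unrecognised lines raise,
    so a changed output format is noticed rather than silently ignored.
    """
    timeouts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TIMER_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised pfctl -st line: {line!r}")
        if m.group("unit") == "s":
            timeouts[m.group("name")] = int(m.group("value"))
    return timeouts


def check_activesync_timeouts(timeouts, threshold=RECOMMENDED_IDLE_TIMEOUT_S):
    """Return [(timer, seconds, verdict)] for the timers Direct Push depends on.

    Verdicts: 'ok' when an idle established session survives at least
    `threshold` seconds, 'too short' when it does not, 'missing' when the
    timer was not present in the parsed output.
    """
    results = []
    for name in ESTABLISHED_TIMERS:
        value = timeouts.get(name)
        if value is None:
            results.append((name, None, "missing"))
        elif value >= threshold:
            results.append((name, value, "ok"))
        else:
            results.append((name, value, "too short"))
    return results


def all_ok(results):
    """True when every checked timer satisfies the guideline."""
    return all(verdict == "ok" for _, _, verdict in results)


if __name__ == "__main__":
    parsed = parse_pfctl_timeouts(SAMPLE_PFCTL_ST)
    for name, value, verdict in check_activesync_timeouts(parsed):
        print(f"{name:<18} {str(value):>8}  {verdict}")
```

On a real box you would feed the script the output of `pfctl -st` instead of the embedded sample. With the default pfSense timers shown in this thread the verdict is "ok" (86400 s is far above 900 s), which is consistent with the last reply: the pfSense state timeout is not what is expiring, so the Exchange warning points at something else in the path, such as a proxy with its own HTTP(S) idle timeout.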