    Exchange - need to increase "firewall time-out" to 15 mins or more

    General pfSense Questions
robatwork:

      Hi all,
      Getting an error on our exchange server behind pfsense 2.3.3:

      The average of the most recent heartbeat intervals [540] for request [Ping] used by clients is less than or equal to [540].
      Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.

      A bit of research has shown this isn't so much an Exchange thing as a tweak that MS want made to the firewall - their HeartBeatAlertThreshold is set to 540 seconds, so they suggest increasing the firewall http(s) timeout to 15 mins or more.

      Is this something I can do a) just for this particular port forward/firewall rules to the server or b) in general for the firewall?

      many thanks

      johnpoz (LAYER 8 Global Moderator):

        Did you mess with firewall optimization settings?

        You can check your timers. An established connection would be 24 hours unless closed. Are you saying that I could send a request and it might not get answered for 540 seconds? So I send syn and have to wait for up to 540 seconds for the syn,ack -- or are you talking about after the tcp handshake has occurred?

        
        [2.4.0-BETA][root@pfsense.local.lan]/var/dhcpd/etc: pfctl -st
        tcp.first                   120s
        tcp.opening                  30s
        tcp.established           86400s
        tcp.closing                 900s
        tcp.finwait                  45s
        tcp.closed                   90s
        tcp.tsdiff                   30s
        udp.first                    60s
        udp.single                   30s
        udp.multiple                 60s
        icmp.first                   20s
        icmp.error                   10s
        other.first                  60s
        other.single                 30s
        other.multiple               60s
        frag                         30s
        interval                     10s
        adaptive.start            58200 states
        adaptive.end             116400 states
        src.track                     0s
          robatwork:

          Hello John, thanks for the reply. I haven't played with my settings. Here are mine which seem to differ only at the end which I imagine aren't that relevant to this:

          tcp.first                   120s
          tcp.opening                  30s
          tcp.established           86400s
          tcp.closing                 900s
          tcp.finwait                  45s
          tcp.closed                   90s
          tcp.tsdiff                   30s
          udp.first                    60s
          udp.single                   30s
          udp.multiple                 60s
          icmp.first                   20s
          icmp.error                   10s
          other.first                  60s
          other.single                 30s
          other.multiple               60s
          frag                         30s
          interval                     10s
          adaptive.start           854400 states
          adaptive.end            1708800 states
          src.track                  2000s

          I am not entirely clear on the Microsoft documentation, so I will try to get my head around it a bit better as to whether it's the tcp handshake or the ack it's waiting for.
          many thanks

            marvosa:

            You can change the Firewall Optimization Options to "Conservative":
            System -> Advanced -> Firewall & NAT

            There are several tuning options here also -> https://blogs.technet.microsoft.com/david231/2015/03/30/for-exchange-2010-and-2013-do-this-before-calling-microsoft/

              robatwork:

              Thanks Marvosa, that thread looks very helpful - will take a look through it.

                Harvy66:

                pfSense itself does not have an HTTP(S) timeout, only a TCP timeout, which defaults to 24 hours. If you're running a proxy, your proxy may need to have the HTTP(S) timeout configured.

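The two technical points in this thread, johnpoz's `pfctl -st` timer listing and Harvy66's remark that pf has only a TCP idle timeout (no HTTP one), can be checked mechanically against the numbers in the Exchange warning. The following script is an added example and not code from the thread, from pfSense or from Microsoft. It parses `pfctl -st` output (the embedded sample is constructed from the listing johnpoz posted; a second, hypothetical sample has tcp.established cut to 300s), flags an established-TCP timer that would expire before the 540-second HeartbeatAlertThreshold or the recommended 15 minutes, and also applies pf's adaptive timeout scaling, under which every timer shrinks linearly once the state count passes adaptive.start. Function and constant names are the example's own.

```python
import re
import sys
from typing import Dict, List

# Constructed sample: the `pfctl -st` listing posted above (2.4.0-BETA defaults),
# prompt line included to show that non-timer lines are ignored.
SAMPLE_PFCTL_ST = """\
[2.4.0-BETA][root@pfsense.local.lan]/var/dhcpd/etc: pfctl -st
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            58200 states
adaptive.end             116400 states
src.track                     0s
"""

# Hypothetical (constructed) listing of a box whose established-TCP timer was cut to five minutes.
SHORT_TIMER_SAMPLE = re.sub(r"tcp\.established\s+\d+s", "tcp.established 300s", SAMPLE_PFCTL_ST)

# Thresholds quoted in the Exchange ActiveSync warning in the thread.
HEARTBEAT_ALERT_THRESHOLD = 540        # seconds, Exchange HeartbeatAlertThreshold
RECOMMENDED_FIREWALL_TIMEOUT = 15 * 60  # seconds, "15 mins or more"

# One timer line: name, integer value, then either "s" or "states".
_LINE = re.compile(r"^\s*(?P<name>[a-z.]+)\s+(?P<value>\d+)\s*(?P<unit>s|states)\s*$")


def parse_pfctl_timeouts(text: str) -> Dict[str, int]:
    """Parse `pfctl -st` output into {timer_name: int}.
    Second-valued timers and the two adaptive state counts both become plain ints;
    prompts, blank lines and anything else that is not a timer line are skipped."""
    timers: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            timers[m.group("name")] = int(m.group("value"))
    return timers


def adaptive_scaled(timers: Dict[str, int], name: str, n_states: int) -> int:
    """Effective value of a timer under pf's adaptive timeouts: unchanged up to
    adaptive.start, then scaled by (adaptive.end - n_states) / (adaptive.end - adaptive.start),
    reaching zero at adaptive.end."""
    base = timers[name]
    start, end = timers["adaptive.start"], timers["adaptive.end"]
    if n_states <= start:
        return base
    if n_states >= end:
        return 0
    return int(base * (end - n_states) / (end - start))


def check_activesync_timers(timers: Dict[str, int], n_states: int = 0,
                            heartbeat: int = HEARTBEAT_ALERT_THRESHOLD,
                            recommended: int = RECOMMENDED_FIREWALL_TIMEOUT) -> List[str]:
    """Return findings for the one pf timer that governs an idle ActiveSync long-poll.
    After the TCP handshake only tcp.established applies, so tcp.first/tcp.opening are
    not judged; n_states lets you see the effect of a busy state table."""
    findings: List[str] = []
    if "tcp.established" not in timers:
        return ["tcp.established missing from listing"]
    est = adaptive_scaled(timers, "tcp.established", n_states)
    if est <= heartbeat:
        findings.append(f"tcp.established={est}s (at {n_states} states) is <= heartbeat "
                        f"{heartbeat}s: idle ActiveSync states will be dropped")
    elif est < recommended:
        findings.append(f"tcp.established={est}s (at {n_states} states) is below the "
                        f"recommended {recommended}s")
    return findings


if __name__ == "__main__":
    # Pipe real output in (`pfctl -st | python3 check_timers.py`), otherwise show both samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL_ST
    for label, sample in (("input", text), ("hypothetical 300s box", SHORT_TIMER_SAMPLE)):
        t = parse_pfctl_timeouts(sample)
        print(label, "->", check_activesync_timers(t) or ["ok: tcp.established is long enough"])
```

With the default listing the check passes: 86400s is far beyond 900s, which is why the defaults above do not explain the Exchange warning. The adaptive values are the caveat worth keeping in mind: on a box whose state table is near adaptive.end, the effective established timeout can fall below 540s even though `pfctl -st` still reports 86400s.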
© 2021 Rubicon Communications, LLC