Netgate Discussion Forum

    Exchange - need to increase "firewall time-out" to 15 mins or more

      robatwork

      Hi all,
      Getting an error on our Exchange server behind pfSense 2.3.3:

      The average of the most recent heartbeat intervals [540] for request [Ping] used by clients is less than or equal to [540].
      Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.

      A bit of research has shown this isn't so much an Exchange thing as a tweak that MS want to the firewall - their HeartBeatAlertThreshold is set to 540 seconds so they suggest increasing the firewall http(s) timeout to 15 mins or more.

      Is this something I can do a) just for this particular port forward/firewall rules to the server or b) in general for the firewall?

      many thanks

        johnpoz LAYER 8 Global Moderator

        Did you mess with firewall optimization settings?

        You can check your timers. An established connection would be 24 hours unless closed. Are you saying that I could send a request and it might not get answered for 540 seconds? So I send SYN and have to wait for up to 540 seconds for the SYN,ACK, or are you talking about after the TCP handshake has occurred?

        
        [2.4.0-BETA][root@pfsense.local.lan]/var/dhcpd/etc: pfctl -st
        tcp.first                   120s
        tcp.opening                  30s
        tcp.established           86400s
        tcp.closing                 900s
        tcp.finwait                  45s
        tcp.closed                   90s
        tcp.tsdiff                   30s
        udp.first                    60s
        udp.single                   30s
        udp.multiple                 60s
        icmp.first                   20s
        icmp.error                   10s
        other.first                  60s
        other.single                 30s
        other.multiple               60s
        frag                         30s
        interval                     10s
        adaptive.start            58200 states
        adaptive.end             116400 states
        src.track                     0s
        
        

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          robatwork

          Hello John, thanks for the reply. I haven't played with my settings. Here are mine, which seem to differ only at the end, which I imagine isn't that relevant to this:

          tcp.first                   120s
          tcp.opening                  30s
          tcp.established           86400s
          tcp.closing                 900s
          tcp.finwait                  45s
          tcp.closed                   90s
          tcp.tsdiff                   30s
          udp.first                    60s
          udp.single                   30s
          udp.multiple                 60s
          icmp.first                   20s
          icmp.error                   10s
          other.first                  60s
          other.single                 30s
          other.multiple               60s
          frag                         30s
          interval                     10s
          adaptive.start           854400 states
          adaptive.end            1708800 states
          src.track                  2000s
          

          I am not entirely clear on the Microsoft documentation, so will try to get my head around it a bit better as to whether it's the TCP handshake or the ACK it's waiting for.
          many thanks

            marvosa

            You can change the Firewall Optimization Options to "Conservative":
            System -> Advanced -> Firewall & NAT

            There are several tuning options here also -> https://blogs.technet.microsoft.com/david231/2015/03/30/for-exchange-2010-and-2013-do-this-before-calling-microsoft/

              robatwork

              Thanks Marvosa, that thread looks very helpful - will take a look through it

                Harvy66

                pfSense itself does not have an HTTP(S) timeout, only a TCP timeout, which defaults to 24 hours. If you're running a proxy, your proxy may need to have the HTTP(S) timeout configured.

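The timer comparison discussed in this thread, as an added example that is not part of any post above: a small POSIX shell check that reads `pfctl -st` output and tests whether a given pf state timer outlives the idle window the ActiveSync heartbeat needs. The function names `get_timer` and `check_idle` are hypothetical, the 900-second window is the "15 mins" figure from the first post, and the sample input is a constructed copy of the timer lines posted above.

```shell
#!/bin/sh
# Added example: compare pf state timers with the idle window an
# Exchange ActiveSync long-poll needs (15 min = 900 s, per the thread).

# Constructed sample: TCP timer lines as posted in the thread.
SAMPLE_TIMERS='tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s'

# get_timer NAME (hypothetical helper): read `pfctl -st` output on stdin
# and print the named timer in seconds, without the trailing "s".
# Prints nothing and returns 1 if the timer is not present.
get_timer() {
    awk -v name="$1" '
        $1 == name { sub(/s$/, "", $2); print $2; found = 1 }
        END { exit !found }'
}

# check_idle NAME REQUIRED_SECONDS (hypothetical helper): read timers on stdin.
# Returns 0 if the timer is >= the required window, 1 if shorter, 2 if missing.
check_idle() {
    value=$(get_timer "$1") || { echo "$1: not found in input"; return 2; }
    if [ "$value" -ge "$2" ]; then
        echo "$1: ${value}s >= ${2}s, idle state outlives the heartbeat"
        return 0
    fi
    echo "$1: ${value}s < ${2}s, state would expire before the heartbeat completes"
    return 1
}

# The ActiveSync request sits idle after the TCP handshake, so the timer
# that matters is tcp.established, not tcp.first or tcp.opening.
# On the firewall itself: pfctl -st | check_idle tcp.established 900
printf '%s\n' "$SAMPLE_TIMERS" | check_idle tcp.established 900
```

With the default 86400-second `tcp.established` value shown in both posts, the check passes, which matches the point that the packet filter's own state timeout is not what cuts the connection.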
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.