NetWare 6.5 SP4
BM 3.8 SP3

Stateful filters fail.
During peak hours, connections over stateful filters drop,
and clients lose connections.

Ever since NetWare 6.0 SP3, stateful filtering has been an issue,
on both NW 6.0/6.5 and BM 3.7/3.8.
We have tried lots of TCP/IP versions, but the problem remains unsolved.
With a lower load on the firewall, the stateful filters work well,
but not under higher load during peak hours.

Connections like Citrix, SSH, streaming etc. drop,
and do not reconnect. After such a drop, we can see this
"normal" traffic in the BM's deny logs, where the hosts'
replies to the clients are denied.

We therefore have to open dedicated inbound reply filters
to allow the inbound data flow, which was meant to return
over a stateful port.

But this is a rather abundant affair in a complex environment,
and it can be a security issue as well...

The best solution so far is to use an older IPFLT31.NLM,
that is from BM 3.7 - IPFLT31.NLM v4.60.03 (10 dec 2002).
Using this version, things improve, but under heavy load
connections still drop.

We have had this problem on several firewalls,
running different versions of NW, BM and LAN NIC drivers.
At the moment we have HP DL 380 G3 firewalls running:
N1000.LAN v7.63 (12 nov 2004)
TCP.NLM v6.71.06 Domestic (20 july 2005)
TCPIP.NLM v6.71.05 Domestic (22 june 2005)
IPFLT.NLM v4.60.03 (10 dec 2002)
IPFLT31.NLM v5.31.11 (19 oct 2004)

I know this has been a known issue earlier, and that the
problem has also been submitted to engineering.
This is not only a serious annoyance, but a security
risk as well, having to "open" every sort of static
reply filter...

Ideas anyone?