What does it mean when a session 'locks up'? Do the sessions continue with PSH/ACKs and the firewall sends FINs or RSTs? If you restart a session (a new SYN, SYN/ACK, ACK), does that new session get processed successfully (i.e. are 'current sessions' being denied, blocked or not processed, but NEW sessions are allowed through)? What does the audit say? What do the tcpdumps say?
Do you have any Host or Domain objects in your policy which could cause acld to stop processing traffic?
Do you have any Deny rules configured to block 'Filters' or 'Categories' of applications? A rule which is set to Deny and has for its applications <File Sharing>(Filter) and <Gaming>(Filter) for instance.
Thanks for the reply, Sam. Sessions that lock up either just sit there with a spinning mouse pointer until the TCP timeout (10 minutes for us for this rule) and fail with an empty IE window, or they eventually do come back and work several minutes later.
We have no Host or Domain objects. We also have no deny rules to block Filters or Categories of applications.
I haven't done packet captures yet since this started back up. However, we did quite a few packet captures before. The firewall that was handling the traffic would send an [ACK] packet in response to the client's HTTP GET request. However, that GET was never passed through the firewall to the web server load balancer on the other side of the firewall. So the client sits and waits because the firewall sent the [ACK], but the GET never made it to the server, so nothing came back to the PC. I'm guessing that I will see the same behavior now when I do packet captures.
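One way to confirm the behaviour described above from the next round of captures, as an added example that is not part of the thread: correlate a client-side tcpdump with one taken between the firewall and the load balancer, and flag every GET the firewall ACKed toward the client but never relayed. The capture lines below are constructed in a simplified tcpdump style, and the script assumes the firewall preserves the client's source address and port (no source NAT) so flows can be matched on them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample captures (simplified tcpdump text, not real traffic).
# Client side: two GETs, each followed by a bare ACK from the firewall.
CLIENT_SIDE = """\
12:00:01.000 IP 10.1.1.5.51000 > 203.0.113.10.80: Flags [P.], seq 1:200, ack 1, length 199: HTTP: GET /app HTTP/1.1
12:00:01.002 IP 203.0.113.10.80 > 10.1.1.5.51000: Flags [.], ack 200, length 0
12:00:01.500 IP 10.1.1.6.51001 > 203.0.113.10.80: Flags [P.], seq 1:150, ack 1, length 149: HTTP: GET /ok HTTP/1.1
12:00:01.502 IP 203.0.113.10.80 > 10.1.1.6.51001: Flags [.], ack 150, length 0
"""
# Server side (firewall -> load balancer): only the second GET was relayed.
SERVER_SIDE = """\
12:00:01.501 IP 10.1.1.6.51001 > 192.168.10.20.80: Flags [P.], seq 1:150, ack 1, length 149: HTTP: GET /ok HTTP/1.1
"""

PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\](?:, seq (?P<seq0>\d+):(?P<seq1>\d+))?(?:, ack (?P<ack>\d+))?"
    r", length (?P<len>\d+)(?:: HTTP: (?P<http>.*))?$"
)

Flow = Tuple[str, str, str]  # (client ip, client port, request line)


def parse(capture: str) -> List[Dict[str, Optional[str]]]:
    """Parse tcpdump-style lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (PKT.match(l) for l in capture.splitlines()) if m]


def acked_gets(packets: List[Dict[str, Optional[str]]]) -> List[Flow]:
    """GETs on the client side that were acknowledged by a bare ACK from the server address.

    The ACK must come from the reverse 4-tuple, carry no data, and acknowledge
    exactly the end of the GET's sequence range (the 'seq a:b' upper bound)."""
    found: List[Flow] = []
    for i, p in enumerate(packets):
        if not p["http"] or not p["http"].startswith("GET "):
            continue
        for q in packets[i + 1:]:
            reverse = (q["src"], q["sport"], q["dst"], q["dport"]) == (p["dst"], p["dport"], p["src"], p["sport"])
            if reverse and q["len"] == "0" and q["ack"] == p["seq1"]:
                found.append((p["src"], p["sport"], p["http"]))
                break
    return found


def stalled_requests(client_capture: str, server_capture: str) -> List[Flow]:
    """GETs the firewall ACKed toward the client but never relayed on the server side."""
    relayed = {(p["src"], p["sport"], p["http"]) for p in parse(server_capture) if p["http"]}
    return [g for g in acked_gets(parse(client_capture)) if g not in relayed]


if __name__ == "__main__":
    for ip, port, req in stalled_requests(CLIENT_SIDE, SERVER_SIDE):
        print(f"stalled: {ip}:{port} {req}  (ACKed by firewall, not seen server-side)")
```

Run against two real captures, the output lists exactly the sessions that will sit with a spinning pointer until the TCP timeout, which gives the vendor a concrete set of flows and timestamps to match against the audit.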