Technical Tip: FortiGate timer for TCP half-close sessions
| Description | This article describes the case of the FortiGate timer for TCP half-close sessions. |
| Scope | FortiOS. |
Solution

The TCP protocol provides the ability for one side of a connection to terminate its output while still receiving data from the other end. This is called a half-close state and is triggered after one side receives the first FIN packet for a session. This should not be confused with the TCP time-wait state, which is triggered after both sides have sent a FIN or RST packet. Typical applications that use the half-close mechanism are SQL*Net, rsh, and lpr.

A FortiGate unit applies a specific timer before removing an entry in a half-close state from the firewall session table. The 'tcp-halfclose-timer' can be changed globally for all sessions with the following commands:

```
config system global
    set tcp-halfclose-timer {integer}
end
```

The value of 'tcp-halfclose-timer' can be set between 1 and 86400 seconds. The default value is 120 seconds.

To configure different half-close timers per protocol, refer to the article Technical Tip: How to extend the TCP Half-Close timer for specific TCP services.

Sessions in a half-close state are listed in the 'FIN_WAIT state' line of the following CLI command:

```
diagnose sys session stat
...
TCP sessions:
    95 in NONE state
    3908 in ESTABLISHED state
    12 in SYN_SENT state
    2 in SYN_RECV state
    20 in FIN_WAIT state        <-----
    169 in TIME_WAIT state
    245 in CLOSE state
    102 in CLOSE_WAIT state
```

Note: Before changing the value, consider that a half-close timer that is too low may prematurely drop valid sessions, causing application interruptions, while a value that is too high can lead to unnecessary session table usage, CPU usage, and potential resource exhaustion.
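As an added monitoring example (not from the article or from Fortinet), the following Python parses the TCP state block of `diagnose sys session stat` output and reports the share of the session table sitting in FIN_WAIT, so the trade-off described in the note can be checked with numbers before the timer is changed. The sample output is constructed from the article's figures and the 10% threshold is an assumed operational baseline, not a Fortinet value.

```python
import re
from typing import Dict

# Constructed sample of 'diagnose sys session stat' output. The counts are the
# ones shown in the article; the surrounding layout is assumed.
SAMPLE_OUTPUT = """\
diagnose sys session stat
TCP sessions:
    95 in NONE state
    3908 in ESTABLISHED state
    12 in SYN_SENT state
    2 in SYN_RECV state
    20 in FIN_WAIT state
    169 in TIME_WAIT state
    245 in CLOSE state
    102 in CLOSE_WAIT state
"""

# One per-state line: "<count> in <STATE> state"
STATE_LINE = re.compile(r"^\s*(\d+) in ([A-Z_]+) state\s*$", re.MULTILINE)


def parse_tcp_session_states(output: str) -> Dict[str, int]:
    """Return {state: count} for the 'TCP sessions:' block of the command output."""
    parts = output.split("TCP sessions:", 1)
    if len(parts) < 2:
        raise ValueError("no 'TCP sessions:' block found in output")
    return {state: int(count) for count, state in STATE_LINE.findall(parts[1])}


def fin_wait_share(counts: Dict[str, int]) -> float:
    """Fraction of TCP session-table entries in FIN_WAIT, i.e. half-closed sessions."""
    total = sum(counts.values())
    return counts.get("FIN_WAIT", 0) / total if total else 0.0


def halfclose_pressure(counts: Dict[str, int], max_share: float = 0.10) -> bool:
    """True when half-closed sessions occupy more of the table than max_share.

    A high share suggests the half-close timer is holding entries longer than
    the traffic needs; a share near zero gives no reason to lower it.
    max_share is an assumed baseline, not a vendor recommendation.
    """
    return fin_wait_share(counts) > max_share


if __name__ == "__main__":
    states = parse_tcp_session_states(SAMPLE_OUTPUT)
    print(f"FIN_WAIT share: {fin_wait_share(states):.2%}, pressure: {halfclose_pressure(states)}")
```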
