Technical Tip: How to extend the TCP Half-Close timer for specific TCP services
Description
This article describes how to handle an application that requires the TCP half-close state.
In a half-close, one end of the connection signals the following to its peer:
- I have finished sending data, so I send a FIN segment (FIN flag set) to the other end.
- I still need to receive data from the other end, and I keep reading until the peer sends its own FIN.
Refer to section 13.2.1, 'TCP Half-Close', of 'TCP/IP Illustrated, Volume 1', Second Edition (Kevin R. Fall and W. Richard Stevens).
The example below illustrates the case in which it is the client who initiates the half-close state, but the server could also initiate half-close.
Client                                        Server (port 1701)
   .......
Client initiates close      [FIN,ACK]  ----------------------->
                                       <-----------------------  [ACK]
Connection is half-closed              <-----------------------  [more data]
                            [Data ACK] ----------------------->
   .......
Connection's "other half"              <-----------------------  [FIN,ACK]
closes                      [ACK]      ----------------------->
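The exchange in the diagram above, as an added runnable example (it is not part of the original article and has nothing to do with FortiOS itself): a Python client sends its request, half-closes with shutdown(SHUT_WR), and keeps reading; the server reads until it sees the client's FIN and only then sends its reply. Everything runs on the loopback interface on an ephemeral port chosen by the script, so no FortiGate is in the path; the message contents, the reply delay and the port are constructed for the demonstration.

```python
import socket
import threading
import time

# Constructed for this example: everything runs on loopback on an ephemeral
# port; the article's port 7701 is not used so the script runs anywhere.
HOST = "127.0.0.1"


def half_close_server(listener: socket.socket, reply: list[bytes],
                      reply_delay: float = 0.0) -> bytes:
    """Serve one client: read until the client's FIN, then keep sending.

    This is the server side of the exchange in the diagram: the client has
    already sent FIN, yet the server still pushes data over the half-closed
    connection before sending its own FIN.
    """
    conn, _ = listener.accept()
    with conn:
        request = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:        # recv() returns b"" once the client's FIN arrives
                break
            request += chunk
        # The connection is now half-closed: client->server is finished,
        # server->client is still open. A real service may take a while
        # here; that is the interval a half-close timer has to cover.
        if reply_delay:
            time.sleep(reply_delay)
        for part in reply:
            conn.sendall(part)
        # Leaving the with-block closes the socket: the "other half" FIN.
    return request


def half_close_client(port: int, request: bytes) -> bytes:
    """Send the request, shut down the write side (FIN), then read until EOF."""
    with socket.create_connection((HOST, port)) as sock:
        sock.sendall(request)
        sock.shutdown(socket.SHUT_WR)   # emits FIN; the read side stays open
        received = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:        # server's FIN: the connection is fully closed
                break
            received += chunk
    return received


def run_exchange(request: bytes, reply: list[bytes],
                 reply_delay: float = 0.0) -> tuple[bytes, bytes]:
    """Run server and client on loopback.

    Returns (what the server read before the client's FIN,
             what the client read after its own FIN).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def serve():
        result["request"] = half_close_server(listener, reply, reply_delay)

    worker = threading.Thread(target=serve)
    worker.start()
    received = half_close_client(port, request)
    worker.join()
    listener.close()
    return result["request"], received


if __name__ == "__main__":
    req, got = run_exchange(b"GET-ALL\n", [b"record-1\n", b"record-2\n"],
                            reply_delay=0.5)
    print("server read before client FIN:", req)
    print("client read after its own FIN:", got)
```

If a FortiGate sat between the two sockets, reply_delay is the figure to compare against tcp-halfclose-timer: a delay longer than the timer means the session has already been removed when the server's data arrives, and the client reads nothing after its FIN.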
In FortiOS, the tcp-halfclose-timer is 120 seconds* by default.
* Factory default values may differ between firmware versions. Default values are listed in the CLI reference on Fortinet Documentation.
That means that if the FortiGate sees the client's FIN and the server's FIN does not follow within 2 minutes, the session is removed from the session table.
After those 2 minutes, the FortiGate drops further traffic between client and server, including any data the server still sends over the half-closed connection, and a debug flow output will show the message 'no session matched', reflecting the fact that the session no longer exists in the session table.
2015-01-07 13:57:42 id=20085 trace_id=1203308 func=vf_ip4_route_input line=1596 msg='find a route: flags=00000000 gw-192.168.245.33 via lan'
2015-01-07 13:57:42 id=20085 trace_id=1203308 func=fw_forward_dirty_handler line=310 msg='no session matched'
Solution
To extend the tcp-halfclose-timer for all TCP sessions globally, modify the system global settings:
config system global
set tcp-halfclose-timer xxx
end
Possible values can be seen with the '?' parameter:
config system global
set tcp-halfclose-timer ?
tcp-halfclose-timer Enter an integer value from <1> to <86400> (default = <120>).
To support a specific application that requires TCP half-close operation, the administrator can extend the tcp-halfclose-timer.
The timer can be changed for all sessions (the global timer above) or for a specific custom service. The custom-service timer is preferable: it keeps a longer half-close window only for sessions matched by a policy that uses that service, whereas a longer global timer holds every half-closed session, including abandoned ones, in the session table for longer. After applying the change, confirm with 'diagnose sys session list' that a half-closed session of the application shows an expire value derived from the new timer.
The following steps show how to extend the TCP half-close timer for TCP port 7701:
- Create a custom firewall service for TCP port 7701 and set the required tcp-halfclose-timer on it (3600 seconds, i.e. one hour, in this example).
config firewall service custom
edit "TCP-7701"
set tcp-portrange 7701
set tcp-halfclose-timer 3600
next
end
- Apply service 'TCP-7701' in the policies that allow this traffic. The timer applies to the whole session regardless of which end sends the first FIN, but the policy a session matches, and therefore the service timer it inherits, is decided by the end that opens the connection. If connections to port 7701 can be opened from either side, create a policy for each direction:
config firewall policy
edit 55
set srcintf "lan"
set dstintf "port1"
set srcaddr "lan_clients"
set dstaddr "special_server"
set action accept
set schedule "always"
set service "TCP-7701"
set logtraffic all
next
end
config firewall policy
edit 54
set srcintf "port1"
set dstintf "lan"
set srcaddr "special_server"
set dstaddr "lan_clients"
set action accept
set schedule "always"
set service "TCP-7701"
set logtraffic all
next
end
