Contributor
March 23, 2004
Question

Session Timeout Value Change

Have any of you had trouble with applications running through your FG either via plain-text Internet or VPN? My company has had several problems with the default session ttl of 300 seconds. Most of the problems deal with sessions to applications being run over VPN, but there is a circumstance that deals with FTP as well, i.e. someone tries to download a large (several hundred MB) file that takes longer than 300 seconds to download and gets disconnected. The VPN problems relate to Terminal Service sessions being disconnected after 300 seconds, Outlook MAPI connections that are being disconnected when running over VPN, etc... I've decided to change the default 300 seconds to 14400 seconds with the command:
set system session_ttl default 14400
I realize that this will result in more sessions being left open for longer than required in some circumstances, which will result in a loss of performance. However, we have an FG-300 which is capable of supporting 200,000 sessions. During an extremely heavy day, our company has at most 500 sessions going. That's .25% of the box's maximum capability. I think I have room to increase the session timeout a bit. ;-) Does anyone else have an opinion on this move? Has anyone else made a similar move with their FG?

    7 replies

    Contributor
    April 5, 2004
    Yes, similar here. Running a database app through IPSEC VPN to MS SQL Server. Had to up the default timeout from 300 to 30000.
    Contributor
    April 5, 2004
    I spoke to Tech Support about my question above. They recommended that I do not set the default that high. So, I have since put mine back to the default of 300 seconds. However, I have been increasing the ports that we use. For example, SQL Server uses port 1433. So, I have increased that to 14400. I have done the same with SSH port 22, Terminal Server port 3389, and Microsoft Outlook ports 1116 and 1160. It seems to be working out well that way. It just takes a bit more work.
    Contributor
    April 5, 2004
    I have two FG-60s. The SQL Server is at site A. Clients who connect to the DB are at site B. Do I only need to up the session ttl on the FG-60 at site A, or at site B as well?
    Contributor
    April 5, 2004
    I would do both, since both FGs are going to track the session.
    Contributor
    April 5, 2004
    What's the CLI syntax to set an individual port's session_ttl?
    Contributor
    April 5, 2004
    To set the timeout to 4 hours for the terminal server port (3389) you can use the code below.
    set system session_ttl port 3389 timeout 14400
    Contributor
    April 15, 2004
    Just an FYI, but I'm having the exact same problem you are talking about. I have 15 FG's installed and I've had to adjust the ttl on all of them. The biggest problems I ran into were Outlook connections to a remote Exchange server and Citrix connections. I adjusted the ttl on both to 1800 and didn't have as much of a problem. Outlook still hangs, but not very often.
    Contributor
    April 16, 2004
    Are you adjusting the default TTL, jce001? If not, what ports are you using for Outlook? I had a bear of a time figuring out what they were.
    Johan_Lysen
    New Member
    April 18, 2004
    I had the same kind of problems. My solution was to set session timeout higher AND disable NIDS/NIPS, logging and antivirus - now all my problems are gone. I suspect the NIDS/NIPS. /Johan
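
The trade-off discussed in this thread (raising the default session TTL versus setting per-port overrides), as an added example that is not part of the original thread and is not FortiGate code: a toy Python model of idle-session expiry replayed over constructed traffic. The function names, the traffic and the port-80 sessions are assumptions for illustration; the TTL values and ports 3389 and 1433 come from the posts.

```python
# Added example: toy model of a stateful firewall's idle-session expiry.
# Not FortiGate code; names and traffic are constructed for illustration.

def effective_ttl(port, default_ttl, port_ttls):
    """A per-port override wins; otherwise the default TTL applies."""
    return port_ttls.get(port, default_ttl)

def replay(packets, default_ttl, port_ttls):
    """Replay time-ordered (timestamp, session_id, dst_port) packets.

    Returns (dropped_sessions, peak_table_size)."""
    table = {}       # session_id -> (last_seen, dst_port)
    expired = set()
    dropped = set()
    peak = 0
    for ts, sid, port in packets:
        # Age out every entry idle for longer than its TTL.
        for s, (last, p) in list(table.items()):
            if ts - last > effective_ttl(p, default_ttl, port_ttls):
                del table[s]
                expired.add(s)
        if sid in expired:
            dropped.add(sid)   # mid-stream packet with no state: app disconnects
            continue
        table[sid] = (ts, port)
        peak = max(peak, len(table))
    return dropped, peak

def sample_traffic():
    """Constructed traffic: 100 one-packet port-80 sessions that never close
    cleanly, plus an RDP and a SQL session with long idle gaps."""
    pkts = [(10 * i, f"w{i}", 80) for i in range(100)]
    pkts += [(0, "rdp-1", 3389), (60, "rdp-1", 3389), (700, "rdp-1", 3389)]
    pkts += [(0, "sql-1", 1433), (1000, "sql-1", 1433)]
    return sorted(pkts)

OVERRIDES = {3389: 14400, 1433: 14400}   # per-port values from the thread

if __name__ == "__main__":
    traffic = sample_traffic()
    for label, default, ports in [("default 300", 300, {}),
                                  ("default 14400", 14400, {}),
                                  ("300 + per-port", 300, OVERRIDES)]:
        dropped, peak = replay(traffic, default, ports)
        print(f"{label:15} dropped={sorted(dropped)} peak_entries={peak}")
```

In this model the per-port configuration keeps the long-idle sessions alive while the session table stays as small as it is with the 300-second default; raising the default keeps every stale entry until the longer TTL runs out.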