cckwokho
New Member
September 24, 2007
Question

Setting tcp-halfclose-timer

Hi all, I have a problem setting tcp-halfclose-timer and would like to seek advice. I suppose the tcp-halfclose-timer should affect half-close applications like rsh or sqlnet and should have no effect on, say, https. But I find that even though an https connection has been terminated completely with FIN and FIN/ACK, the FortiGate still keeps its session entries with the expiry time = tcp-halfclose-timer value, and they do not age out faster. So if I set the tcp-halfclose-timer to a high value (say 6 hours), then the session table will grow very large, which is undesirable. But I must set it, as there are half-close applications in my company. So does anyone know if there is a solution? Or is it a known issue? BTW, the FortiOS that I use is 3.0 MR3 patch 9. I didn't find the same problem when I was using version 2.8 MR11. Thanks a lot.
KH Cheung

    4 replies

    abelio
    SuperUser
    September 24, 2007
    Hello KH, the tcp-halfclose-timer global system parameter has the same meaning in 2.80 and 3.0; you cannot set it on a per-protocol basis, only globally for all TCP connections (default 120 sec). I'm not completely sure things work as you posted: "...still keeps its session entries with the expiry time = tcp-halfclose-timer value...". Anyway, keep in mind that you can control the session table's timeouts on a per-protocol basis from the CLI, e.g. if you need 8-hour SSH sessions but the others keep the default (1 hour):
      config system session-ttl
          set default 3600
          config port
              edit 22
                  set timeout 28800
              next
          end
      end
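    As an added example (not part of abelio's post or of any Fortinet documentation): the two knobs discussed in this thread shown side by side, written in FortiOS 3.0 CLI syntax. The half-close timer is global under config system global and is assumed here to be raised to 6 hours (21600 seconds) for the legacy rsh/sqlnet applications, while the per-port session-ttl keeps ordinary TCP at the 1-hour default and SSH at 8 hours. The diagnose lines filter the session table on destination port 443 so the expire value of a closed HTTPS session can be compared against the two timers; the port numbers and timeout values are illustrative, not taken from the original posts.

```text
# Assumed values: 6-hour half-close timer for the legacy half-close applications.
# This applies to every TCP session on the unit; it cannot be scoped per port.
config system global
    set tcp-halfclose-timer 21600
end

# Per-protocol idle timeouts: 1-hour default, 8 hours for SSH (port 22).
config system session-ttl
    set default 3600
    config port
        edit 22
            set timeout 28800
        next
    end
end

# Check what the session table actually holds for HTTPS after a client
# and server have exchanged FIN / FIN-ACK. The 'expire=' field of each
# listed session should be compared with the session-ttl default (3600)
# and the tcp-halfclose-timer (21600) to see which one is in effect.
diagnose sys session filter clear
diagnose sys session filter dport 443
diagnose sys session list
```

    The filter must be cleared before each check, otherwise earlier filter terms stay active and the list is narrower than intended.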
    cckwokho (Author)
    New Member
    September 24, 2007
    Hello Abel, thanks for your reply. I set the tcp-halfclose-timer to 300 and session-ttl to 3600, and then I made a few http connections. After that, I checked the session entries via the web GUI and found that the expiry time of the http connections is set to 300 seconds. I suppose that once the http connections are finished, after the client and server send the FIN packets, the FortiGate should set the expiry time to a value other than 300 seconds. Since my company still uses old applications with half-close features, I need to set the timer to a large value. But if I do that, then normal applications will stay in the session table for a very long time as well.
    KH Cheung
    abelio
    SuperUser
    September 24, 2007
    Interesting issue, but I cannot reproduce it here with 3.0 MR3 and MR4 boxes :( In my web GUI all TCP sessions have an expiration time controlled by the 'default' system session-ttl value, and only the TCP protocols specially configured (as in the ssh port 22 example above) have different timeout values. The docs say this about 'tcp-halfclose-timer': "Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded". The key part here seems to be 'sent a FIN packet but the other has not responded'. I'll try other tests with 2.80 to try to catch any difference.
    Regards.
    keithli_FTNT
    Staff
    October 4, 2007
    Thanks guys for providing details about this behaviour. I am a support engineer working at Fortinet. Just got word from QA that this has been reported as a bug and will be fixed for the next MR. So you can expect this to be fixed in MR6. Regards, Keith
    cckwokho (Author)
    New Member
    October 4, 2007
    Hello Keith, thanks for your information. Do you know if the bug will be fixed in the new patch release of MR3 / MR4?
    KH Cheung