Help
FortiCarrier
FortiCarrier is a High-Scale Carrier-Grade Network Service Applicance (CGN)
maydin
Staff
Staff

Created on ‎01-28-2025 07:12 AM Edited on ‎01-28-2025 08:13 AM

Article Id 373187

Technical Tip: How Half-Open and Half-Close Timeouts Work for GTP Tunnels

Description This article describes how half-open and half-close timeouts work for GTP tunnels on a FortiCarrier, helping manage tunnel lifecycles.
Scope FortiCarrier.
Solution How half-open and half-close States are created:
  • When FortiCarrier receives a Create Session Request (message type 32) and forwards it, a tunnel is created in the half-open state.
  • Similarly, when FortiCarrier receives a Delete Session Request (message type 36) and forwards it, the tunnel transitions to the half-close state.

The duration for which these tunnels remain in the table (in either state) is controlled by the half-open-timeout and half-close-timeout parameters, which can be configured in the GTP profile.

 

Configuring half-open and half-close timeouts:

 

Below is an example configuration of a GTP profile where the timeouts are set:

 

config firewall gtp
    edit "Test"
        ...
        set half-open-timeout 8
        set half-close-timeout 10
        ...
    next

end

 

  • half-open timeout: Specifies how long a tunnel in the half-open state will persist (in seconds) if no response is received.
  • half-close timeout: Specifies how long a tunnel in the half-close state will persist (in seconds).

Example workflow:

 

When a GTP Create Session Request hits the above GTP profile, a tunnel is created, and its life is initialized with the half-open-timeout value, 8 seconds. For instance, if the timeout is set to 8 seconds, the tunnel will be deleted if no reply is received within this period.

 

Below is an example log entry showcasing a tunnel which has its life set to 8 seconds and has 1 request message type 32 under it: 

 

-----------prof=IoT_inbound ref=6 imsi=404277283330042 msisdn=919158002081 mei=86853904.098254.53 ms_addr=:: s11_s4 0-----------
-----------index=00000003 life=8(sec) idle=4(sec) vd=1 ver=2-----------
c_pkt=1 c_bytes=309 u_pkt=0 u_bytes=0
downlink cfteid:
addr=50.50.50.1 teid=0x805c6098 role=control vd=1 intf_type=s5/s8 sgw gtp-c
1/1 requests shown:
src=50.50.50.1:32432 dst=60.60.60.1:2123 seq=4122776 msg_type=32 vd=1 ver=2
uplink cfteid:
addr=Unknown teid=0x00000000 role=control vd=0 intf_type=s1-u enodeb gtp-u
1/1 bearers:
id=5 linked_id=0 type=regular dead=0 apn=www.mncxxx.mccyyy.gprs selection=ms-or-net-provided-apn apn_restriction=all user_addr=:: u_pkt=0 u_bytes=0
1 fteids:
addr=50.50.50.1 teid=0x81c0a00a role=data vd=1 intf_type=s5/s8 sgw gtp-u

 

Important notes:

  • If there are retries of Create Session Request or Delete Session Request in the network, these retries will not reset the timer. Only the initial request sets the timeout for the tunnel.
  • All other GTP-C message types have a default timeout of 5 minutes.
112
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.