FortiGate
jintrah_FTNT
Staff
Article Id 190553

Description


This article describes the TCP half-close state, which some applications occasionally require, and how to accommodate such an application in FortiOS.

This means that one end signals the following to its peer: it has finished sending data, so it sends a FIN packet (FIN flag set) to the other end, yet it still needs to receive data from the other end until the peer sends its own FIN packet.

Refer to section '13.2.1 TCP Half-Close' of the book 'TCP/IP Illustrated, Volume 1, Second Edition' by Kevin R. Fall.

The example below illustrates the case in which it is the client who initiates the half-close state, but the server could also initiate half-close.


                        Client                        Server(port1701)
                           {           .......            }
     Client Initiates Close{[FIN,ACK]------------------>  }
                           {<------------------------[ACK]}
  Connection Is Half-Closed{<------------------[more data]}
                           {[Data ACK]------------------->}
                           {           .......            }
           Connection's    {<--------------------[FIN,ACK]}
        "Other Half" Closes{[ACK]------------------------>}


In FortiOS, the tcp-halfclose-timer is 120 seconds* by default.
* Factory default values may differ between firmware versions. Default values are listed in the CLI reference on Fortinet Documentation.

That means the connection from server to client will be closed 2 minutes after the client sends the initial FIN packet.
After 2 minutes, the FortiGate drops traffic from the server to the client, and a debug flow output shows the message 'no session matched', reflecting that the session no longer exists in the session table.


2015-01-07 13:57:42 id=20085 trace_id=1203308 func=vf_ip4_route_input line=1596 msg='find a route: flags=00000000 gw-192.168.245.33 via lan'

2015-01-07 13:57:42 id=20085 trace_id=1203308 func=fw_forward_dirty_handler line=310 msg='no session matched'


Solution


To extend the tcp-halfclose-timer for all TCP sessions globally, modify the system global settings:


config system global
    set tcp-halfclose-timer xxx
end


Possible values can be seen with the '?' parameter:


config system global
    set tcp-halfclose-timer ?
tcp-halfclose-timer Enter an integer value from <1> to <86400> (default = <120>).


To support a specific application that requires TCP half-close operation capability, the administrator can extend the tcp-halfclose-timer.

The timer can be applied either to all sessions (global timer) or to a specific custom service.


The following steps show how to extend the TCP half-close timer for port 7701:


  1. Create a custom firewall service for TCP port 7701.

Set the required tcp-halfclose-timer for the new custom service.


config firewall service custom
    edit "TCP-7701"
        set tcp-portrange 7701
        set tcp-halfclose-timer 3600
    next
end


  2. Since either end can initiate the TCP half-close, apply the service 'TCP-7701' to traffic initiated in either direction.


config firewall policy
    edit 55
        set srcintf "lan"
        set dstintf "port1"
        set srcaddr "lan_clients"
        set dstaddr "special_server"
        set action accept
        set schedule "always"
        set service "TCP-7701"
        set logtraffic all
    next
end

config firewall policy
    edit 54
        set srcintf "port1"
        set dstintf "lan"
        set srcaddr "special_server"
        set dstaddr "lan_clients"
        set action accept
        set schedule "always"
        set service "TCP-7701"
        set logtraffic all
    next
end
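The following is an added example, not part of this article or of FortiOS, that reproduces the half-close exchange described above with plain sockets: the client sends a FIN (shutdown of its write side) and keeps reading until the server sends its own FIN. Running it on loopback simply demonstrates the mechanism; to verify the timer after applying the policies above, run the server half on the application host and the client half across the FortiGate with a delay longer than the configured tcp-halfclose-timer, and the client will see the late reply only if the session survived. The host, port, delay and payloads are constructed values.

```python
import socket
import threading
import time


def half_close_server(listen_sock, delay, reply=b"late reply from server"):
    """Accept one client, read until its FIN, wait `delay` seconds, then answer and close."""
    conn, _ = listen_sock.accept()
    with conn:
        received = b""
        # recv() returns b"" once the client's FIN has arrived (client half-closed).
        while chunk := conn.recv(4096):
            received += chunk
        # The client can no longer send, but it is still waiting for our data.
        time.sleep(delay)
        conn.sendall(reply)
        # Leaving the 'with' block closes the socket and sends our FIN: the "other half" closes.
    return received


def half_close_client(host, port, payload=b"request from client"):
    """Send the request, half-close (FIN), then keep reading until the server's FIN."""
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # FIN,ACK to the server; our read side stays open
        data = b""
        while chunk := s.recv(4096):  # blocks until data or the server's FIN arrives
            data += chunk
    return data


def run_half_close_demo(delay=0.5):
    """Run server and client on loopback (constructed values); returns (client_got, server_got)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port so the demo is self-contained
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(got=half_close_server(srv, delay)))
    t.start()
    client_got = half_close_client("127.0.0.1", port)
    t.join()
    srv.close()
    return client_got, result["got"]


if __name__ == "__main__":
    print(run_half_close_demo())
```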