Fortinet Forum
cckwokho
New Contributor

Setting tcp-halfclose-timer

Hi all, I have a problem setting tcp-halfclose-timer and would like to seek advice. I suppose the tcp-halfclose-timer should affect half-close applications like rsh or sqlnet and should have no effect on, say, https. But I find that even though an https connection has been terminated completely with FIN and FIN/ACK, the FortiGate still keeps its session entries with the expiry time = tcp-halfclose-timer value and does not age them out faster. So if I set the tcp-halfclose-timer to a high value (say 6 hours), then the session table will grow very large, which is undesirable. But I must set it, as there are half-close applications in my company. So does anyone know if there is a solution? Or is it a known issue? BTW, the FortiOS that I use is 3.0 MR3 patch 9. I didn't find the same problem when I was using version 2.8 MR11. Thanks a lot. KH Cheung
abelio
Valued Contributor

Hello KH, the tcp-halfclose-timer global system parameter has the same meaning in 2.80 and 3.0; you cannot set it on a per-protocol basis, just globally for all TCP connections (default 120 sec). I'm not completely sure things work as you posted: "..still keeps its session entries with the expiry time = tcp-halfclose-timer value..". Anyway, keep in mind that you can control the session table's timeouts on a per-protocol basis with the CLI, i.e. if you need 8-hour SSH sessions but the others keep the default (1 hour):
 config system session-ttl
     set default 3600
         config port
             edit 22
                 set timeout 28800
             next
         end
 end

regards


__ Abel

cckwokho
New Contributor

Hello Abel, thanks for your reply. I set the tcp-halfclose-timer to 300 and session-ttl to 3600. Then I made a few http connections. After that, I checked the session entries via the web GUI and found that the expiry time of the http connections is set to 300 seconds. I suppose that once the http connections are finished, after the client and server send the FIN packets, the FortiGate should set the expiry time to a value other than 300 seconds. Since my company still uses old applications with half-close features, I need to set the timer to a large value. But if I do that, then normal applications will stay in the session table for a very long time as well. KH Cheung
abelio
Valued Contributor

Interesting issue, but I cannot reproduce it here with MR3 and MR4 3.0 boxes :( ; in my web GUI all TCP sessions have an expiration time controlled by the 'default' system session-ttl value, and only the TCP protocols specially configured (as in the ssh port 22 example above) have different values for timeout. The docs say this about 'tcp-halfclose-timer': "Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded". The key part here seems to be 'sent a FIN packet but the other has not responded'. I'll try other tests with 2.80 to try to catch any difference.

regards


__ Abel

keithli_FTNT
Staff

Thanks, guys, for providing details about this behaviour. I am a support engineer working at Fortinet. I just got word from QA that this has been reported as a bug and will be fixed in the next MR. So you can expect this to be fixed in MR6. Regards, Keith
Director, Product Management
cckwokho
New Contributor

Hello Keith, thanks for your information. Do you know if the bug will be fixed in the new patch release of MR3 / MR4? KH Cheung