Help
Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cckwokho
New Contributor

Created on ‎09-24-2007 05:20 AM

Setting tcp-halfclose-timer

Hi all, I have a problem on setting tcp-halfclose-timer and would like to seek for advice. I suppose the tcp-halfclose-timer should affect half-close applications like rsh or sqlnet and should have no effect on, say https. But I find that even though a https connection has been terminated completely with fin and fin/ack, the Fortigate still keeps its session entries with the expiry time = tcp-halfclose-timer value and did not age out faster. So if I set the tcp-halfclose-timer to a high value (say 6 hours), then the session table will grow very large, which is undesirable. But I must set it as there' re half-close applications in my company. So does anyone know if there is a solution? Or it' s a known issue? BTW, the FortiOS that I use is 3.0MR3 patch 9. I didn' t find the same problem when I was using version 2.8 MR11. Thanks a lot. KH Cheung
6878
0 Kudos
5 REPLIES 5
abelio
Valued Contributor

Created on ‎09-24-2007 07:01 AM

Hello KH, tcp-halfclose-timer global system parameter has the same meaning in 2.80 and 3.0; you cannot set it in a per protocol basis, just globally to all TCP conections. (default 120 seg) I' m not sure completely if things works as you posted: " ..still keeps its session entries with the expiry time = tcp-halfclose-timer value.." Anyway, keep in mind that you can control table' s sessions timeouts in a protocol basis with CLI, i.e. you need 8 hours SSH sessions, but the others keep default (1hour): 
 config system session-ttl
     set default 3600
         config port
             edit 22
                 set timeout 28800
             next
         end
 end

regards


__ Abel

684
0 Kudos
cckwokho
New Contributor

Created on ‎09-24-2007 07:12 AM

Hello Abel, Thanks for your reply. I set the tcp-halfclose-timer to 300 and session-ttl to 3600. And then I make a few http connections. After that, I check the session entries via the web GUI and find that the expiry time of the http connections are set to 300 seconds. I suppose that once the http connections are finished after the client and server send the FIN packets, Fortigate should set the expiry time to a value other than 300 seconds. Since my company still uses old applications with half-close features, I need to set the timer to a large value. But if I do that, then normal applications will stay in the session table for a very long time as well. KH Cheung
684
0 Kudos
abelio
Valued Contributor
In response to cckwokho

Created on ‎09-24-2007 08:20 AM

Interesting issue, but I cannot reproduce here with MR3, MR4 3.0 boxes [:( ] ; in my webGUI all TCP sessions have expiration time controlled by ' default' system session-ttl value and only the tcp protocols specially configured (as ssh port 22 example of above) has special different values for timeout Docs says this about ' tcp-halfclose-timer' : " Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded" The key part here seems to be ' sent a FIN packet but the other has not responded' I' ll try other tests with 2.80 to try to catch any difference regards.

regards


__ Abel

684
0 Kudos
keithli_FTNT
Staff
Staff

Created on ‎10-03-2007 05:38 PM

Thanks guys for providing details about this behaviour. I am a support engineer working at Fortinet. Just got word from QA that this has been reported as a bug and will be fixed for the next MR. So you can expect this to be fixed in MR6. Regards, Keith
Director, Product Management
684
0 Kudos
cckwokho
New Contributor

Created on ‎10-03-2007 06:40 PM

Hello Keith, Thanks for your information. Do you know if the bug will be fixed in the new patch release of MR3 / MR4? KH Cheung
684
0 Kudos
Top Kudoed Authors
View all

Contact Us