Setting tcp-halfclose-timer
Hi all,
I have a problem setting tcp-halfclose-timer and would like to seek advice.
I suppose the tcp-halfclose-timer should affect half-close applications like rsh or sqlnet and should have no effect on, say, https. But I find that even though an https connection has been terminated completely with FIN and FIN/ACK, the Fortigate still keeps its session entries with the expiry time = tcp-halfclose-timer value and does not age them out faster.
So if I set the tcp-halfclose-timer to a high value (say 6 hours), then the session table will grow very large, which is undesirable. But I must set it as there're half-close applications in my company.
So does anyone know if there is a solution? Or is it a known issue? BTW, the FortiOS that I use is 3.0MR3 patch 9. I didn't find the same problem when I was using version 2.8 MR11.
Thanks a lot.
KH Cheung
Hello KH,
The tcp-halfclose-timer global system parameter has the same meaning in 2.80 and 3.0;
you cannot set it on a per-protocol basis, just globally for all TCP connections (default 120 sec).
I'm not completely sure if things work as you posted:
"..still keeps its session entries with the expiry time = tcp-halfclose-timer value.."
Anyway, keep in mind that you can control the session table's timeouts on a per-protocol basis with the CLI, i.e. if you need 8-hour SSH sessions but the others keep the default (1 hour):

    config system session-ttl
        set default 3600
        config port
            edit 22
                set timeout 28800
            next
        end
    end
regards
/ Abel
Hello Abel,
Thanks for your reply.
I set the tcp-halfclose-timer to 300 and session-ttl to 3600. And then I make a few http connections.
After that, I check the session entries via the web GUI and find that the expiry time of the http connections is set to 300 seconds.
I suppose that once the http connections are finished after the client and server send the FIN packets, Fortigate should set the expiry time to a value other than 300 seconds.
Since my company still uses old applications with half-close features, I need to set the timer to a large value. But if I do that, then normal applications will stay in the session table for a very long time as well.
KH Cheung
Interesting issue, but I cannot reproduce it here with MR3, MR4 3.0 boxes :(
In my webGUI all TCP sessions have an expiration time controlled by the 'default' system session-ttl value, and only the TCP protocols specially configured (as in the ssh port 22 example above) have different values for timeout.
Docs say this about 'tcp-halfclose-timer':
"Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded"
The key part here seems to be 'sent a FIN packet but the other has not responded'.
I'll try other tests with 2.80 to try to catch any difference.
regards
/ Abel
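To make the distinction in that doc quote concrete (one peer has sent FIN, the other has not), here is an added loopback demonstration of a TCP half-close in Python; it is not part of this thread or of any Fortinet code. The client sends its request and then shutdown(SHUT_WR), i.e. its FIN, while the server keeps its own side open and still answers; only when the server closes too is the session fully closed. The request and response strings are constructed for the demo.

```python
import socket
import threading

# Constructed request/response (not from the thread): the client sends its
# whole request, then half-closes (FIN) while the server is still allowed
# to write back. This is the "half-close" behaviour rsh-style protocols rely
# on, and the state a firewall's tcp-halfclose-timer governs.
REQUEST = b"GET /halfclose-demo\n"
RESPONSE = b"200 OK: request was %d bytes\n"


def _serve_one(listener, result):
    """Accept one client, read until its FIN, then answer on the still-open half."""
    conn, _ = listener.accept()
    with conn:
        received = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:          # b"" means the peer sent FIN (half-close)
                break
            received += chunk
        result["server_saw_eof"] = True
        result["request"] = received
        # The peer closed only its sending side; our side is still writable.
        conn.sendall(RESPONSE % len(received))
        # Leaving the 'with' block sends our FIN: now the session is fully closed.


def half_close_exchange():
    """Run client and server on loopback and report what each side observed."""
    result = {"server_saw_eof": False}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
    listener.listen(1)
    server = threading.Thread(target=_serve_one, args=(listener, result))
    server.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(REQUEST)
        client.shutdown(socket.SHUT_WR)  # send FIN; keep the read side open
        response = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:                # server's FIN: the close is now complete
                break
            response += chunk
    server.join()
    listener.close()
    result["response"] = response
    return result
```

Between the client's shutdown() and the server's close the connection sits in exactly the one-FIN state the documentation describes; a firewall tracking it must keep the session alive for that window, which is why half-close applications need the timer set long enough.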
Thanks guys for providing details about this behaviour. I am a support engineer working at Fortinet. Just got word from QA that this has been reported as a bug and will be fixed for the next MR. So you can expect this to be fixed in MR6.
Regards,
Keith
Director, Product Management
Hello Keith,
Thanks for your information.
Do you know if the bug will be fixed in the new patch release of MR3 / MR4?
KH Cheung