Our customer is using a 310B. They have thin client PCs with no hard drive, so the users frequently power them off while having TCP telnet sessions connected to a host. This leaves the host with half open connections, thinking that the thin clients are still connected. There is no option to add keep alives or anything as this is a top 3 auto mfg with thousands of existing systems, though none going through a firewall before this problem.
When the thin client running Windows 7 embedded reboots, it gets the same source port from TCP, then tries to connect to the host again. It sends its SYN packet with a new SEQ number, which the firewall lets through. The host then sees this packet as out of sequence, as it thinks the connection is still active as it has the same source and dest ports, and IP. Per TCP operational guidelines in RFC793, it just ACKs the SYN packet from the client using the SEQ number of the connection that it still thinks is active, not SYN,ACK. The 310B is not allowing this packet to pass to the thin client, maybe because the SEQ that this packet is using does not address the one in the SYN packet that the client just sent.
As a result, the client sees this as just a non-reply to its SYN, which it then retries 2 more times before failing. If the 310B would pass this packet through, the client would see that the SEQ doesn't match the ACK, and will sent a RST to the host, wait 3 seconds, then re-establish the connection successfully. This is the desired operation and correct according to TCP RFC and is how everything works when there is not firewall.
How can we get the 310B to pass this ACK packet back to the client so it can discover the half open connection at the host so it can reset the connection to fix it? Is this the behavior of the anti-replay=strict setting or something else?
Thanks. #4 in the sequence below is the packet that is being dropped by the firewall.
TCP A TCP B 1. (CRASH) (send 300,receive 100) 2. CLOSED ESTABLISHED 3. SYN-SENT --> <SEQ=400><CTL=SYN> --> (??) 4. (!!) <-- <SEQ=300><ACK=100><CTL=ACK> <-- ESTABLISHED 5. SYN-SENT --> <SEQ=100><CTL=RST> --> (Abort!!) 6. SYN-SENT CLOSED 7. SYN-SENT --> <SEQ=400><CTL=SYN> --> Half-Open Connection Discovery
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1741 | |
1109 | |
755 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.