https://live.paloaltonetworks.com/t5/general-topics/tcp-session-timeout-behaviour/m-p/411189#M92704 <P>Hello</P><P>The firewall will treat a TCP session where no packet was sent for 1h as dead (and not sending a packet to client or server). If one of the participants (client, server) send a packet, it will not be allowed (no established session).</P><P>With application override you could increase the timeout. If the issue still persist, changes are high it is not related to the firewall.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JoergSchuetter_0-1622815698777.png" style="width: 858px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34250i9EF03F1D980BF47E/image-dimensions/858x280/is-moderation-mode/true?v=v2" width="858" height="280" role="button" title="JoergSchuetter_0-1622815698777.png" alt="JoergSchuetter_0-1622815698777.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JoergSchuetter_1-1622815709895.png" style="width: 862px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34251i998B1E539FA03AD5/image-dimensions/862x406/is-moderation-mode/true?v=v2" width="862" height="406" role="button" title="JoergSchuetter_1-1622815709895.png" alt="JoergSchuetter_1-1622815709895.png" /></span></P><P>&nbsp;</P> Fri, 04 Jun 2021 14:10:13 GMT JoergSchuetter 2021-06-04T14:10:13Z https://live.paloaltonetworks.com/t5/general-topics/tcp-session-timeout-behaviour/m-p/411173#M92703 <P>Hello,</P><P>&nbsp;</P><P>I have a question about the mechanism of TCP session timeout on PA FW. Assuming that default TCP timeout on PA device is 3600 seconds. What happen after a TCP session is idle after 3600 seconds ? Does the FW send TCP RST at each endpoints ? Or does it just delete the session from its sessions table ? And in this case if a new packet is sent from either endpoint, is it dropped by the FW ?</P><P>&nbsp;</P><P>To specify the context, we are currently trying to troubleshoot some kind of disconnection issues related to one particular custom-built application. This is a common 2-tier application (Client / Server) that relies on TCP session on a dedicated listening port. Users complain that after some delay of inactivity (let's say after 2 hours or even more) the application crashes (there is a common message "connection failure..."). In my mind, since the FW TCP timeout is set to 3600 seconds, if the application session is open for more than 1 hour without any activity it will close the connection.</P><P>&nbsp;</P><P>Also I performed a Packet Capture on the FW and what I notice is that a TCP (FIN,ACK) is sent by the client to the server over 8000 seconds after the last packet in this particular session... And I see it at the receive stage as well as at the transmit stage. So am I a little bit confused.</P> Fri, 04 Jun 2021 13:57:49 GMT https://live.paloaltonetworks.com/t5/general-topics/tcp-session-timeout-behaviour/m-p/411173#M92703 Laurent_Dormond 2021-06-04T13:57:49Z https://live.paloaltonetworks.com/t5/general-topics/tcp-session-timeout-behaviour/m-p/411189#M92704 <P>Hello</P><P>The firewall will treat a TCP session where no packet was sent for 1h as dead (and not sending a packet to client or server). If one of the participants (client, server) send a packet, it will not be allowed (no established session).</P><P>With application override you could increase the timeout. If the issue still persist, changes are high it is not related to the firewall.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JoergSchuetter_0-1622815698777.png" style="width: 858px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34250i9EF03F1D980BF47E/image-dimensions/858x280/is-moderation-mode/true?v=v2" width="858" height="280" role="button" title="JoergSchuetter_0-1622815698777.png" alt="JoergSchuetter_0-1622815698777.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JoergSchuetter_1-1622815709895.png" style="width: 862px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34251i998B1E539FA03AD5/image-dimensions/862x406/is-moderation-mode/true?v=v2" width="862" height="406" role="button" title="JoergSchuetter_1-1622815709895.png" alt="JoergSchuetter_1-1622815709895.png" /></span></P><P>&nbsp;</P> Fri, 04 Jun 2021 14:10:13 GMT https://live.paloaltonetworks.com/t5/general-topics/tcp-session-timeout-behaviour/m-p/411189#M92704 JoergSchuetter 2021-06-04T14:10:13Z https://live.paloaltonetworks.com/t5/general-topics/tcp-session-timeout-behaviour/m-p/411229#M92708 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/46085">@Laurent_Dormond</a>&nbsp;</P> <P>If you have already installed pan-os 9.1.x you can simply create a service object to increase the tcp timeout for that connection. (Doing this with an application override policy is no longer required)</P> Fri, 04 Jun 2021 15:30:24 GMT https://live.paloaltonetworks.com/t5/general-topics/tcp-session-timeout-behaviour/m-p/411229#M92708 Remo 2021-06-04T15:30:24Z https://live.paloaltonetworks.com/t5/general-topics/tcp-session-timeout-behaviour/m-p/510171#M106171 <P>Good morning,</P> <P>The documentation says that the firewall will close a connection, which I take to mean it will send a TCP RST.&nbsp; The reply above says it will start dropping packets.&nbsp; &nbsp;Am I reading too much into the documentation?&nbsp; &nbsp;</P> <P>Thanks.</P> <P>&nbsp;</P> Thu, 28 Jul 2022 11:25:08 GMT https://live.paloaltonetworks.com/t5/general-topics/tcp-session-timeout-behaviour/m-p/510171#M106171 x2mlhine 2022-07-28T11:25:08Z