Session Timeout Settings

L2 Linker


Hi,

We are using a PA environment in combination with Bluecoat Proxy SG for caching and user authentication. Bluecoat describes in its knowledge base article KB3323 the differences in session timeouts between proxy servers and firewalls.

From our proxies I have many retransmissions to the Internet, so I want to change my timeout settings on the PA to a Bluecoat-conformant value. Where do I have to change the timeout setting?

On session timeouts (and which value)

Session Timeouts.JPG

Or on application settings

application settings.JPG

Greetings from Germany

Robert

Re: Session Timeout Settings

Both will work.

You can override the default timeout for ALL Applications (1st window)

and/or for a specific Application (2nd window)

Regards

Marco

L5 Sessionator

Re: Session Timeout Settings

Keep in mind that the first window that you have displayed is a global change and will affect all sessions. The change will override the default timeout for ALL Applications.

The second window displayed is for a particular application. The change would apply to a specific application. So it would be important to know if you want to change it globally or just for a particular application.

Let us know if this helps.

Thank you

Numan

L2 Linker

Re: Session Timeout Settings

My question was a little bit imprecise. I know the differences between application and timeout settings. My intention is more: which value in the timeout settings do I have to change? Discard TCP or TCP or TCP wait? The PA help is very futile and says "Specify timeouts in seconds for each of the categories. Ranges and defaults are listed." Nice.

I changed all TCP settings to 900s (except TCP itself) and in application I changed it to 900s too. But it doesn't work.

I still have the "non-syn-tcp" application.

syn-error.JPG.jpg

In my session browser, the session timeout is still shown as 30s.

application flow.JPG.jpg

L5 Sessionator

Re: Session Timeout Settings

Hi Robert,

If you are getting non-syn-tcp, then the TCP handshake is not happening properly, and you may be seeing an ACK for a packet which had no SYN.

You can enable the "set session tcp-reject-non-syn no" command from the operational mode. This will allow non-syn traffic in your environment. However, if you want this setting to be permanent you would need to run the "set deviceconfig setting session tcp-reject-non-syn" command from the configuration mode. Usually this is not recommended unless you have a specific problem in your environment, e.g. asymmetric routing.

As far as the session timeout goes, there are a few more timers which you can see under "show session info":

Session timeout
  TCP default timeout:                           3600 secs
  TCP session timeout before SYN-ACK received:      5 secs
  TCP session timeout before 3-way handshaking:    10 secs
  TCP session timeout after FIN/RST:               30 secs
  UDP default timeout:                             30 secs
  ICMP default timeout:                             6 secs
  other IP default timeout:                        30 secs
  Captive Portal session timeout:                  30 secs
  Session timeout in discard state:
    TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs

Let us know if this helps.
Thanks

Numan
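
As an added example (not part of the original posts and not Palo Alto code): a small Python parser for the "Session timeout" section of "show session info" as quoted in the reply above. It lists the timers equal to a timeout seen in the session browser (30 s in this thread) and the timers below a target idle time (900 s in this thread). The function names are hypothetical and the sample text is re-typed from the post.

```python
import re

# Constructed sample: the "Session timeout" section quoted in the post above.
SAMPLE = """\
Session timeout
  TCP default timeout:                           3600 secs
  TCP session timeout before SYN-ACK received:      5 secs
  TCP session timeout before 3-way handshaking:    10 secs
  TCP session timeout after FIN/RST:               30 secs
  UDP default timeout:                             30 secs
  ICMP default timeout:                             6 secs
  other IP default timeout:                        30 secs
  Captive Portal session timeout:                  30 secs
  Session timeout in discard state:
    TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
"""

_TIMER = re.compile(r"^\s*(.+?):\s+(\d+)\s+secs\s*$")
_DISCARD = re.compile(r"([^,:]+):\s*(\d+)\s+secs")

def parse_timeouts(text):
    """Return {timer name: seconds} for the 'Session timeout' section."""
    timers, in_discard = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue  # tolerate blank lines left by copy/paste
        if stripped.lower().startswith("session timeout in discard state"):
            in_discard = True  # the values follow on the next non-blank line
        elif in_discard:
            for name, secs in _DISCARD.findall(line):
                timers["discard " + name.strip()] = int(secs)
            in_discard = False
        elif (m := _TIMER.match(line)):
            timers[m.group(1).strip()] = int(m.group(2))
    return timers

def timers_matching(timers, seconds):
    """Names of timers equal to a timeout seen in the session browser."""
    return sorted(n for n, v in timers.items() if v == seconds)

def timers_below(timers, seconds):
    """Names of timers shorter than a target idle time (e.g. the proxy's)."""
    return sorted(n for n, v in timers.items() if v < seconds)

if __name__ == "__main__":
    t = parse_timeouts(SAMPLE)
    print(timers_matching(t, 30), timers_below(t, 900))
```

Running the same functions on output captured before and after a change shows which timers the change actually moved.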

L0 Member

Re: Session Timeout Settings

Did this finally get resolved? If yes, what settings were modified? I am facing similar issues and it's kinda urgent, if someone can respond back pls.

Users----Bluecoat Child------Palo Alto (FW)-----Parent Bluecoat

Having intermittent disconnects.
