We are using a PA environment in combination with Bluecoat Proxy SG for caching and user authentication. Bluecoat describes in its knowledge base article KB3323 the differences in session timeouts on proxy servers and firewalls.
From our proxies I have many retransmissions to the Internet, so I want to change my timeout settings on the PA to a Bluecoat-conformant value. Where do I have to change the timeout setting?
On session timeouts (and which value)
Or on application settings
Greetings from Germany
Both will work.
You can override the default timeout for ALL Applications (1st window)
and/or for a specific Application (2nd window)
Keep in mind that the first window you have displayed is a global change and will affect all sessions. The change will override the default timeout for ALL Applications.
The second window displayed is for a particular application. The change would apply to a specific Application. So it would be important to know if you want to change it globally or just for a particular application.
Let us know if this helps.
My question was a little bit imprecise. I know the differences between application and timeout settings. My intention is more: which value in the timeout settings do I have to change? Discard TCP or TCP or TCP wait? The PA help is very futile and says "Specify timeouts in seconds for each of the categories. Ranges and defaults are listed." Nice.
I changed all TCP settings to 900s (except TCP itself) and in application I changed it to 900s too. But it doesn't work.
I still have the "non-syn-tcp" application.
In my session browser, the session timeout is still shown as 30s.
If you are getting non-syn-tcp, then the TCP handshake is not happening properly, and you may be seeing an ACK for a packet which had no SYN.
You can run the "set session tcp-reject-non-syn no" command from the operational mode. This will allow non-SYN traffic in your environment. However, if you want this setting to be permanent, you would need to run the "set deviceconfig setting session tcp-reject-non-syn" command from the configuration mode. Usually this is not recommended unless you have a specific problem in your environment, e.g. asymmetric routing.
As far as the session timeout goes, there are a few more timers which you can see under "show session info":
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP session timeout after FIN/RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
Let us know if this helps.
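Added example (not part of the original replies and not Palo Alto code): a small Python parser for the timer lines of "show session info" as quoted in the reply above, which lists every timer whose value equals a timeout seen in the session browser, such as the 30s mentioned in the thread. The sample text is copied from that reply; the function names are hypothetical.

```python
import re

# Timer lines as quoted in the reply above (sample input, not live device output).
SAMPLE = """\
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP session timeout after FIN/RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
"""

# One "name: N secs" pair; names never contain ',' or ':' in this output.
_PAIR = re.compile(r"(?P<name>[^,:]+):\s*(?P<secs>\d+)\s*secs")


def parse_timers(text):
    """Return {timer name: seconds} from 'show session info' timer lines."""
    timers = {}
    group = None  # heading such as 'Session timeout in discard state'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            # Heading without a value: it qualifies the pairs on the next line.
            group = line[:-1]
            continue
        for m in _PAIR.finditer(line):
            name = m.group("name").strip()
            if group:
                name = f"{group} / {name}"
            timers[name] = int(m.group("secs"))
        group = None
    return timers


def timers_matching(timers, observed_secs):
    """Names of all timers equal to a timeout observed on a session."""
    return sorted(n for n, s in timers.items() if s == observed_secs)


if __name__ == "__main__":
    for name in timers_matching(parse_timers(SAMPLE), 30):
        print(name)
```

Several timers share the value 30 in this output, so the number alone does not identify which one a given session is using; the session's protocol and state are needed to narrow it down.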
Did this finally get resolved? If yes, what settings were modified? I am facing similar issues and it's kinda urgent, if someone can respond back pls.
Users----Bluecoat Child------Palo Alto (FW)-----Parent Bluecoat
Having intermittent disconnects.