06-04-2021 06:25 AM - edited 06-04-2021 06:57 AM
I have a question about the mechanism of TCP session timeout on a PA FW. Assuming that the default TCP timeout on the PA device is 3600 seconds, what happens after a TCP session has been idle for 3600 seconds? Does the FW send a TCP RST to each endpoint? Or does it just delete the session from its session table? And in that case, if a new packet is sent from either endpoint, is it dropped by the FW?
To give some context, we are currently trying to troubleshoot some kind of disconnection issue related to one particular custom-built application. This is a common 2-tier application (client / server) that relies on a TCP session on a dedicated listening port. Users complain that after some period of inactivity (let's say after 2 hours or even more) the application crashes (there is a common message "connection failure..."). In my mind, since the FW TCP timeout is set to 3600 seconds, if the application session is open for more than 1 hour without any activity the FW will close the connection.
I also performed a packet capture on the FW, and what I notice is that a TCP (FIN,ACK) is sent by the client to the server over 8000 seconds after the last packet in this particular session... And I see it at the receive stage as well as at the transmit stage. So I am a little bit confused.
06-04-2021 07:10 AM
The firewall will treat a TCP session where no packet was sent for 1h as dead (and will not send a packet to the client or server). If one of the participants (client, server) sends a packet, it will not be allowed (no established session).
With application override you could increase the timeout. If the issue still persists, chances are high it is not related to the firewall.
06-04-2021 08:30 AM
If you have already installed PAN-OS 9.1.x you can simply create a service object to increase the TCP timeout for that connection (doing this with an application override policy is no longer required).
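To make the behaviour described in the two replies above concrete, here is an added model (not Palo Alto code, and not from anyone in this thread) of a stateful firewall's TCP session table with an idle timeout. It encodes exactly what the replies say: an idle session is aged out silently with no RST sent to either endpoint, and a later mid-stream packet on that 5-tuple is dropped because no established session matches it. The replay reproduces the original poster's scenario (a FIN,ACK arriving roughly 8000 seconds after the last packet), then shows the two ways out: raising the timeout as a service object or application override would, and, going one step beyond the thread, having the application send periodic keepalives. The 3600-second default comes from the thread; the IP addresses, port 8000, the 1800-second keepalive interval and the 28800-second raised timeout are constructed sample values.

```python
"""
Toy model of a stateful firewall's TCP session table with an idle timeout.

Added illustration; not PAN-OS code. Assumptions: sessions are keyed on the
5-tuple in either direction, a fresh SYN creates a session, and an expired
session is simply deleted (the firewall originates no packet of its own).
All addresses, ports and timestamps below are constructed sample data.
"""
from dataclasses import dataclass, field

DEFAULT_TCP_TIMEOUT = 3600  # seconds; the PAN-OS default assumed in the thread


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        """Direction-independent session key so server->client replies match."""
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))


@dataclass(frozen=True)
class Packet:
    t: float      # seconds since start of capture
    flow: Flow
    flags: str    # TCP flags, e.g. "S", "SA", "A", "PA", "FA"


@dataclass
class SessionTable:
    tcp_timeout: float = DEFAULT_TCP_TIMEOUT
    sessions: dict = field(default_factory=dict)  # key -> last-seen time

    def _age_out(self, now):
        # Ageing is silent: the entry is deleted, no RST goes to either side.
        for k in [k for k, last in self.sessions.items() if now - last > self.tcp_timeout]:
            del self.sessions[k]

    def handle(self, pkt):
        """Return the verdict ("ALLOW"/"DROP") for one packet."""
        self._age_out(pkt.t)
        k = pkt.flow.key()
        if k in self.sessions:
            self.sessions[k] = pkt.t       # any packet refreshes the idle timer
            return "ALLOW"
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.sessions[k] = pkt.t       # a new SYN installs a session
            return "ALLOW"
        return "DROP"                      # mid-stream packet, no session: dropped


def replay(packets, tcp_timeout=DEFAULT_TCP_TIMEOUT):
    """Run packets (in time order) through a fresh table; return the verdicts."""
    table = SessionTable(tcp_timeout=tcp_timeout)
    return [table.handle(p) for p in sorted(packets, key=lambda p: p.t)]


def scenario(gap, keepalive_every=None):
    """Constructed capture: handshake at t=0, one data exchange at t=1,
    then `gap` seconds of silence (optionally broken by application-level
    keepalives every `keepalive_every` seconds), then the client's FIN,ACK."""
    c2s = Flow("10.1.1.10", 51000, "10.2.2.20", 8000)
    s2c = Flow("10.2.2.20", 8000, "10.1.1.10", 51000)
    pkts = [Packet(0.00, c2s, "S"), Packet(0.01, s2c, "SA"), Packet(0.02, c2s, "A"),
            Packet(1.00, c2s, "PA"), Packet(1.05, s2c, "A")]
    if keepalive_every:
        t = keepalive_every
        while t < gap:
            pkts += [Packet(1 + t, c2s, "A"), Packet(1.05 + t, s2c, "A")]
            t += keepalive_every
    pkts.append(Packet(1 + gap, c2s, "FA"))  # the late FIN,ACK from the capture
    return pkts


if __name__ == "__main__":
    gap = 8000  # roughly what the original poster observed
    print("default 3600s timeout :", replay(scenario(gap))[-1])                     # DROP
    print("timeout raised to 28800s:", replay(scenario(gap), tcp_timeout=28800)[-1])  # ALLOW
    print("app keepalive every 1800s:", replay(scenario(gap, keepalive_every=1800))[-1])  # ALLOW
```

The model makes the troubleshooting point visible: the capture shows the FIN,ACK at the receive stage because the firewall still receives it, but with no matching session the packet is dropped rather than answered with a RST, so the application only learns about the dead connection when its own timer or a later send fails. Either raising the firewall's timeout for that service above the application's longest idle period, or having the application keep the session busy at an interval shorter than the timeout, keeps the entry alive.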
07-28-2022 04:25 AM
The documentation says that the firewall will close a connection, which I take to mean it will send a TCP RST. The reply above says it will start dropping packets. Am I reading too much into the documentation?