TCP session timeout behaviour

cancel
Showing results for 
Search instead for 
Did you mean: 

TCP session timeout behaviour

L3 Networker

Hello,

 

I have a question about the mechanism of TCP session timeout on PA FW. Assuming that default TCP timeout on PA device is 3600 seconds. What happen after a TCP session is idle after 3600 seconds ? Does the FW send TCP RST at each endpoints ? Or does it just delete the session from its sessions table ? And in this case if a new packet is sent from either endpoint, is it dropped by the FW ?

 

To specify the context, we are currently trying to troubleshoot some kind of disconnection issues related to one particular custom-built application. This is a common 2-tier application (Client / Server) that relies on TCP session on a dedicated listening port. Users complain that after some delay of inactivity (let's say after 2 hours or even more) the application crashes (there is a common message "connection failure..."). In my mind, since the FW TCP timeout is set to 3600 seconds, if the application session is open for more than 1 hour without any activity it will close the connection.

 

Also I performed a Packet Capture on the FW and what I notice is that a TCP (FIN,ACK) is sent by the client to the server over 8000 seconds after the last packet in this particular session... And I see it at the receive stage as well as at the transmit stage. So am I a little bit confused.

2 REPLIES 2

L4 Transporter

Hello

The firewall will treat a TCP session where no packet was sent for 1h as dead (and not sending a packet to client or server). If one of the participants (client, server) send a packet, it will not be allowed (no established session).

With application override you could increase the timeout. If the issue still persist, changes are high it is not related to the firewall.

JoergSchuetter_0-1622815698777.png

 

JoergSchuetter_1-1622815709895.png

 

@Laurent_Dormond 

If you have already installed pan-os 9.1.x you can simply create a service object to increase the tcp timeout for that connection. (Doing this with an application override policy is no longer required)

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!