Solved: CSS TCP timeouts ?

nickyh_is · ‎05-15-2006

Hi, My PIX firewall has identfied that connection between a gateway and a VIP which is kept alive by 45 sec keepalives gets a connection timeout message after 8-9 hrs. This is because it suddenly see's the keepalives being sent from the real IP address (same port numbers) of an application server behind the CSS, not the VIP address. So my question is does the CSS have a address translation table which suddenly times out?

Many thanks

Nicky

Gilles Dufour · ‎05-15-2006

yes, the CSS has a tcp timeout of 8sec for HTTP and 16 sec otherwise.

A connection marked idle is not removed immediately so.

It will go in a list of resources that can be reused and when its turn comes, the CSS will delete the flow to reuse the resource.

So, in your case, it takes 8 hours to get out of the list.

There is a command to increase the timeout.

If this is a CSS11500, the command is 'flow-timeout-multiplier'. If you have an application keepalive of 45 sec, you should use a multiplier of 4 (=> 4 * 16 = 64 > 45).

Gilles.

View solution in original post

Gilles Dufour · ‎05-15-2006

yes, the CSS has a tcp timeout of 8sec for HTTP and 16 sec otherwise.

A connection marked idle is not removed immediately so.

It will go in a list of resources that can be reused and when its turn comes, the CSS will delete the flow to reuse the resource.

So, in your case, it takes 8 hours to get out of the list.

There is a command to increase the timeout.

If this is a CSS11500, the command is 'flow-timeout-multiplier'. If you have an application keepalive of 45 sec, you should use a multiplier of 4 (=> 4 * 16 = 64 > 45).

Gilles.

nickyh_is · ‎05-16-2006

Many thanks Giles, this sounds like it might be the answer, we are running software version 5.01 (old i know) Is it available in this version ? I cant find any configuration guides or command references ?

many thanks

Nicky

Gilles Dufour · ‎05-16-2006

if you are running 5.01, you have an old software and an old hardware. It's the CSS first generation.

The principle stays the same.

The solution is different.

You need to identify which port is being used by the server and change the idle timeout for all connections using this port.

On this device it is pert port and not per rule as in the CSS 2nd generation.

The command is 'flow port1 timeout '.

You can have maximum 10 commands like this.

The timeout is in seconds from 0-600.

In your case, you can configure 60 sec.

Regards,

Gilles.

nickyh_is · ‎05-17-2006

Thanks Giles, it looks like this command isnt available in the version. I have found a 'flow permanant port' command which I guess would stop the so called 'idle' connections getting removed but what implications does this have on the CSS if it cant reclaim the resources ? Also, what happens to flows that are legitimately torn down, will they get cleaned up or hog resources ?

thanks

Nicky

Gilles Dufour · ‎05-17-2006

Nicky,

the command I mentioned was introduced with version 6.10.

The flow permanent command is as you said to prevent a flow to be marked idle.

If the CSS sees the flow is terminated by either the client or the server, the CSS will still remove the flow.

So the problem is only if the connection gets established but the client or server never sends a FIN or RST.

So, this should not be a problem to use this command. You can monitor the status of the resources to make sure there is no *leak*. The command is 'flow stats' from llama mode.

Regards,

Gilles.