Cisco Support Community

New Member

In the PIX firewall what is the half-closed TCP time out,

What is considered a half-closed connection?

I have a PIX on which I had to set the timeouts for conn and half-closed to never time out, because I have users connecting using SAP GUI, which creates one connection and then the sessions are internal to the connection, so they can be logged in for the full day.

It is causing a problem with printer connections not timing out when the PIX does not receive the FIN from the print server for one reason or another. The connection stays open, but the servers think that the connection has been closed and try to connect to the print server via the same port, and the PIX does not create a connection as it still sees one open connection. Once I clear the xlate for this host, I can see that the connection has been open for 24 hours.

I need to configure the timeout value without disconnecting my online SAP GUI users.

Thanks in advance

Cisco Employee

Re: In the PIX firewall what is the half-closed TCP time out,

A half-closed session is one where the PIX has seen a FIN in one direction but not the other for whatever reason. The PIX will timeout the connection in the timeout period without waiting for the other FIN.

Not sure what you can do here though, there's no way to change this timeout for some hosts and not others. You probably want to look more at why your print servers aren't sending a FIN (or the PIX isn't seeing it).

New Member

Re: In the PIX firewall what is the half-closed TCP time out,

Thank you for your response.

I'm dealing with a client that has a very complex network. I need to experiment with the timeout settings to see if I can set them to a time long enough not to affect the SAP GUI users and short enough to clear the potential printer problem.

You may be able to help with the following.

If I do a show conn on the PIX I get the following response.

Can you tell me what UIOB stands for? I have not found the description in the doco.



```
# sh conn
3487 in use, 3671 most used
TCP out in idle 665:49:35 Bytes 0 flags U
TCP out in idle 0:17:08 Bytes 25889 flags UIOB
TCP out in idle 0:09:19 Bytes 33560 flags UIOB
TCP out in idle 0:12:43 Bytes 3181 flags UIOB
TCP out in idle 342:06:10 Bytes 149698 flags UIOB
TCP out in idle 1018:02:36 Bytes 8216 flags UIO
TCP out in idle 401:54:01 Bytes 186915 flags UIO
TCP out in idle 499:50:37 Bytes 83836 flags UfIO
```

Cisco Employee

Re: In the PIX firewall what is the half-closed TCP time out,

There was an earlier posting regarding these flags.

Connection Flags


| Flag | Description |
|------|-------------|
| U | up |
| f | inside FIN |
| F | outside FIN |
| r | inside acknowledged FIN |
| R | outside acknowledged FIN |
| s | awaiting outside SYN |
| S | awaiting inside SYN |
| M | SMTP data |
| H | HTTP get (not used) |
| | SKINNY (not used) |
| I | inbound data |
| O | outbound data |
| q | SQL*Net data |
| n | nailed connection (not supported) |
| d | dump |
| P | inside back connection |
| E | outside back connection |
| G | group |
| p | replicated (unused) |
| a | awaiting outside ACK to SYN |
| A | awaiting inside ACK to SYN |
| B | initial SYN from outside |
| R | RPC |
| H | H.323 |
| T | SIP connection |
| m | SIP media connection |
| t | SIP transient state |
| D | DNS |


Hope this helps,
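An added example (not part of the thread, and not Cisco code): a small Python parser for `sh conn` lines like those posted above. It decodes the flags using the table in the reply and separates half-closed connections (a FIN from one side only, `f` or `F`) from fully open ones that have sat idle past a threshold. The 24-hour threshold and all function names are assumptions; the sample lines are copied from the thread.

```python
import re

# Subset of the flag table quoted in the thread (only the flags seen in the sample).
FLAGS = {"U": "up", "f": "inside FIN", "F": "outside FIN",
         "I": "inbound data", "O": "outbound data",
         "B": "initial SYN from outside"}

# Matches the tail of a `sh conn` line; any address fields before "idle" are ignored.
LINE_RE = re.compile(r"idle (\d+):(\d{2}):(\d{2}) Bytes (\d+) flags (\S+)")

# Lines copied from the output posted in the thread (addresses are absent there too).
SAMPLE = """\
3487 in use, 3671 most used
TCP out in idle 665:49:35 Bytes 0 flags U
TCP out in idle 0:17:08 Bytes 25889 flags UIOB
TCP out in idle 1018:02:36 Bytes 8216 flags UIO
TCP out in idle 499:50:37 Bytes 83836 flags UfIO
"""

def parse_conn(line):
    """Return a dict for one connection line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    h, mi, s, nbytes, flags = m.groups()
    return {
        "idle_s": int(h) * 3600 + int(mi) * 60 + int(s),
        "bytes": int(nbytes),
        "flags": flags,
        "decoded": [FLAGS.get(c, "?") for c in flags],
        # Half-closed: a FIN seen from exactly one side (f xor F).
        "half_closed": ("f" in flags) != ("F" in flags),
    }

def review(text, max_idle_s=24 * 3600):  # threshold is an assumption
    """Return (half_closed, stale); stale = not half-closed but idle past the threshold."""
    conns = [c for c in map(parse_conn, text.splitlines()) if c]
    half = [c for c in conns if c["half_closed"]]
    stale = [c for c in conns if not c["half_closed"] and c["idle_s"] > max_idle_s]
    return half, stale

if __name__ == "__main__":
    half, stale = review(SAMPLE)
    for c in half:
        print("half-closed", c["flags"], c["idle_s"] // 3600, "h idle", c["decoded"])
    for c in stale:
        print("stale      ", c["flags"], c["idle_s"] // 3600, "h idle", c["bytes"], "bytes")
```

Run against saved `sh conn` output, this shows which entries the half-closed timer applies to and which are governed by the conn timeout instead.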

