This time of 5 seconds might be given to allow the session to close 'normally'. A segment sent by a TCP 'peer' (say Host A) with the FIN bit set indicates closing of a connection in one direction only. The other end (Host B), which receives the segment, acknowledges this segment. Now the session is closed in one direction only. No more data can flow from Host A to Host B (except acknowledgement packets). However, data can continue to flow in the other direction, from Host B to Host A, till Host B too decides that it would like to close the session to A. That is when B sends a segment with the FIN bit set to Host A. It is only now that TCP deletes its record of the connection.
I guess, on receiving a FIN segment, the firewall expects the session to be closed in the other direction too. What it might be doing is to give 5 secs for the process to be over, after which it forces the record to be cleared. I feel this does make sense from the security point of view, where sufficient time is given for normal termination of the connection, after which the connection is cleared anyway.
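The half-close behaviour and the firewall's forced clean-up described above, as an added example that is not part of the original post or of any firewall vendor's code. It models a stateful firewall's connection table: a record is created on SYN, a FIN from one side marks the record half-closed but still lets data flow the other way, a second FIN deletes the record, and a record that stays half-closed longer than the timeout is force-cleared. The 5-second value, the endpoint names A/B, and the choice not to reset the timer on later traffic are assumptions made for this model.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Half-closed timeout: the 5 seconds discussed in the post (assumed value for this model).
HALF_CLOSED_TIMEOUT = 5.0


@dataclass
class Segment:
    """Constructed TCP segment summary: arrival time plus the flags that matter here."""
    t: float
    src: str
    dst: str
    syn: bool = False
    fin: bool = False
    payload: int = 0  # bytes of application data carried


@dataclass
class ConnState:
    """The firewall's record of one connection."""
    fin_from: Set[str] = field(default_factory=set)  # endpoints that have already sent FIN
    half_closed_at: Optional[float] = None           # time of the first FIN


class ConnTracker:
    def __init__(self, half_closed_timeout: float = HALF_CLOSED_TIMEOUT):
        self.timeout = half_closed_timeout
        self.table: Dict[FrozenSet[str], ConnState] = {}

    @staticmethod
    def _key(seg: Segment) -> FrozenSet[str]:
        # Direction-independent key so both halves of the conversation share one record.
        return frozenset((seg.src, seg.dst))

    def expire(self, now: float) -> List[FrozenSet[str]]:
        """Force-clear records that have sat half-closed for at least the timeout."""
        stale = [k for k, st in self.table.items()
                 if st.half_closed_at is not None and now - st.half_closed_at >= self.timeout]
        for k in stale:
            del self.table[k]
        return stale

    def process(self, seg: Segment) -> str:
        """Apply one segment to the table and return the forwarding decision."""
        self.expire(seg.t)
        key = self._key(seg)
        st = self.table.get(key)
        if st is None:
            if seg.syn:
                self.table[key] = ConnState()
                return "forward: new connection"
            return "drop: no state for this connection"
        if seg.payload and seg.src in st.fin_from:
            # The FIN sender promised no more data; only ACKs may still come from it.
            return f"drop: data after FIN from {seg.src}"
        if seg.fin:
            st.fin_from.add(seg.src)
            if len(st.fin_from) == 2:
                del self.table[key]
                return "forward: closed in both directions, record deleted"
            st.half_closed_at = seg.t
            return f"forward: half-closed, waiting for FIN from {seg.dst}"
        return "forward"

    def active(self) -> int:
        return len(self.table)


def run_scenario(segments: List[Segment],
                 timeout: float = HALF_CLOSED_TIMEOUT) -> Tuple[List[Tuple[float, str]], int]:
    """Feed a constructed segment sequence through a fresh tracker."""
    fw = ConnTracker(timeout)
    return [(seg.t, fw.process(seg)) for seg in segments], fw.active()


# Constructed scenario 1: orderly close, B finishes sending before it sends its own FIN.
NORMAL_CLOSE = [
    Segment(0.0, "A", "B", syn=True),
    Segment(0.1, "B", "A", syn=True),      # SYN/ACK; only the SYN bit is modelled
    Segment(1.0, "A", "B", payload=50),
    Segment(2.0, "A", "B", fin=True),      # A closes its direction
    Segment(3.0, "B", "A", payload=100),   # B may still send data
    Segment(3.5, "A", "B", payload=10),    # A must not send data any more
    Segment(4.0, "A", "B"),                # pure ACK from A is fine
    Segment(6.0, "B", "A", fin=True),      # 4 s after half-close: within the window
]

# Constructed scenario 2: B never sends its FIN; the record is force-cleared after 5 s.
STALE_HALF_CLOSE = [
    Segment(0.0, "A", "B", syn=True),
    Segment(1.0, "A", "B", fin=True),
    Segment(3.0, "B", "A", payload=100),   # still inside the window
    Segment(7.0, "B", "A", payload=100),   # 6 s after half-close: record already gone
]

if __name__ == "__main__":
    for name, scenario in (("normal close", NORMAL_CLOSE), ("stale half-close", STALE_HALF_CLOSE)):
        decisions, remaining = run_scenario(scenario)
        print(f"== {name} (records left: {remaining})")
        for t, decision in decisions:
            print(f"  t={t:4.1f}  {decision}")
```

The detection value of the model is in the two drop reasons: data arriving from a side that has already sent FIN, and traffic for a connection whose half-closed record has timed out, both of which a stateful firewall reports as state-table misses rather than silently forwarding.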