Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
225
Views
0
Helpful
2
Replies

TCP timeout of 1 hour before can be reconnected (using same ip/port pairs)

s.yeong
Level 1
Level 1

‎11-18-2002 02:02 AM - edited ‎03-09-2019 01:05 AM

The TCP server and client is separated by a PIX firewall. When TCP client is physically disconnected and then reconnected after 30 minutes (TCP client software will re-try every 20secs if reconnection failed again, using same IP/port), it will be connected sucessfully only about an hour later.

Checked on the server and client systems that the TCP state transition is functioning correctly (i.e. no CLOSE_WAIT or FIN_WAIT on the server and client system). The SYN request from the client did reach the firewall LAN.

Check on the PIX firewall using "show conn" and the flag always shows "U" i.e UP irregardless whether there's TCP connection or not. Is this the correct command to use to check active connection?

Will appreciate if anyone has any idea what could be the possible cause for above problem in relation to PIX firewall.

Thanks in advance.

Labels:
0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎11-19-2002 08:23 PM

Are you saying that after you disconnect the client, then reconnect it a while later, it takes about an hour for the connection to be successful?

If the client sends out a new SYN packet with the same port numbers (and the same sequence numbers?), but the PIX already has an UP conection for this, I would imagine the PIX probably drops the packet. It will continue to do this until the TCP connection in the PIX times out, then a new one will be built when it sees the SYN packet again. You could verify this by looking at the syslog, you'll see messages that describe exactly what's going on.

0 Helpful

s.yeong
Level 1
Level 1
In response to gfullage

‎11-19-2002 08:54 PM

>>Are you saying that after you disconnect the client, then reconnect it a while >>later, it takes about an hour for the connection to be successful?

Yes.

>>If the client sends out a new SYN packet with the same port numbers (and >>the same sequence numbers?), but the PIX already has an UP conection

Yes. Same port number and seq number. And the PIX still hv the UP connection.

>>for this, I would imagine the PIX probably drops the packet. It will continue >>to do this until the TCP connection in the PIX times out, then a new one will >>be built when it sees the SYN packet again. You could verify this by looking >>at the syslog, you'll see messages that describe exactly what's going on.

The PIX is not under my control ....so can't easily check the syslog. But I agree with what you suspect. Believe "timeout conn" shall solve my problem then (found that the default connection timeout is 1 hour).

Thanks a lot for your help!.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents