3295 Views, 0 Helpful, 3 Replies

In the PIX firewall, what is the half-closed TCP timeout?

syves
Level 1

What is considered a half-closed connection?

I have a PIX where I had to set the conn and half-closed timeouts to never time out, because I have users connecting with SAP GUI, which creates one connection and then keeps the sessions internal to that connection, so they can stay logged in for the full day.

It is causing a problem with printer connections not timing out when the PIX does not receive the FIN from the print server for one reason or another. The connection stays open, but the server thinks that the connection has been closed and tries to connect to the print server via the same port, and the PIX does not create a connection because it still sees one open connection. Once I clear the xlate for this host, I can see that the connection has been open for 24 hours.

I need to configure the timeout value without disconnecting my online SAP GUI users.

Thanks in advance

3 Replies

gfullage
Cisco Employee

A half-closed session is one where the PIX has seen a FIN in one direction but not the other, for whatever reason. The PIX will time out the connection after the timeout period without waiting for the other FIN.

Not sure what you can do here though, there's no way to change this timeout for some hosts and not others. You probably want to look more at why your print servers aren't sending a FIN (or the PIX isn't seeing it).

Thank you for your response.

I'm dealing with a client that has a very complex network. I need to experiment with the timeout settings to see if I can set them to a time long enough not to affect the SAP GUI users and short enough to clear the potential printer problem.

You may be able to help with the following.

If I do a show conn on the PIX I get the following response.

Can you tell me what UIOB stands for? I have not found the description in the doco.

Thanks

Yves

# sh conn
3487 in use, 3671 most used
TCP out 203.16.40.7:8080 in 150.173.247.9:4640 idle 665:49:35 Bytes 0 flags U
TCP out 210.9.191.178:57505 in 150.173.241.50:3299 idle 0:17:08 Bytes 25889 flags UIOB
TCP out 128.250.233.2:55543 in 150.173.241.50:3299 idle 0:09:19 Bytes 33560 flags UIOB
TCP out 203.4.161.99:1044 in 150.173.242.140:5055 idle 0:12:43 Bytes 3181 flags UIOB
TCP out 203.16.40.75:2404 in 150.173.254.9:23 idle 342:06:10 Bytes 149698 flags UIOB
TCP out 10.30.68.45:23 in 150.173.234.85:1029 idle 1018:02:36 Bytes 8216 flags UIO
TCP out 100.6.1.23:3200 in 150.173.100.45:1234 idle 401:54:01 Bytes 186915 flags UIO
TCP out 144.134.167.126:1214 in 150.173.234.201:1220 idle 499:50:37 Bytes 83836 flags UfIO

There was an earlier posting regarding these flags.

Connection Flags

+------+-----------------------------------+
| Flag | Description                       |
+------+-----------------------------------+
| U    | up                                |
| f    | inside FIN                        |
| F    | outside FIN                       |
| r    | inside acknowledged FIN           |
| R    | outside acknowledged FIN          |
| s    | awaiting outside SYN              |
| S    | awaiting inside SYN               |
| M    | SMTP data                         |
| H    | HTTP get (not used)               |
|      | SKINNY (not used)                 |
| I    | inbound data                      |
| O    | outbound data                     |
| q    | SQL*Net data                      |
| n    | nailed connection (not supported) |
| d    | dump                              |
| P    | inside back connection            |
| E    | outside back connection           |
| G    | group                             |
| p    | replicated (unused)               |
| a    | awaiting outside ACK to SYN       |
| A    | awaiting inside ACK to SYN        |
| B    | initial SYN from outside          |
| R    | RPC                               |
| H    | H.323                             |
| T    | SIP connection                    |
| m    | SIP media connection              |
| t    | SIP transient state               |
| D    | DNS                               |
+------+-----------------------------------+

Hope this helps,

-Nairi
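An added example (my own, not code from this thread or from Cisco) that parses lines in the layout of the show conn output quoted above, decodes the flag letters using the table, and picks out half-closed connections (a FIN seen in one direction only, per gfullage's definition) and connections idle longer than a threshold. The sample lines and the 24-hour threshold are constructed for the example.

```python
import re
from dataclasses import dataclass

# Flag letters and meanings copied from the connection-flag table above.
FLAG_MEANINGS = {
    "U": "up", "f": "inside FIN", "F": "outside FIN", "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN", "s": "awaiting outside SYN", "S": "awaiting inside SYN",
    "I": "inbound data", "O": "outbound data", "B": "initial SYN from outside",
    "a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
}

# Constructed sample in the same layout as the "show conn" output quoted above.
SAMPLE = """\
3487 in use, 3671 most used
TCP out 203.16.40.7:8080 in 150.173.247.9:4640 idle 665:49:35 Bytes 0 flags U
TCP out 210.9.191.178:57505 in 150.173.241.50:3299 idle 0:17:08 Bytes 25889 flags UIOB
TCP out 144.134.167.126:1214 in 150.173.234.201:1220 idle 499:50:37 Bytes 83836 flags UfIO
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_addr>[\d.]+:\d+) in (?P<in_addr>[\d.]+:\d+) "
    r"idle (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) Bytes (?P<bytes>\d+) flags (?P<flags>\S+)$"
)

@dataclass
class Conn:
    proto: str
    outside: str
    inside: str
    idle_seconds: int
    bytes: int
    flags: str

    def half_closed(self) -> bool:
        # FIN seen on one side only: 'f' = inside FIN, 'F' = outside FIN (per the table).
        return ("f" in self.flags) != ("F" in self.flags)

    def describe(self) -> list:
        return [FLAG_MEANINGS.get(c, "unknown flag " + c) for c in self.flags]

def parse_show_conn(text: str) -> list:
    """Parse per-connection lines; the 'N in use' summary and unrecognised lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            idle = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            conns.append(Conn(m["proto"], m["out_addr"], m["in_addr"], idle, int(m["bytes"]), m["flags"]))
    return conns

def stale_connections(conns: list, max_idle_seconds: int) -> list:
    # Connections idle longer than the threshold: what a finite 'timeout conn' would normally reap.
    return [c for c in conns if c.idle_seconds > max_idle_seconds]
```

Running stale_connections(parse_show_conn(SAMPLE), 24 * 3600) on the sample returns the two connections idle for hundreds of hours, the kind that only a cleared xlate removes once the timeouts are set to never.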
