
Default TTL & RST Logging Reduction

All-


I encountered a Windows 7 32-bit PC on the network generating an excessive number of firewall RST log entries. Other devices did not exhibit the same behavior. The actual cause was the Windows default TTL being at 128. After changing the value to 64, the excessive RST logging disappeared. Other devices on the network have the TTL set at 64. One point to keep in mind: this will not entirely eliminate RST logging, but it has certainly reduced the number of RST entries. I hope this information helps others who have experienced this issue. The link below shows the default TTL values of various operating systems. My thinking is based on information contained in the second link below. Conntrack will maintain an open connection using a value of 120 ("ip_conntrack_tcp_timeout_fin_wait" => 120). Windows uses a default of 128, exceeding the 120 value. While I could be off base, there is a definite reduction in the number of RST packets logged.

https://subinsb.com/default-device-ttl-values

https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/84714/traffic-from-ec2-54-251-46-51-ap-southeast-1-compute-amazonaws-com


Thanks,

Jim
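The TTL change the post describes, written out as an added PowerShell example (this is not code from the original post or from Sophos). It reads the effective default IPv4 TTL with `netsh`, sets it persistently through the `DefaultTTL` registry value and applies it immediately, and prints the value before and after so the change can be correlated with RST log counts. It assumes an elevated session on an English-locale Windows host (the `Default Hop Limit` string it matches is locale-dependent). Note that the hop limit is a per-router hop count, while conntrack's `fin_wait` timeout is in seconds, so the only reliable check is comparing firewall RST log volume before and after the change.

```powershell
# Added example, not from the original post: inspect and change the Windows
# default IPv4 TTL (hop limit). Run from an elevated PowerShell session.
# Assumption: English-locale netsh output and the built-in Tcpip stack.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DefaultTtl {
    # netsh reports the effective value as "Default Hop Limit"
    $line = netsh interface ipv4 show global | Select-String 'Default Hop Limit'
    if ($line -and $line.Line -match '(\d+)') { [int]$Matches[1] } else { $null }
}

function Set-DefaultTtl {
    param([ValidateRange(1, 255)][int]$Ttl)
    # Persistent value read by the TCP/IP stack at boot
    Set-ItemProperty -Path $regPath -Name 'DefaultTTL' -Value $Ttl -Type DWord
    # Apply to the running stack without a reboot
    netsh interface ipv4 set global defaultcurhoplimit=$Ttl | Out-Null
}

$before = Get-DefaultTtl
Write-Host "Default TTL before: $before"

# Match the rest of the network, as in the post
Set-DefaultTtl -Ttl 64
Write-Host "Default TTL after:  $(Get-DefaultTtl)"

# To roll back, either set the previous value again or remove the registry
# override so the stack falls back to its built-in default:
#   Set-DefaultTtl -Ttl $before
#   Remove-ItemProperty -Path $regPath -Name 'DefaultTTL'
```

Record the firewall's RST log count for the host over the same window before and after running this, since a reduction in logged RST packets, not the TTL value itself, is the observable the post relies on.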


