This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FW dropping ACK, RST/ACK & FIN/ACK packets though packets are from valid sessions

Does the ASG function in this manner?

When the firewall receives a TCP RST for an existing session it immediately clears the session from the session table. This means there is no longer a valid session for the TCP RST/ACK to pass through. Hence, the firewall will treat the TCP RST/ACK as a non-SYN first packet and drop it.

Thanks,

Jim

This thread was automatically locked due to age.

Parents

0 William Warren over 15 years ago

is the Astaro not obeying the http keep alive then?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 William Warren over 15 years ago

is the Astaro not obeying the http keep alive then?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BarryG over 15 years ago in reply to William Warren

is the Astaro not obeying the http keep alive then?

I would assume that ANY tcp traffic on the session would renew the expiration timers on Astaro.

I'm guessing the real problem lies somewhere in the values below:

Web Servers (CentOS and Ubuntu):
$ cat /proc/sys/net/ipv4/tcp_keepalive_time
7200

Astaro 7.306:
# cd /proc/sys/net/ipv4/netfilter
# cat ip_conntrack_tcp_timeout_close
10
# cat ip_conntrack_tcp_timeout_close_wait
60
# cat ip_conntrack_tcp_timeout_established
432000
# cat ip_conntrack_tcp_timeout_fin_wait
120
# cat ip_conntrack_tcp_timeout_last_ack
30
# cat ip_conntrack_tcp_timeout_max_retrans
300
# cat ip_conntrack_tcp_timeout_syn_recv
60
# cat ip_conntrack_tcp_timeout_syn_sent
120
# cat ip_conntrack_tcp_timeout_time_wait
120

but I'm not sure which of these values would need to be modified, or if I'm barking up the wrong tree; 432000 > 7200.

Barry
Cancel
Vote Up 0 Vote Down

Cancel