How Does a Palo Alto Networks Device Handle TCP Half-Close Connections?
Resolution
A TCP half-close occurs when one side (server or client) sends a FIN because it has finished sending data, while the other side has not finished and continues to send. As soon as the Palo Alto Networks firewall sees the FIN from either side, the session goes into TCP-WAIT mode, which resets the session time-to-live to 30 seconds. The session remains in the ACTIVE state for those 30 seconds and is closed afterwards. Any further data sent by the other side after the 30 seconds have elapsed is discarded, which can cause the application to fail.
If applications that use half-close connections are failing because of this behavior, the tcp-wait timer can be increased:
- Web UI
  - Go to Device > Setup > Session
  - Edit the Session Timeouts section
  - Edit the value for "TCP wait"
- CLI
  - # set deviceconfig setting session timeout-tcpwait <time-in-seconds>
Use this setting with caution: a longer tcp-wait timer keeps half-closed sessions open longer, so they occupy session table entries for longer and overall session table usage increases.
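The following added example (not code from the article or from Palo Alto Networks) illustrates both parts of the page: the first function performs a real TCP half-close on the loopback interface, where the client sends its FIN with shutdown(SHUT_WR) and the server keeps sending afterwards; the second part is a deliberately simplified, hypothetical model of the firewall behavior described above, in which a FIN resets the session's remaining lifetime to the tcp-wait value and data arriving after that lifetime has expired is discarded. The session identifier "s1", the timeline of events and the 90-second alternative timer are constructed for the example.

```python
import socket
import threading


def run_half_close_demo(messages_after_fin=3):
    """Client sends a request, then half-closes (FIN via SHUT_WR).
    The server reads until EOF and only then sends its data, so all of
    it travels after the client's FIN.  Returns what the client received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # loopback, ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]

    def server():
        conn, _ = listener.accept()
        with conn:
            while conn.recv(1024):         # read until the client's FIN (EOF)
                pass
            for i in range(messages_after_fin):   # client is done, we are not
                conn.sendall(f"chunk-{i}\n".encode())
            # leaving the block closes conn, which sends the server's FIN

    t = threading.Thread(target=server)
    t.start()

    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(b"GET /report\n")
    client.shutdown(socket.SHUT_WR)        # FIN: nothing more to send, still reading
    received = b""
    while True:
        data = client.recv(1024)
        if not data:                       # server's FIN
            break
        received += data
    client.close()
    t.join()
    listener.close()
    return received.decode().splitlines()


class HalfCloseTracker:
    """Hypothetical, simplified model of the tcp-wait handling described in
    the article; it is not PAN-OS code.  Seeing a FIN resets a session's
    remaining lifetime to tcp_wait seconds; data after expiry is discarded."""

    def __init__(self, tcp_wait=30):
        self.tcp_wait = tcp_wait
        self.expiry = {}       # session id -> absolute expiry time after a FIN
        self.closed = set()    # sessions that have aged out

    def on_fin(self, sid, now):
        self.expiry[sid] = now + self.tcp_wait

    def on_data(self, sid, now):
        if sid in self.closed:
            return "discarded"
        exp = self.expiry.get(sid)
        if exp is not None and now > exp:
            self.closed.add(sid)           # session aged out of the table
            del self.expiry[sid]
            return "discarded"
        return "forwarded"

    def is_open(self, sid, now):
        """True while the session still occupies a session table entry."""
        if sid in self.closed:
            return False
        exp = self.expiry.get(sid)
        return exp is None or now <= exp


# Constructed timeline: one side half-closes at t=0 (seconds), the other
# side keeps sending at t=10, t=45 and t=70.
EVENTS = [(0, "FIN", "s1"), (10, "DATA", "s1"), (45, "DATA", "s1"), (70, "DATA", "s1")]


def replay(tcp_wait, events=EVENTS):
    """Run the timeline through a tracker; returns (tracker, [(t, verdict)])."""
    tracker = HalfCloseTracker(tcp_wait)
    verdicts = []
    for now, kind, sid in events:
        if kind == "FIN":
            tracker.on_fin(sid, now)
        else:
            verdicts.append((now, tracker.on_data(sid, now)))
    return tracker, verdicts


if __name__ == "__main__":
    print("received after client FIN:", run_half_close_demo())
    for timer in (30, 90):
        tracker, verdicts = replay(timer)
        print(f"tcp-wait={timer}s:", verdicts,
              "| entry still held at t=60:", tracker.is_open("s1", 60))
```

With the default 30-second timer the data at t=45 and t=70 is discarded, which is the application failure the article describes; with a 90-second timer all three sends are forwarded, but the session still holds a table entry at t=60, which is the cost the caution at the end of the article refers to.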
owner: sdurga