Palo Alto Networks Knowledgebase: What does TCP Session Timeout after FIN/RST mean?

What does TCP Session Timeout after FIN/RST mean?

10304
Created On 02/07/19 23:58 PM - Last Updated 02/07/19 23:59 PM
Mobile Network Infrastructure
Resolution

Overview

The "TCP session timeout after FIN/RST" for a Palo Alto Networks device is effectively the TIME-WAIT state duration value. The show session info command on the Palo Alto Networks device will display the value as shown:

> show session info

--------------------------------------------------------------------------------

Session timeout

  TCP default timeout:                           3600 secs

  TCP session timeout before SYN-ACK received:      5 secs

  TCP session timeout before 3-way handshaking:    10 secs

  TCP session timeout after FIN/RST:               30 secs   <<

  UDP default timeout:                             30 secs

  ICMP default timeout:                             6 secs

  other IP default timeout:                        30 secs

  Captive Portal session timeout:                  30 secs

  Session timeout in discard state:

    TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs

--------------------------------------------------------------------------------

Details

The endpoint that sends the first FIN goes into the TIME_WAIT state, as it is also the endpoint that sends the final ACK. This endpoint maintains the connection state and has enough information to retransmit the final ACK in the event the other endpoint's FIN or the final ACK is lost.

The duration of the TIME_WAIT state is 2*MSL (Maximum Segment Lifetime). The maximum amount of time a packet can wander around a network is assumed to be MSL seconds. The factor of 2 is for the round-trip. The originally recommended value (RFC 1337) for MSL was 120 seconds. Berkeley-derived implementations normally use 30 seconds.

Today, the TIME_WAIT value varies from vendor to vendor, and ranges from 30 to 60 seconds for general network devices. The Palo Alto Networks devices have a TIME_WAIT value of 30 seconds.

Configuration options

In PAN-OS 4.1.x and 5.0.x, the TIME_WAIT can be modified by running the following CLI command:

> set session timeout-tcpwait <1-60>

In PAN-OS 4.1.14 and 5.0.6, the timer has been extended up to 10 minutes:

> set session timeout-tcpwait <1-600>

This setting can also be modified from the WebGUI under Device > Setup > Session > Session Timeouts and TCP wait:

tcpwait.jpg

See Also

See RFC 1337, TIME_WAIT Assassination Hazards in TCP, for more details.

owner: kkondo



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWDCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language