What does TCP Session Timeout after FIN/RST mean?
Resolution
Overview
On a Palo Alto Networks firewall, the "TCP session timeout after FIN/RST" is effectively the duration of the TCP TIME_WAIT state. The show session info CLI command displays the value (marked with << below):
> show session info
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP session timeout after FIN/RST: 30 secs <<
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Details
The endpoint that sends the first FIN (the active closer) enters the TIME_WAIT state, because it is also the endpoint that sends the final ACK. It keeps the connection state so that it can retransmit the final ACK if the other endpoint's FIN or the final ACK itself is lost.
The duration of the TIME_WAIT state is 2*MSL (Maximum Segment Lifetime). MSL is the maximum time a segment is assumed to survive while wandering around the network; the factor of 2 accounts for the round trip. The originally recommended value (RFC 1337) for MSL was 120 seconds. Berkeley-derived implementations normally use 30 seconds.
Today, the TIME_WAIT value varies from vendor to vendor and ranges from 30 to 60 seconds on general network devices. Palo Alto Networks devices use a default TIME_WAIT value of 30 seconds.
Configuration options
In PAN-OS 4.1.x and 5.0.x, the TIME_WAIT timer can be modified with the following CLI command (value in seconds):
> set session timeout-tcpwait <1-60>
Starting with PAN-OS 4.1.14 and 5.0.6, the maximum was extended to 10 minutes (600 seconds):
> set session timeout-tcpwait <1-600>
This setting can also be modified from the WebGUI under Device > Setup > Session > Session Timeouts > TCP wait.
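As an added example (not Palo Alto Networks' own tooling), the following Python script parses the show session info output shown above, extracts every timer, and checks the FIN/RST value against the timeout-tcpwait range for the PAN-OS releases named on this page and against the 30-60 second range the Details section describes as typical; it also reports the MSL the value implies under TIME_WAIT = 2*MSL. The sample output, the version-to-range table and the function names are constructed for this example.

```python
import re
# Constructed sample: the `show session info` excerpt from this page, without the << marker.
SAMPLE_OUTPUT = """\
> show session info
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP session timeout after FIN/RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
"""

# Upper bound of `set session timeout-tcpwait` for the PAN-OS releases named on this page (constructed table).
TCPWAIT_MAX = {"4.1.x": 60, "5.0.x": 60, "4.1.14": 600, "5.0.6": 600}
FIN_RST_KEY = "TCP session timeout after FIN/RST"
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z0-9 /-]*?):\s*(\d+) secs")  # one "name: N secs" field

def parse_session_timeouts(text):
    """Return {timer name: seconds}; the three discard-state timers get a 'discard ' prefix."""
    timeouts, in_discard = {}, False
    for line in text.splitlines():
        if line.startswith("Session timeout in discard state"):
            in_discard = True
            continue
        for name, secs in FIELD_RE.findall(line):  # the discard line carries three fields
            key = ("discard " if in_discard else "") + name.strip()
            timeouts[key] = int(secs)
    return timeouts

def audit_tcp_wait(timeouts, pan_os):
    """Return (wait, implied MSL, findings) for the FIN/RST timer on the given PAN-OS release."""
    wait = timeouts[FIN_RST_KEY]
    upper = TCPWAIT_MAX[pan_os]
    findings = []
    if not 1 <= wait <= upper:
        findings.append(f"{wait}s is outside the timeout-tcpwait range 1-{upper} on PAN-OS {pan_os}")
    if not 30 <= wait <= 60:
        findings.append(f"{wait}s is outside the 30-60s TIME_WAIT range typical of network devices")
    return wait, wait / 2, findings  # TIME_WAIT = 2*MSL, so MSL = wait / 2

if __name__ == "__main__":
    print(audit_tcp_wait(parse_session_timeouts(SAMPLE_OUTPUT), "5.0.x"))
```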
See Also
See RFC 1337, TIME_WAIT Assassination Hazards in TCP, for more details.
owner: kkondo