jintrah_FTNT, Staff
Article Id 190553

Description
Occasionally, an application is encountered that requires the use of TCP half-close.

This means that one end of the connection communicates the following to the other:

'I have finished sending data, so I am sending a FIN packet (FIN flag set) to the other end.'
(and yet)
'I still need to receive data from the other end until the peer sends me a FIN packet.'

Refer to '13.2.1 TCP Half-Close' of book 'TCP/IP Illustrated, Volume 1 Second Edition Kevin R. Fall'.

The example below illustrates the case in which the client initiates the half-close, but the server could equally initiate it.

                        Client                        Server(port1701)
                           {           .......            }
     Client Initiates Close{[FIN,ACK]------------------>  }
                           {<------------------------[ACK]}

  Connection Is Half-Closed{<------------------[more data]}
                           {[Data ACK]------------------->}
                           {           .......            }

           Connection's    {<--------------------[FIN,ACK]}
        "Other Half" Closes{[ACK]------------------------>}


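The exchange in the diagram above, reproduced on a loopback socket pair as an added example (this is not code from the article or from Fortinet). The client sends a request, half-closes with shutdown(SHUT_WR), which emits its FIN, and then keeps reading until the server's FIN arrives; the server reads up to the client's FIN and only then starts replying. The payloads, the reply delay and the use of 127.0.0.1 with an OS-chosen port are assumptions of the example. With a FortiGate in the path, everything the server sends after the client's FIN has to arrive within tcp-halfclose-timer, or the session is gone from the session table.

```python
import socket
import threading
import time

# Constructed payloads for the demonstration (not taken from the article).
REQUEST = b"GET-ALL\n"
RESPONSE_CHUNKS = [b"record-1\n", b"record-2\n", b"record-3\n"]


def _recv_until_fin(sock: socket.socket) -> bytes:
    """Read until recv() returns b'', i.e. until the peer's FIN has arrived."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk


def _server(listener: socket.socket, reply_delay: float, result: dict) -> None:
    """Server side: read the whole request (up to the client's FIN), then answer, then close."""
    conn, _ = listener.accept()
    with conn:
        result["request"] = _recv_until_fin(conn)
        # The client has only half-closed: its receive side is still open, so
        # data can still flow server -> client. With a firewall in the path,
        # everything below must arrive within its TCP half-close timer.
        for piece in RESPONSE_CHUNKS:
            time.sleep(reply_delay)  # stands in for server-side processing time
            conn.sendall(piece)
    # Leaving the 'with' block closes the socket: the server's FIN closes the other half.


def half_close_exchange(reply_delay: float = 0.05) -> tuple:
    """Run a client and server on loopback; return (request seen by server, reply seen by client)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port (assumption)
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    worker = threading.Thread(target=_server, args=(listener, reply_delay, result))
    worker.start()

    client = socket.create_connection(("127.0.0.1", port))
    with client:
        client.sendall(REQUEST)
        client.shutdown(socket.SHUT_WR)   # send FIN: "I am done sending" ...
        reply = _recv_until_fin(client)   # ... but keep reading until the server's FIN

    worker.join()
    listener.close()
    return result["request"], reply


if __name__ == "__main__":
    req, rep = half_close_exchange()
    print("server received before the client's FIN:", req)
    print("client received after its own FIN:", rep)
```

The order of events is what matters: the client's FIN goes out before any reply byte is sent, so from the firewall's point of view the whole reply travels over a half-closed session.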
By default in FortiOS, tcp-halfclose-timer is 120 seconds*.

* Factory default values can change from one firmware version to the next.

That means the session, including the still-open server-to-client half, will also be closed 2 minutes after the initial FIN packet is sent by the client, whether or not the server has finished sending.
After 2 minutes, the FortiGate will drop traffic from the server to the client, and debug flow output will show the message 'no session matched', reflecting the fact that the session no longer exists in the session table.

2015-01-07 13:57:42 id=20085 trace_id=1203308 func=vf_ip4_route_input line=1596 msg='find a route: flags=00000000 gw-192.168.245.33 via lan'

2015-01-07 13:57:42 id=20085 trace_id=1203308 func=fw_forward_dirty_handler line=310 msg='no session matched'
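A small parser for debug flow output of the form shown above, added here as an example and not part of the article. It groups lines by trace_id and returns only the traces that hit 'no session matched', which is the quickest way to confirm from a longer capture that a half-closed session was expired. The sample input embeds the article's two lines and adds a constructed second trace (trace_id 1203309, invented session id and addresses) that finds its session normally; both the single-quoted msg format of the article and the double-quoted format of newer builds are accepted.

```python
import re
from collections import defaultdict

# One 'diagnose debug flow' trace line. The article's lines use msg='...';
# newer FortiOS builds print msg="...", so both quote styles are accepted.
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"id=(?P<id>\d+) trace_id=(?P<trace_id>\d+) "
    r"func=(?P<func>\S+) line=(?P<line>\d+) "
    r"msg=(?P<q>['\"])(?P<msg>.*)(?P=q)\s*$"
)

# Constructed sample: the article's two lines for trace 1203308, plus an
# invented trace 1203309 (addresses and session id are placeholders).
SAMPLE_DEBUG_FLOW = """\
2015-01-07 13:57:42 id=20085 trace_id=1203308 func=vf_ip4_route_input line=1596 msg='find a route: flags=00000000 gw-192.168.245.33 via lan'
2015-01-07 13:57:42 id=20085 trace_id=1203308 func=fw_forward_dirty_handler line=310 msg='no session matched'
2015-01-07 13:57:43 id=20085 trace_id=1203309 func=print_pkt_detail line=4479 msg='vd-root received a packet(proto=6, 10.0.1.9:7701->10.0.0.5:51000) from port7.'
2015-01-07 13:57:43 id=20085 trace_id=1203309 func=resolve_ip_tuple_fast line=4535 msg='Find an existing session, id-0000abcd, original direction'
"""


def parse_debug_flow(text: str) -> list:
    """Parse debug flow output into one dict per recognised line; other lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            records.append(m.groupdict())
    return records


def traces_with_no_session(text: str) -> dict:
    """Group messages by trace_id and keep only traces containing 'no session matched'.

    After a half-close, a trace ending this way means the session had already
    been removed from the session table (e.g. tcp-halfclose-timer elapsed).
    """
    by_trace = defaultdict(list)
    for rec in parse_debug_flow(text):
        by_trace[rec["trace_id"]].append(rec["msg"])
    return {tid: msgs for tid, msgs in by_trace.items()
            if any(msg == "no session matched" for msg in msgs)}


if __name__ == "__main__":
    for tid, msgs in traces_with_no_session(SAMPLE_DEBUG_FLOW).items():
        print(f"trace {tid}: " + " -> ".join(msgs))
```

Feed it the saved output of a debug flow session and compare the timestamps of the flagged traces with the client's FIN to check whether the gap exceeds the configured tcp-halfclose-timer.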


Solution
To support an application that requires TCP half-close operation, the administrator can extend the tcp-halfclose-timer.

The following steps show how to extend the TCP half-close timer for port 7701.

(1) Create a custom firewall service for TCP port 7701

Set the expected tcp-halfclose-timer for the new custom service.

# config firewall service custom
    edit "TCP-7701"
        set tcp-portrange 7701
        set tcp-halfclose-timer 3600
    next
end

(2) Since EITHER END CAN initiate the TCP half-close, apply service 'TCP-7701' to the policies for traffic initiated in either direction (one policy per direction below).

# config firewall policy
    edit 55
        set srcintf "lan"
        set dstintf "port7"
        set srcaddr "kca-iweb_lan"
        set dstaddr "Data_Spider"
        set action accept
        set schedule "always"
        set service "TCP-7701"
        set logtraffic all
    next
end

# config firewall policy
    edit 54
        set srcintf "port7"
        set dstintf "lan"
        set srcaddr "Data_Spider"
        set dstaddr "kca-iweb_lan"
        set action accept
        set schedule "always"
        set service "TCP-7701"
        set logtraffic all
    next
end


Note.
To extend tcp-halfclose-timer for all TCP sessions instead of a single service, modify the global setting:

# config system global
    set tcp-halfclose-timer ?
    tcp-halfclose-timer    <----- Enter an integer value from <1> to <86400> (default = <120>).
end
