Is there anything in the UI where I can set the idle timeout of a TCP connection? And what is the default value in Astaro Gateway 8.0 for the idle TCP connection timeout?
I moved this discussion from its original attachment to a four-year-old thread. I'm glad you remembered that Barry. I knew I'd seen it recently, but couldn't find it quickly on the KnowledgeBase.
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
Hi
I have configured ip_conntrack_tcp_timeout_established = 900 sec,
but still, if the connection remains idle for more than 900 sec, it is not dropped by the firewall.
My configuration is:
masquerading rule between client and server
client is in the internal network and server is in the public network
in packet filter: allow all packets using any service fro
You also have to enable "Use strict TCP session handling" under Network Security >> Firewall >> Advanced (nf_conntrack_tcp_be_liberal). Otherwise the connection is picked up and allowed again after the client sends another data packet.
Hi
I have enabled "Use strict TCP session handling" under Network Security > Packet Filter > Advanced, and the firewall console shows nf_conntrack_tcp_be_liberal=0;
still, the idle TCP connection is not broken by the firewall after 900 sec.
My other settings are:
1) packet filter: allow from client to server and server to client.
2) NAT > Masquerading: Internal (Network) to External interface
I have not restarted the firewall machine after changing the value of "strict TCP session handling".
Tried to reproduce with 8.300 but can't verify the issue.
If you enter "conntrack -L" on the console you see all conntracks. Grep for the entry you monitor. Third parameter is the allowed lifetime, which decrements.
ip_conntrack_tcp_timeout_established only affects new conntracks. You don't have to reboot.
Please try again and verify that your client is not re-establishing a new connection.
Hi
My concern is that I have to see how Astaro is breaking the idle connection
if my idle timeout is 15 min. In this condition, can we verify from Wireshark
whether the firewall sends any reset packet to the client?
hi
When I configured ip_conntrack_tcp_timeout_established = 5 min or 30 sec,
then connections are broken by the firewall, but if I set it to 15 min, then even though I'm not sending any data from the client or from the server, there is still some communication happening (visible in Wireshark) between client and server every 5 min, and the connection is not broken by the firewall.
Is there a need to change any other value if I want the idle TCP connection to get dropped by the firewall?
Hi Ulrich
Hi
Ulrich, I have the following observations:
1) output of conntrack -L, three times:
a) 6621 Established src client dst sport dport packets=856 bytes=39443 src= dst= sport dport packets=855 bytes=38331 [Assured] mark=0 use=0
b) 6602 Established src client dst sport dport packets=859 bytes=39443 src= dst= sport dport packets=858 bytes=38443 [Assured] mark=0 use=0
c) 6877 Established src client dst sport dport packets=860 bytes=39443 src= dst= sport dport packets=859 bytes=38487 [Assured] mark=0 use=0
2) nf_conntrack_tcp_be_liberal=0
3) There is a persistent connection maintained, i.e. no connection break,
with the firewall having the above-mentioned settings.
Is there any other configuration required to make ip_conntrack_tcp_timeout_established = 900 sec effective?
No data is sent from server to client or from client to server.
The first 6 on each conntrack line is separated from the following three numbers? It should be, because you have a maximum of 900 seconds for established TCP sessions.
If yes, and the three lines are in chronological order, then there is traffic going over your TCP connection. Note: even if your application is not sending any data, there is a technology called TCP keepalive, which keeps the connection alive.
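The check described in the reply above, as an added example (not code from the thread or from Sophos/Astaro): parse `conntrack -L` lines, read the remaining lifetime from the third column, and compare snapshots of the same flow. The sample lines are constructed with hypothetical addresses; the first three mirror the counters posted above (lifetimes 621, 602, 877 after separating the leading 6), the fourth shows what a genuinely idle flow looks like.

```python
import re
from dataclasses import dataclass

# Third column of `conntrack -L` is the remaining lifetime in seconds; it
# counts down while the flow is idle and is reset whenever a packet matches.
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+(\d+)\s+(\S+)\s+(.*)$")

@dataclass
class Entry:
    proto: str
    timeout: int       # seconds left before the conntrack entry expires
    state: str         # e.g. ESTABLISHED (empty for stateless protocols)
    flow: tuple        # (src, dst, sport, dport) of the original direction
    packets: tuple     # (original-direction packets, reply-direction packets)

def parse_conntrack_line(line: str) -> Entry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a conntrack -L line: {line!r}")
    proto, timeout, state, rest = m.groups()
    if "=" in state:               # no state column (e.g. udp): token is a key=value
        rest, state = state + " " + rest, ""
    kv = re.findall(r"(\w+)=(\S+)", rest)
    first = {}
    for k, v in kv:                # keys repeat per direction; keep original direction
        first.setdefault(k, v)
    flow = (first["src"], first["dst"], first["sport"], first["dport"])
    packets = tuple(int(v) for k, v in kv if k == "packets")
    return Entry(proto, int(timeout), state, flow, packets)

def classify(earlier: Entry, later: Entry) -> str:
    """Judge the interval between two snapshots of the same flow."""
    if later.flow != earlier.flow:
        raise ValueError("snapshots are for different flows")
    if later.packets != earlier.packets:
        return "traffic"           # counters moved: data or keepalive kept it alive
    if later.timeout < earlier.timeout:
        return "idle"              # nothing sent; lifetime is simply counting down
    return "inconclusive"          # same second or entry recreated; sample again

def report(lines):
    entries = [parse_conntrack_line(l) for l in lines]
    return [classify(a, b) for a, b in zip(entries, entries[1:])]

# Constructed snapshots (hypothetical addresses), taken some minutes apart.
_F = "src=10.0.0.2 dst=203.0.113.5 sport=51234 dport=443 packets={} bytes={}"
_R = "src=203.0.113.5 dst=10.0.0.2 sport=443 dport=51234 packets={} bytes={}"
SNAPSHOTS = [
    f"tcp      6 621 ESTABLISHED {_F.format(856, 39443)} {_R.format(855, 38331)} [ASSURED] mark=0 use=1",
    f"tcp      6 602 ESTABLISHED {_F.format(859, 39443)} {_R.format(858, 38443)} [ASSURED] mark=0 use=1",
    f"tcp      6 877 ESTABLISHED {_F.format(860, 39443)} {_R.format(859, 38487)} [ASSURED] mark=0 use=1",
    f"tcp      6 500 ESTABLISHED {_F.format(860, 39443)} {_R.format(859, 38487)} [ASSURED] mark=0 use=1",
]
```

Rising packet counters with no application data points at TCP keepalive (or another probe) on one of the endpoints, which is what to look for in the Wireshark capture; only the last interval here shows a flow that would actually expire.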