On Mon, Apr 5, 2010 at 8:55 AM, Chris Buechler <[email protected]> wrote:

> On Tue, Mar 30, 2010 at 6:25 PM, Oliver Hansen <[email protected]>
> wrote:
> > I tried posting this specifically before and didn't have any luck (
> > http://www.mail-archive.com/[email protected]/msg19099.html ) but now that
> > I have contacted Microsoft I have a few more details to ask the questions
> > with. Here is the basic scenario:
> >
> > - On the server, TCP session timeouts have been lowered to 5 minutes
> > (through a reg edit that MS support had me make)
> > - The client application has been shut down and netstat shows no connections
> > open to the server
> > - The server still shows many (up to 30) connections to the client long
> > after the 5 minute timeout window
> > - The pfSense (1.2.3-RC3) GUI Diagnostics -> States table shows sessions
> > between the client and server as ESTABLISHED:ESTABLISHED
> > - The client and server are in two different subnets connected by an IPSec
> > VPN
> >
> > Now, is there anything in pfSense that would keep a session open even after
> > the client has closed it and the server's TCP timeout window has passed?
>
> Any connection in the state table will be open until the firewall's
> state timeout (which you can specify more granularly on a per-rule
> basis if desired), or the connection is closed by the client or
> server. The timeout on the servers has nothing to do with the
> firewall, unless they actually close the TCP connection, not just drop
> it, at the end of that timeout.
>
> Without a pcap showing the actual traffic, there's no telling what's
> happening. The only sure thing is neither the client nor server is
> closing the TCP connection if you see it as ESTABLISHED:ESTABLISHED.

Thank you for the information Tim and Chris. It definitely helps to give me
more information to troubleshoot with. Knowing I can alter the state timeout
in a firewall rule is something I did not know and is a great help. Is there
somewhere I can look to find the default? I tried looking in the pf.conf (I
think that was the file) the other day but I wasn't sure what it would be
called or if it would be in there if it was just the default. I did see the
Optimization rules under System -> Advanced but I am wary of changing that
for fear of breaking other things and I doubt that is the cause or I
probably would have found others with the same problem.

I will do some more checking with monitoring the states on the firewall,
client and server then get back with MS to try and figure out this issue.

Thanks again for the info and help.
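
An added example, not part of the original messages: one way to check from the firewall side whether the lingering ESTABLISHED:ESTABLISHED states are still carrying traffic is to compare each state's "expires in" value against the `tcp.established` timeout. The `pfctl` output below is a constructed sample with made-up addresses, the timeout values are the pf.conf(5) defaults (pfSense's optimization setting may use others), and the function names are hypothetical.

```python
import re

# Constructed sample of `pfctl -s timeouts` output (pf.conf(5) default values).
TIMEOUTS = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
"""

# Constructed sample of `pfctl -vv -s state` output; all addresses are made up.
STATES = """\
all tcp 10.1.0.20:1433 <- 10.2.0.15:49210       ESTABLISHED:ESTABLISHED
   [3728193312 + 65535] wscale 2  [1429843921 + 65535] wscale 2
   age 03:10:05, expires in 20:54:55, 412:398 pkts, 51200:48100 bytes, rule 12
all tcp 10.1.0.20:1433 <- 10.2.0.15:49388       ESTABLISHED:ESTABLISHED
   [2210045518 + 65535] wscale 2  [988120043 + 65535] wscale 2
   age 03:10:05, expires in 23:59:40, 9021:8876 pkts, 910022:880410 bytes, rule 12
all tcp 10.1.0.20:445 <- 10.2.0.15:49400       FIN_WAIT_2:FIN_WAIT_2
   [51200311 + 65535] wscale 2  [77120945 + 65535] wscale 2
   age 00:00:40, expires in 00:00:50, 20:18 pkts, 2100:1900 bytes, rule 12
"""

def hms(text):
    """Convert pfctl's HH:MM:SS into seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s

def established_timeout(timeouts_text):
    """Read the global tcp.established timeout, in seconds."""
    return int(re.search(r"^tcp\.established\s+(\d+)s", timeouts_text, re.M).group(1))

def idle_established(states_text, timeout, min_idle):
    """List (left, right, age, idle) for established states idle >= min_idle s.

    Assumes the global timeout applies (no per-rule or adaptive timeout), so
    idle time = timeout - "expires in".
    """
    found, endpoints = [], None
    for line in states_text.splitlines():
        if not line.startswith(" "):          # first line of a state entry
            f = line.split()
            endpoints = (f[2], f[-2]) if f[-1] == "ESTABLISHED:ESTABLISHED" else None
        elif endpoints:
            m = re.search(r"age (\S+), expires in (\S+),", line)
            if m and timeout - hms(m.group(2)) >= min_idle:
                found.append(endpoints + (hms(m.group(1)), timeout - hms(m.group(2))))
    return found

if __name__ == "__main__":
    for row in idle_established(STATES, established_timeout(TIMEOUTS), 300):
        print("left=%s right=%s age=%ds idle=%ds" % row)
```

A state with a large idle value has seen no packets and is only waiting out the firewall's own timeout; a state whose idle value stays near zero is still passing traffic, which a pcap can then identify.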
