4 Replies Latest reply on Jan 18, 2016 8:15 AM by thyvarin

    Timeout for VPN Sessions

    ryanjohnstone

Hi there, we are seeing sessions for clients being timed out on our Stonesoft NGF with the following message

       

      "Connection timeout in state TCP_ESTABLISHED"

       

This is occurring for clients connected in via both an IPSec VPN session and for clients connecting over an IPSec Site to Site tunnel.  So users are logged in and have Outlook running, it will then pop up a message reporting "lost connection to Exchange server, re-connecting...."  So for some reason the connection is being timed out.  The timeout seems to occur after 30 mins.  I have looked at the idle timeout setting to see if this can be changed but there is not one for state TCP_ESTABLISHED.

       

      Can any one offer any advice as to how we stop the NGF timing out these sessions?

       

      Thanks

       

      Ryan

        • 1. Re: Timeout for VPN Sessions
          thyvarin

The default idle timeout for TCP connections (in ESTABLISHED state) in NGFW is 30 minutes, so users in your case leave Outlook open for 30+ minutes, and then NGFW removes the connection from the state table when it hasn't seen any packets for the connection within 30 minutes. When the user tries to use Outlook after this, the connection to the Exchange server will not work, as NGFW drops the packets because it doesn't have the connection in the state table anymore.

           

It is possible to define global timeouts in the firewall advanced properties, but since this would globally affect all TCP connections in established state, it's better to define the idle timeout in the Access Rule that allows the traffic:

http://help.stonesoft.com/onlinehelp/StoneGate/SMC/5.10.0/GUID-FFEFCBF8-07BA-46B2-87FF-B22778E81D4C.html

           

It's important that the rules where you increase the idle timeout only match traffic that requires a longer idle timeout. The connection state table is kept in firewall memory and each connection takes a small amount of memory. If lots of connections get a long idle timeout unnecessarily this can lead to increased memory usage, and in the worst case it could cause memory to run out and the FW to crash.

           

It is especially important to make sure that ICMP and UDP traffic does not get an unnecessarily long idle timeout, as they don't have a connection closing mechanism similar to TCP's. Thus the FW will have to keep ICMP and UDP connections in the state table for the entire idle timeout. E.g. a DNS connection is usually just one query from client to server and a reply from the server, and after that the connection is done. It would be quite stupid to keep that connection in FW memory for e.g. 4 hours.

           

Thus in your case, if the rule that currently allows Outlook-Exchange traffic also matches ICMP and UDP traffic, it would be best to add a new rule for Outlook-Exchange traffic above the current rule, and increase the idle timeout in that rule to e.g. 2 hours or whatever you think is enough to prevent users' connections from timing out.

           

          BR,

          Tero
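A small model of the state-table behaviour described in the reply above, added here as an example (it is not Stonesoft's code or the NGFW's real implementation). The rule matching, port 443 standing in for the Exchange traffic, the client address and the DNS workload are all constructed; the three rule sets are the default 30-minute timeout, a 2-hour timeout raised on a wide rule, and a specific Outlook-Exchange rule placed above the wide one.

```python
# Added example (not Stonesoft code): toy model of a stateful firewall connection
# table with per-rule idle timeouts. Rules, ports and workload are constructed to show
# why the longer timeout should be scoped to the Outlook/Exchange rule only.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset
    ports: Optional[frozenset]   # destination ports, None = any
    idle_timeout: int            # seconds an idle entry stays in the table

@dataclass
class StateTable:
    rules: list                  # ordered; first match wins, like an access rule base
    entries: dict = field(default_factory=dict)   # connection key -> expiry time

    def match(self, proto, port):
        for r in self.rules:
            if proto in r.protocols and (r.ports is None or port in r.ports):
                return r
        return None

    def packet(self, key, proto, port, now):
        """A packet creates or refreshes the entry; no matching rule means drop."""
        r = self.match(proto, port)
        if r is None:
            return False
        self.entries[key] = now + r.idle_timeout
        return True

    def expire(self, now):
        """UDP/ICMP entries only ever leave via the idle timeout (no FIN/RST)."""
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

def occupancy(rules, check_at, n_dns=1000):
    """One idle Outlook->Exchange TCP session plus n_dns one-shot UDP DNS exchanges at t=0..n_dns-1; returns entries left at check_at."""
    st = StateTable(rules)
    st.packet(("10.0.0.5", 40000, "tcp"), "tcp", 443, now=0)   # constructed client
    for i in range(n_dns):
        st.packet(("10.0.0.5", 50000 + i, "udp"), "udp", 53, now=i)
    st.expire(check_at)
    return len(st.entries)

ANY = frozenset({"tcp", "udp", "icmp"})
DEFAULT = [Rule("allow-out", ANY, None, 30 * 60)]          # 30 min for everything
BROAD = [Rule("allow-out", ANY, None, 2 * 3600)]           # 2 h raised on the wide rule
SPLIT = [Rule("outlook-exchange", frozenset({"tcp"}), frozenset({443}), 2 * 3600),
         Rule("allow-out", ANY, None, 30 * 60)]            # specific rule placed above
```

After one hour the default set has dropped the Outlook session (the reported symptom), the wide 2-hour rule still holds all 1000 finished DNS exchanges plus the session, and the split rule base holds only the Outlook session.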

          • 2. Re: Timeout for VPN Sessions
            ryanjohnstone

            Thanks for the response Tero, will give this a go taking care to isolate on the affected traffic.

             

            Ryan

            • 3. Re: Timeout for VPN Sessions
              ryanjohnstone

Hi Tero, looks like this has fixed the issue... I need to be able to view the impact it has on memory, though, in order to put this into production. Can you advise on the commands / tools to use for this?

               

              Thanks

               

              Ryan

              • 4. Re: Timeout for VPN Sessions
                thyvarin

                Hi,

                 

You can check the memory usage with Linux commands like free and top. Here's an example of free output:

                 

             total       used       free     shared    buffers     cached
Mem:       8087700    5108100    2979600          0     427028    1288356
-/+ buffers/cache:    3392716    4694984
Swap:      1932280          0    1932280

                 

In the above, the second line tells that about 3.4 GB of memory is in use (http://www.linuxnix.com/find-ram-size-in-linuxunix/).

                 

                BR,

                Tero