Luis_Miguel_Mig
Specialist

rad - connections to cws.checkpoint.com stay in close_wait for 180min

R80.40 take 94

I have noticed in the SmartConsole logs that about 10 connections per hour sourced from the gateway to cws.checkpoint.com get dropped by the firewall itself, saying "first pack isn't syn", TCP flags FIN-ACK.

After digging a bit I noticed that the gateway receives the FIN and sends the FIN-ACK, but it only sends its own FIN 3 hours later; by then the TCP entry is not in the TCP sessions table and therefore the gateway drops the connection.

With netstat I can see that those connections are likely opened by the rad process:

[Expert@fw1:0]# netstat -apn
tcp 1 0 1.1.1.1:55962 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55736 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55734 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55700 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55960 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55862 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55928 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55896 1.1.1.2:80 CLOSE_WAIT 13470/rad

I wonder why the gateway delays the closure for 3 hours.

0 Kudos
1 Reply
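The CLOSE_WAIT state in the netstat output above means the peer's FIN has arrived and been acknowledged, but the local application (here rad) has not yet called close() on the socket, so the gateway's own FIN is not sent until it does. A small script to spot that pattern across a whole `netstat -apn` dump, as an added example that is not from the poster or from Check Point: it parses the TCP rows, counts CLOSE_WAIT sockets per program and remote endpoint, and reports the groups that have piled up. The sample dump is constructed for the example (the rad rows mirror the post, the sshd/ntpd rows are made up for contrast), and the threshold of 5 is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample of `netstat -apn` output, modelled on the rows in the
# post above; the LISTEN/ESTABLISHED/TIME_WAIT/udp rows are made up for contrast.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1200/sshd
tcp        0      0 1.1.1.1:22              10.0.0.5:51000          ESTABLISHED 1200/sshd
tcp        1      0 1.1.1.1:55962           1.1.1.2:80              CLOSE_WAIT  13470/rad
tcp        1      0 1.1.1.1:55736           1.1.1.2:80              CLOSE_WAIT  13470/rad
tcp        1      0 1.1.1.1:55734           1.1.1.2:80              CLOSE_WAIT  13470/rad
tcp        1      0 1.1.1.1:55700           1.1.1.2:80              CLOSE_WAIT  13470/rad
tcp        1      0 1.1.1.1:55960           1.1.1.2:80              CLOSE_WAIT  13470/rad
tcp        1      0 1.1.1.1:55862           1.1.1.2:80              CLOSE_WAIT  13470/rad
tcp        1      0 1.1.1.1:55928           1.1.1.2:80              CLOSE_WAIT  13470/rad
tcp        1      0 1.1.1.1:55896           1.1.1.2:80              CLOSE_WAIT  13470/rad
tcp        0      0 1.1.1.1:40010           1.1.1.2:443             TIME_WAIT   -
udp        0      0 0.0.0.0:123             0.0.0.0:*                           900/ntpd
"""

# One TCP row of netstat output: proto, Recv-Q, Send-Q, local, foreign, state, PID/program.
# UDP rows have no state column and are deliberately not matched.
TCP_ROW = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<prog>\S+)\s*$"
)


def parse_netstat(text):
    """Return one dict per TCP row; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            row = m.groupdict()
            row["recvq"] = int(row["recvq"])
            row["sendq"] = int(row["sendq"])
            rows.append(row)
    return rows


def close_wait_report(text, min_count=5):
    """Count CLOSE_WAIT sockets per (program, remote endpoint) and keep only the
    groups at or above min_count. Many CLOSE_WAIT sockets from one process to one
    peer means that process keeps receiving the peer's FIN without calling close()."""
    counts = Counter(
        (r["prog"], r["remote"])
        for r in parse_netstat(text)
        if r["state"] == "CLOSE_WAIT"
    )
    return {key: n for key, n in counts.items() if n >= min_count}


def unread_eof_count(text):
    """CLOSE_WAIT sockets with a non-zero Recv-Q. On Linux the peer's FIN occupies
    one sequence number, so a Recv-Q of 1 on a CLOSE_WAIT socket is the usual sign
    that the application has not even read the end-of-file yet."""
    return sum(
        1 for r in parse_netstat(text)
        if r["state"] == "CLOSE_WAIT" and r["recvq"] > 0
    )


if __name__ == "__main__":
    for (prog, remote), n in sorted(close_wait_report(SAMPLE_NETSTAT).items()):
        print(f"{prog}: {n} sockets in CLOSE_WAIT towards {remote}")
    print(f"{unread_eof_count(SAMPLE_NETSTAT)} of them still have the FIN unread (Recv-Q > 0)")
```

Run against a real dump by feeding it the text of `netstat -apn` instead of the constructed sample; a group that keeps growing between two runs, with Recv-Q stuck at 1, is the same symptom the post describes and points at the application holding the socket rather than at the firewall's session table, which only drops the late FIN because the entry has long since aged out.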
PhoneBoy
Admin

That sounds worthy of a TAC case.

0 Kudos