It appears that in my case, the connection is being expired after 15 seconds when the firewall sees the DEST-FIN. The client (Chrome/Edge) continues to send Keep-Alive packets for about 5 minutes, which are all dropped out of state. The client then sends several FIN-ACK packets, which are also dropped out of state. This is what the connection looks like before DST-FIN:
<00000000, 0a7a1550, 0000d333, ac1c2015, 00000050, 00000006; 0001c001, 40044080, 00000038, 000001cf, 00000000, 6387085d, 00000008, 13e3b1d3, d7e5c551, 00000003, ffffffff, ffffffff, ffffffff, 0000e800, 00000000, 80000000, 00000000, 00000000, ac442808, 00007f8e, 00000000, 02101801, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3603/3615>
and after the DEST-FIN:
<00000000, 0a7a1550, 0000d330, ac1c2015, 00000050, 00000006; 0001e001, 40044080, 00000038, 000001cf, 00000000, 6387085d, 00000000, 13e3b1d3, d7e5c551, 00000003, ffffffff, ffffffff, ffffffff, 0000e800, 00000000, 80000000, 00000000, 00000000, b8fd9088, 00007f8e, 00000000, 06ce0001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 14/15>
After the server sends the FIN-ACK to the client, the connection is updated with this 15 second timeout. The client (Chrome/Edge) sends the first Keep-Alive packets after 45 seconds and several more Keep-Alive packets at 45 second intervals. These Keep-Alive packets are all dropped out of state, as well as subsequent FIN-ACK packets. I'm not sure where the 15 second timeout is coming from; the TCP end session timeout is 5 seconds. Disabling SecureXL resolves the issue. I have a case open, but not getting anywhere quickly unfortunately. I'm not sure if this is impacting user experience, other than causing Chrome and Edge to use more sockets than necessary and generating lots of unnecessary logs. It seems to me that there is an issue with SecureXL expiring half-closed connections too early, and I would like to get to the bottom of it.
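For comparing two connection-table dumps like the ones quoted in the post, a field-by-field diff is easier to read than the raw hex. The script below is an added example, not part of the original post and not Check Point tooling; it assumes each entry has the layout `<key fields; value fields; remaining/total timeout>` and that the key is direction, source IP, source port, destination IP, destination port, protocol. The value fields are compared by position only and are not interpreted.

```python
import ipaddress

# The two entries quoted in the post above, copied verbatim.
BEFORE = "<00000000, 0a7a1550, 0000d333, ac1c2015, 00000050, 00000006; 0001c001, 40044080, 00000038, 000001cf, 00000000, 6387085d, 00000008, 13e3b1d3, d7e5c551, 00000003, ffffffff, ffffffff, ffffffff, 0000e800, 00000000, 80000000, 00000000, 00000000, ac442808, 00007f8e, 00000000, 02101801, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3603/3615>"
AFTER = "<00000000, 0a7a1550, 0000d330, ac1c2015, 00000050, 00000006; 0001e001, 40044080, 00000038, 000001cf, 00000000, 6387085d, 00000000, 13e3b1d3, d7e5c551, 00000003, ffffffff, ffffffff, ffffffff, 0000e800, 00000000, 80000000, 00000000, 00000000, b8fd9088, 00007f8e, 00000000, 06ce0001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 14/15>"


def parse_entry(line):
    """Split '<key; values; remaining/total>' (assumed layout) into its parts."""
    body = line.strip().lstrip("<").rstrip(">")
    key, values, timer = (part.strip() for part in body.split(";"))
    remaining, total = (int(n) for n in timer.split("/"))
    return {
        "key": [f.strip() for f in key.split(",")],
        "values": [f.strip() for f in values.split(",")],
        "remaining": remaining,
        "total": total,
    }


def decode_key(key):
    """Assumed key order: direction, src IP, src port, dst IP, dst port, protocol."""
    _, src, sport, dst, dport, proto = (int(f, 16) for f in key)
    return (str(ipaddress.IPv4Address(src)), sport,
            str(ipaddress.IPv4Address(dst)), dport, proto)


def diff_fields(old, new):
    """Return (index, old, new) for every position where the two lists differ."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(old, new)) if x != y]


def compare(before, after):
    """Diff two entries: key fields, value fields, and the timeout counters."""
    b, a = parse_entry(before), parse_entry(after)
    return {
        "key_changes": diff_fields(b["key"], a["key"]),
        "value_changes": diff_fields(b["values"], a["values"]),
        "timer": ((b["remaining"], b["total"]), (a["remaining"], a["total"])),
    }


if __name__ == "__main__":
    result = compare(BEFORE, AFTER)
    print("before key:", decode_key(parse_entry(BEFORE)["key"]))
    print("after key: ", decode_key(parse_entry(AFTER)["key"]))
    for name, changes in result.items():
        print(name, changes)
```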