Finding timed out sessions in the firewall log

I have used this FW log filter to find TCP sessions that have been dropped by the FW due to inactivity: filter for Drops, and in the Info column use Contains(tcp_flags: PUSH-ACK). Once you find one, you can use the ephemeral (source) port number, which is fairly unique, to filter for the session setup. It's the time between setup and drop you want to check; you need to make sure it's greater than the inactivity timer on the FW.

I have seen some sessions torn down by the FW 60 minutes after setup because the application created a number of sessions on startup but doesn't always use them. These all need TCP keepalives to stay up in the FW.
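The same correlation done as a script, added here as an example and not part of the original post: it pairs each PUSH-ACK drop with the session setup (first Accept) for the same source port and reports the ones whose setup-to-drop gap exceeds the inactivity timer. The log layout (date, time, action, src, s_port, dst, service, info) is constructed for this example and will need adapting to a real export.

```python
"""Correlate PUSH-ACK drops with the session setup on the same ephemeral port
and flag sessions that outlived the firewall's TCP inactivity timer."""
from datetime import datetime

# Constructed sample export (not a real firewall log). Field order assumed:
# date time action src s_port dst service info
SAMPLE_LOG = """\
2024-03-01 08:00:05 Accept 10.1.2.3 51234 10.9.8.7 1521 tcp_flags: SYN
2024-03-01 08:00:06 Accept 10.1.2.3 51235 10.9.8.7 1521 tcp_flags: SYN
2024-03-01 08:30:20 Drop 10.1.2.3 51235 10.9.8.7 1521 tcp_flags: PUSH-ACK
2024-03-01 09:00:09 Drop 10.1.2.3 51234 10.9.8.7 1521 tcp_flags: PUSH-ACK
2024-03-01 09:02:00 Drop 172.16.0.9 44000 10.9.8.7 443 tcp_flags: PUSH-ACK
2024-03-01 09:03:00 Drop 172.16.0.9 44001 10.9.8.7 443 tcp_flags: RST
"""


def parse_line(line):
    """Split one export line into a dict; 'info' keeps everything after service."""
    date, time_, action, src, sport, dst, dport, info = line.split(maxsplit=7)
    return {
        "ts": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
        "action": action, "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport), "info": info,
    }


def find_idle_timeouts(log_text, idle_timer_seconds):
    """Return [(src, sport, dst, dport, gap_seconds)] for every PUSH-ACK drop
    whose gap from the session's first Accept exceeds idle_timer_seconds."""
    setups = {}   # (src, sport, dst, dport) -> timestamp of the session setup
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["action"] == "Accept" and "SYN" in rec["info"]:
            setups.setdefault(key, rec["ts"])   # first Accept = session setup
        elif rec["action"] == "Drop" and "PUSH-ACK" in rec["info"]:
            setup = setups.get(key)
            if setup is None:
                continue   # setup outside the log window: gap cannot be measured
            gap = int((rec["ts"] - setup).total_seconds())
            if gap > idle_timer_seconds:
                flagged.append(key + (gap,))
    return flagged


if __name__ == "__main__":
    for src, sport, dst, dport, gap in find_idle_timeouts(SAMPLE_LOG, 3600):
        print(f"{src}:{sport} -> {dst}:{dport} dropped {gap}s after setup")
```

A drop whose setup falls before the start of the export is skipped rather than guessed, so widen the time window if a suspect port shows no hit.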

