firewall and TCP connection

firewall killing idle tcp connections

An application deployed in DMZ is configured to authenticate towards LDAP server located in internal zone.
The initial authentication works fine. A new TCP connection is established through the firewall, and the authentication request hits the LDAP server. The TCP connection is kept open by the operating system after being established. The operating system will try to keep this TCP connection alive for a given time, typically configured to 7200 seconds (2h). The TCP connection is left open so it can be reused for subsequent requests, avoiding the TCP handshake overhead.

29.10.2009, 11:23:38
But when a new authentication request is made 31 min after the first one, it fails.
The problem is that the intermediate firewall kills the idle TCP connection after a configured timeout, currently 30 min.
So what are the options to fix this:

  1. generate traffic, to avoid an idle TCP connection (a type of proactive monitoring)
  2. set the firewall timeout to something larger than the OS-specific keepAlive
  3. set the OS-specific keepAlive to something less than the firewall timeout
  4. handle killed TCP connections at the application layer

Option 1 is fine because it adds the possibility of proactive monitoring. The downside is that the infrastructure is dependent on some arbitrary traffic generator or monitoring tool.

If the application behaviour can be controlled (through code change or configuration), option 4 is relevant. Very often there is a wide range of applications (open-source, commercial and proprietary alike) that will experience the same problem of firewalls dropping TCP connections after some idle timeout, so controlling every application could become difficult.

Increasing the firewall timeout, as mentioned in option 2, could be a way to go. But firewalls are there for security reasons, so issues like Denial of Service (DoS) attacks and TCP session hijacking should be considered before increasing the firewall timeout.

Option 3 is detailed below.

hardening the TCP/IP stack

Microsoft recommends a KeepAliveTime of 300 seconds (5 min) as part of hardening the TCP/IP stack against denial of service attacks. See "How to harden the TCP/IP stack against denial of service attacks in Windows Server 2003", Microsoft Technet, and the Microsoft Windows Security Resource Kit.

The same kind of information is found in Securing and Optimizing Linux: RedHat Edition - A Hands on Guide. There the keepAlive is changed from 7200 to 1800 seconds (30 min).

Operating system recommendations for keepAlive values thus fall inside the firewall timeout window. The downside of reducing the keepAlive is that more keepAlive packets are sent over the network, possibly increasing network congestion.

typical errors
ldap.DirContextHolder – Unsolicited exception thrown for directory context com.sun.jndi.ldap.LdapCtx@
at com.sun.jndi.ldap.LdapClient.processConnectionClosure

ldap.LDAPAuthenticatorStep – Failed to connect to ldap server.
javax.naming.ServiceUnavailableException
at com.sun.jndi.ldap.Connection.readReply

ldap.DirContextHolder – Created directory context com.sun.jndi.ldap.LdapCtx
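An added example, not from the original post, showing options 3 and 4 together in Python: per-socket TCP keepalive set below the firewall idle timeout (assumed to be the 1800 s / 30 min from above) and checked against it, plus a reconnect-and-retry wrapper for the closed-connection errors shown above. Socket option names are the Linux ones; the loopback demo is constructed and involves no LDAP server.

```python
import socket

FIREWALL_IDLE_TIMEOUT = 1800  # assumed: the 30 min firewall timeout from the post


def keepalive_plan(firewall_timeout, idle, interval, count):
    """Validate keepalive timers against the firewall's idle timeout.

    Returns the worst-case seconds before a dead peer is noticed
    (idle + interval * count). Raises if the first probe would only be
    sent after the firewall has already dropped the idle session."""
    if idle >= firewall_timeout:
        raise ValueError(
            f"keepalive idle {idle}s is not below firewall timeout {firewall_timeout}s")
    return idle + interval * count


def enable_keepalive(sock, idle, interval, count):
    """Per-socket keepalive override (option 3 applied from the application).
    Option names are Linux; macOS exposes the idle timer as TCP_KEEPALIVE."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return idle_opt


def loopback_keepalive(idle=300, interval=60, count=5):
    """Constructed demo on 127.0.0.1 (no LDAP server): apply keepalive and
    read the effective SO_KEEPALIVE flag and idle timer back from the kernel."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.create_connection(srv.getsockname()) as cli:
            peer, _ = srv.accept()
            with peer:
                idle_opt = enable_keepalive(cli, idle, interval, count)
                flag = cli.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
                eff = cli.getsockopt(socket.IPPROTO_TCP, idle_opt) if idle_opt else None
                return flag, eff


def call_with_reconnect(request, reconnect):
    """Option 4: a reset or closed connection (the ServiceUnavailableException
    case above) triggers one reconnect and a single retry instead of a failure."""
    try:
        return request()
    except ConnectionError:
        reconnect()
        return request()
```

With idle=300, interval=60, count=5 the first probe goes out well inside the 30 min window and a dead peer is detected after 600 s at worst.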

References:
Covering Linux, OS X, Solaris and Windows on TCP keepalive configuration
Firewall Session Problems
Preventing disconnection due to network inactivity
How can I change the TCP/IP tuning parameters?
TCP keepalive overview
Using TCP keepalive under Linux
