What's up? Apache servers making 'return calls' to past client IPs!

Basil Hussain basil.hussain at kodakweddings.com
Wed Apr 24 11:25:01 CDT 2002


We have the following timeout settings (all defaults, by the way) in our PIX

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

And we have the following timeouts (defaults again) set in our Apache

Timeout 300
KeepAliveTimeout 15

> You're getting hung up in the
> connection closing
> routines on the server (capture and do a tcpdump on the packets that cause
> this), since the server is going into CLOSING state, it's probably sending
> the FIN+ACK packet to signal the client it wants to close the connection,
> but the firewall is blocking that packet.  The client may or may not have
> sent its own FIN+ACK message to the server to tell it to close the
> connection.

Could it be the firewall's 'half-closed' connection timeout setting
(currently 10 mins) that's causing this? The Cisco PIX docs define the
'half-closed' timeout as being "Idle time until a TCP half-close connection
is freed". My TCP/IP knowledge is a bit sketchy on the in-depth stuff, but
here's what makes sense to me... (Again, I could be wrong.)

The client has signalled that the connection has closed (FIN) - the browser
has finished receiving page items (imgs, etc). The web server, because it's
a persistent connection, keeps it open. This is now a 'half-closed'
connection. Later on, the firewall's 'half-closed' timeout comes up, letting
the firewall forget all about the connection. Then later still, the web
server finally wants to close the connection, but the firewall is not
expecting the packet, and so discards it (whilst logging a warning).

If that is the right scenario, what I don't get is that the 'half-closed'
timeout far exceeds any timeouts in the Apache config - 10 mins versus 5
mins ('Timeout') and 15 sec ('KeepAliveTimeout'). So why does Apache want to
close the connection so late?

Anyhow, I've tried doubling the PIX firewall's 'half-closed' timeout to 20
minutes to see if that has any effect.


Basil Hussain
Internet Developer, Kodak Weddings
E-Mail: basil.hussain at kodakweddings.com
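The half-closed state described in the post is easy to reproduce on a loopback socket. The following Python script is an added example, not part of the original message or of anything Cisco or Apache ships: the client sends a request, then calls shutdown(SHUT_WR) so its FIN goes out while the server's side stays open; the server sees end-of-file, can still write a response, and only then sends its own FIN. A small parser for the PIX "timeout" line quoted above is included so the firewall's half-closed value can be compared with Apache's settings in seconds. The HTTP request and response bytes are constructed sample data.

```python
import re
import socket
import threading

# Matches PIX h:mm:ss durations such as 0:10:00.
_DURATION = re.compile(r"^(\d+):(\d\d):(\d\d)$")


def parse_pix_timeout_line(line):
    """Parse a PIX 'timeout ...' line into {name: seconds}.

    Tokens are scanned in order; each h:mm:ss value is assigned to the
    keyword that precedes it, so trailing words like 'absolute' are ignored.
    """
    tokens = line.split()
    if not tokens or tokens[0] != "timeout":
        raise ValueError("not a PIX timeout line: %r" % line)
    result = {}
    previous = None
    for tok in tokens[1:]:
        m = _DURATION.match(tok)
        if m and previous is not None:
            h, mnt, s = (int(x) for x in m.groups())
            result[previous] = h * 3600 + mnt * 60 + s
            previous = None
        else:
            previous = tok
    return result


def run_half_close_demo():
    """Show a TCP half-close: client FIN first, server keeps its side open.

    Returns a dict of observations so the behaviour can be checked rather
    than just printed.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def server():
        conn, _ = listener.accept()
        with conn:
            request = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # b'' means the client's FIN arrived
                    break
                request += chunk
            result["server_saw_eof"] = True
            result["request"] = request
            # The server's half is still open: it can still send data.
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
            result["server_sent_after_client_fin"] = True
            # Leaving the 'with' block calls close(): the server's FIN goes
            # out only now, which is the late packet a stateful firewall
            # may have already forgotten the connection for.
        listener.close()

    t = threading.Thread(target=server)
    t.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", port))
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed sample request
    client.shutdown(socket.SHUT_WR)  # send FIN; connection is now half-closed
    response = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:  # server's FIN finally arrived
            break
        response += chunk
    client.close()
    t.join()
    result["client_response"] = response
    return result


if __name__ == "__main__":
    pix = parse_pix_timeout_line(
        "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 "
        "h323 0:05:00 sip 0:30:00 sip_media 0:02:00"
    )
    print("PIX half-closed timeout: %d s" % pix["half-closed"])
    print("Apache Timeout: 300 s, KeepAliveTimeout: 15 s")
    print(run_half_close_demo())
```

The demo runs entirely on loopback, so no firewall is in the path; what it shows is the ordering the post is reasoning about (client FIN, long server-side hold, server FIN much later), which is the window a stateful device's half-closed timer has to cover.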
