Tags: linux, tcp, poco, keep-alive

Does TCP keepalive send packets to prevent age-out and closing of the connection by a firewall?


I have a setup where we have a firewall between client and server. I connect to 2 different servers, say A and B, and data can flow at any point in time either from A or from B, but only one at a time. It seems that my connection to the server is terminated after every 2 hours 11 mins 15 sec. I have set TCP keepalive in my application and am using the Poco library.

I see that below are the TCP keepalive kernel-level parameters on my box:

  [XYZ@ABC /home]$ cat /proc/sys/net/ipv4/tcp_keepalive_time 
  7200
  [XYZ@ABC /home]$ cat /proc/sys/net/ipv4/tcp_keepalive_intvl 
  75
  [XYZ@ABC /home]$ cat /proc/sys/net/ipv4/tcp_keepalive_probes 
  9

7200 (2 hours) + 9*75 (11 mins 15 sec): somehow the parameters above and the time of disconnect suggest this is happening because of the above settings on my box. Most of the connections between server and client are idle for most of the period (hours), but then data is expected to be coming at any time (not fixed). Say if the idle time on the firewall is set to 30 mins, then should I actually be reducing my tcp_keepalive_time to less than 20 mins so there is a probe between client and server, and hence prevent the firewall from seeing this as an idle connection and actually terminating the connection?

My understanding is that even if the connection is idle, the parameter tcp_keepalive_time will prevent the firewall from closing the connection until this time period. Or should it ideally be less than the firewall idle timeout, so that the firewall sees packet transfer between the two hosts (keepalive probe sent by the client and acknowledgement received from the server) and does not try to close the connection?

Thanks


Solution

  • I tried to reduce tcp_keepalive_time from 7200 to 900 seconds (15 mins). This made sure that TCP keepalive probes were sent after 900 seconds. Due to this, the idle connection timeout of 30 mins set at the firewall was prevented from closing the connection. This resolved my issue. I read about this in the link below, in the Solution section.

    https://www.veritas.com/support/en_US/article.100028680

      [XYZ@ABC /home]$ cat /proc/sys/net/ipv4/tcp_keepalive_time 
      900
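The arithmetic in the question (7200 + 9*75 = 7875 s, exactly 2 h 11 min 15 s) and the fix in the answer can both be checked per socket rather than by editing system-wide sysctls. The following is an added example, not code from the original post or from the Poco library: it uses the raw Linux per-socket options TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT on a plain POSIX socket, computes the worst-case dead-peer detection time, and checks whether the first probe goes out before an assumed 30-minute firewall idle timeout. The firewall timeout, the helper names and the sample settings are assumptions for illustration. In Poco the same constants can be passed through the socket's setOption(level, option, value) wrapper, which is how an application can apply them without touching /proc/sys.

```cpp
#include <cerrno>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>

#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <unistd.h>

// macOS spells the idle option TCP_KEEPALIVE; Linux uses TCP_KEEPIDLE.
#ifndef TCP_KEEPIDLE
#define TCP_KEEPIDLE TCP_KEEPALIVE
#endif

// Keepalive timing for one socket; the three fields mirror the sysctls
// tcp_keepalive_time, tcp_keepalive_intvl and tcp_keepalive_probes.
struct KeepaliveSettings {
    int idle;      // seconds of silence before the first probe
    int interval;  // seconds between unanswered probes
    int count;     // unanswered probes before the kernel drops the connection
};

// Worst-case time from the last data until the kernel declares the peer dead:
// idle + interval * count. With 7200/75/9 this is 7875 s = 2 h 11 min 15 s.
int deadPeerTimeoutSeconds(const KeepaliveSettings& s) {
    return s.idle + s.interval * s.count;
}

// A probe can only refresh a stateful firewall's idle timer if it is sent
// before that timer expires, so idle must be strictly below the firewall's
// idle timeout (assumed here to be supplied by the caller).
bool keepsFirewallSessionAlive(const KeepaliveSettings& s, int firewallIdleSeconds) {
    return s.idle < firewallIdleSeconds;
}

static void setOpt(int fd, int level, int opt, int value, const char* name) {
    if (setsockopt(fd, level, opt, &value, sizeof value) != 0)
        throw std::runtime_error(std::string("setsockopt ") + name + ": " + std::strerror(errno));
}

static int getOpt(int fd, int level, int opt, const char* name) {
    int value = 0;
    socklen_t len = sizeof value;
    if (getsockopt(fd, level, opt, &value, &len) != 0)
        throw std::runtime_error(std::string("getsockopt ") + name + ": " + std::strerror(errno));
    return value;
}

// Enable keepalive on fd and override the kernel defaults for this socket
// only; the /proc/sys/net/ipv4 values stay untouched for everyone else.
void applyKeepalive(int fd, const KeepaliveSettings& s) {
    setOpt(fd, SOL_SOCKET, SO_KEEPALIVE, 1, "SO_KEEPALIVE");
    setOpt(fd, IPPROTO_TCP, TCP_KEEPIDLE, s.idle, "TCP_KEEPIDLE");
    setOpt(fd, IPPROTO_TCP, TCP_KEEPINTVL, s.interval, "TCP_KEEPINTVL");
    setOpt(fd, IPPROTO_TCP, TCP_KEEPCNT, s.count, "TCP_KEEPCNT");
}

// Read the effective per-socket values back from the kernel, which is the
// check to trust rather than the sysctl files.
KeepaliveSettings readKeepalive(int fd) {
    return KeepaliveSettings{getOpt(fd, IPPROTO_TCP, TCP_KEEPIDLE, "TCP_KEEPIDLE"),
                             getOpt(fd, IPPROTO_TCP, TCP_KEEPINTVL, "TCP_KEEPINTVL"),
                             getOpt(fd, IPPROTO_TCP, TCP_KEEPCNT, "TCP_KEEPCNT")};
}

// Create an unconnected TCP socket, apply the settings and read them back.
// No network is needed: the options live on the socket object itself.
KeepaliveSettings configureAndReadBack(const KeepaliveSettings& s) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) throw std::runtime_error(std::string("socket: ") + std::strerror(errno));
    try {
        applyKeepalive(fd, s);
        KeepaliveSettings effective = readKeepalive(fd);
        close(fd);
        return effective;
    } catch (...) {
        close(fd);
        throw;
    }
}

int main() {
    const int firewallIdle = 30 * 60;             // assumed 30 min firewall idle timeout
    const KeepaliveSettings before{7200, 75, 9};  // kernel defaults from the question
    const KeepaliveSettings after{900, 75, 9};    // the value chosen in the answer

    for (const KeepaliveSettings& s : {before, after}) {
        KeepaliveSettings eff = configureAndReadBack(s);
        std::cout << "idle=" << eff.idle << "s intvl=" << eff.interval << "s cnt=" << eff.count
                  << " -> dead peer after " << deadPeerTimeoutSeconds(eff) << "s, "
                  << (keepsFirewallSessionAlive(eff, firewallIdle) ? "refreshes" : "does NOT refresh")
                  << " a " << firewallIdle << "s firewall idle timer\n";
    }
    return 0;
}
```

Two caveats a practitioner should keep in mind: a keepalive probe is an empty ACK segment, and a stateful firewall only refreshes its session entry if it counts such zero-payload segments as traffic, which most do by default but some can be configured not to; and the per-socket options only take effect for sockets that actually have SO_KEEPALIVE enabled, which is what Poco's setKeepAlive(true) turns on.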