This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I see too many TCP keepalives in my Fortigate

0

Hi, I believe I have a problem with my Fortigate firewall: I'm receiving too many TCP keepalives. I already talked about this with my ISP provider. What I told him to do was to increase the session TTL, and it did improve. But I believe he changed it again, and now I'm seeing other problems that I didn't have before, like a lot of TCP out-of-order packets (3 or 4 in a row) as well as TCP duplicate ACKs. What could be the problem?

asked 12 Mar '14, 20:04


Caro
accept rate: 0%


2 Answers:

2

TCP keepalive packets are sent when connections are idle. Their purpose is to generate traffic that would cause a firewall to see activity on the session, reset its inactivity timer and keep the 5-tuple in the connection table. The interval between keepalive packets can be configured but should be less than 5 minutes, which is a common default in FWs to drop idle connections.

When you see too many keepalive packets the reason is probably that you have too many idle TCP connections going through your firewall. I don't know why you consider this a problem, because the result is that the end users will be happy to remain in the connection table instead of seeing ECONNRESET errors on the socket.

As you are posting this problem here on the Wireshark Q&A, I assume you have a trace showing this scenario. This will help you identify

  1. How many unique TCP connections you have
  2. What the keep_alive intervals are
  3. Whether a single IP address is misbehaving in sending keep-alives too often

So you apply the filter `tcp.analysis.keep_alive_ack` or `tcp.analysis.keep_alive` to the trace file, open the Statistics -> Conversations panel, navigate to the TCP tab and check the 'limit to display filter' box.


I don't see what an ISP could do about this, and I don't know what you are referring to when you told them to increase the "ttl session". Can you explain more about what you recommended them to do?

The TCP out-of-order packets and duplicate ACKs should not be a problem: IP packets happen to arrive out of order, as Roland mentioned, and TCP will take care of it. As long as you don't see too many retransmissions, this is nothing to be concerned about.


If you have questions on this separate issue, please raise another separate question in order not to mix things up here.


answered 15 Mar '14, 05:24


mrEEde
accept rate: 20%
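The three checks listed in this answer (unique connections, keepalive intervals, a single host sending keepalives too often) can be run from the command line instead of the Conversations panel. The script below is an added example, not part of the original answer: it assumes the keepalive frames were exported with `tshark -r trace.pcapng -Y tcp.analysis.keep_alive -T fields -e tcp.stream -e frame.time_epoch -E separator=/s`, and the embedded sample output is constructed, not from a real capture.

```shell
#!/bin/sh
# Constructed sample of tshark field output: "<tcp.stream> <frame.time_epoch>",
# one line per keepalive frame. Stream 2 sends keepalives one second apart.
SAMPLE_KEEPALIVES='0 1000.0
1 1000.5
0 1045.0
1 1060.5
0 1090.0
2 1100.0
1 1120.5
2 1101.0
2 1102.0'

# Per TCP stream: "<stream> <keepalive count> <smallest interval in seconds>".
# Answers checks 1 and 2 of the answer: the line count is the number of unique
# connections sending keepalives, the third column is the interval actually used.
keepalive_intervals() {
  printf '%s\n' "$1" | sort -k1,1n -k2,2n | awk '
    {
      n[$1]++
      if ($1 in last) {
        d = $2 - last[$1]
        if (!($1 in min) || d < min[$1]) min[$1] = d
      }
      last[$1] = $2
    }
    END {
      for (s in n) printf "%s %d %s\n", s, n[s], (s in min) ? min[s] : "-"
    }' | sort -n
}

# Check 3: streams whose shortest keepalive interval is below LIMIT seconds,
# i.e. hosts sending keepalives far more often than the firewall timer requires.
flag_frequent() {
  keepalive_intervals "$1" | awk -v limit="$2" '$3 != "-" && $3 + 0 < limit { print $1 }'
}

keepalive_intervals "$SAMPLE_KEEPALIVES"
echo "streams with keepalives closer than 10 s:"
flag_frequent "$SAMPLE_KEEPALIVES" 10
```

Replace `SAMPLE_KEEPALIVES` with the real tshark output (or pipe it in) to get the same table for your trace; the stream index maps back to the 5-tuple with `tshark -r trace.pcapng -Y 'tcp.stream == N'`.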

Caro, you may want to mention what has caused you to look at detailed traffic analysis. Is there a user- or application-indicated issue you are trying to troubleshoot? As mrEEde has indicated, keepalives serve a purpose and are not necessarily indicating a problem. Also, out-of-order packets are quite normal if you have load-balanced links, either at your end or even as traffic travels through and away from your ISP.

(16 Mar '14, 15:31) martyvis

0

One reason for the TCP out-of-order packets could be asymmetric routing.

answered 14 Mar '14, 06:54


Roland
accept rate: 13%