Firewall O&M configuration: handling long-lived connections

Usage scenarios for long-lived connections

When the client and server exchange no data for a long time during normal operation and the idle time exceeds 1800 seconds, the firewall clears the session on timeout. If the client then sends a control packet directly without re-initiating the connection, the data transfer fails. This is common with database connections.

1. Highlights

  • A session timeout expressed in days requires the long-lived session ratio to be enabled; otherwise the setting is invalid and the protocol default applies: TCP 1800 s, UDP 60 s.

  • A session timeout expressed in seconds (maximum 65535, about 18 hours) is not a long-lived session and does not require the long-lived session ratio to be enabled.

  • A timeout defined in a service only takes effect when that service is referenced by a policy.

  • A timeout defined in an application takes effect without any policy reference.

  • An application timeout has lower priority than a service timeout.

  • Use the CLI command show session or the web UI to view the session timeout applied through the policy and confirm whether the configuration is in effect.

  • The configuration only applies to new sessions created after it is completed; sessions that already existed before the configuration are not affected.

2. Scenario analysis

Some services keep the same session open for a long time while waiting for or returning a response; the following situations cause service failure.

  • The idle time of the business connection is long. After the StoneOS session times out, the client and server still consider the connection established, so when the next request is sent the client does not perform a new three-way handshake. If the firewall has SYN check enabled, or the server's response time exceeds the three-way handshake wait time, the packets are discarded.

  • After the client sends a request, the server's response time exceeds the application session lifetime (for example, a query against a very large database takes more than 1800 s). By the time the return packet passes through the firewall the session has already been closed on timeout, so the packet is discarded and the service fails.

The lifetime of the relevant StoneOS session must be longer than the application's waiting and response time. If that duration exceeds the system's predefined lifetime, the configuration below is required.

Common related applications: Oracle database (predefined application SQLNETv2), UDP data transmission of SSL VPN, etc.
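The two failure modes above, played through a minimal stateful session table. This is an added, constructed model (not StoneOS code): addresses, the 1800 s default and the SYN-check behaviour are taken from this page; the table and scenario functions are assumptions for illustration.

```python
TCP_DEFAULT_TIMEOUT = 1800   # protocol default quoted on the page (seconds)
SECONDS_PER_DAY = 86400


class SessionTable:
    """Minimal stateful table: a packet is forwarded only if it matches a live
    session, or if it is a SYN that is allowed to create one (SYN check)."""

    def __init__(self, syn_check: bool = True):
        self.sessions = {}           # flow key -> [timeout, last_hit]
        self.syn_check = syn_check

    @staticmethod
    def _key(src, dst):
        return tuple(sorted((src, dst)))   # both directions share one entry

    def _age_out(self, now: int) -> None:
        # Sessions whose idle time exceeds their timeout are cleared.
        for key in [k for k, (timeout, last) in self.sessions.items()
                    if now - last > timeout]:
            del self.sessions[key]

    def packet(self, now: int, src, dst, syn: bool = False,
               timeout: int = TCP_DEFAULT_TIMEOUT) -> str:
        """Return 'forward' or 'drop' for a packet seen at time `now` (seconds)."""
        self._age_out(now)
        key = self._key(src, dst)
        if key in self.sessions:
            self.sessions[key][1] = now          # a traffic hit resets the idle timer
            return "forward"
        if syn or not self.syn_check:
            self.sessions[key] = [timeout, now]  # new session, timeout fixed at creation
            return "forward"
        return "drop"                            # mid-stream packet with no session


CLIENT = ("10.0.0.5", 40000)      # constructed client address
SERVER = ("10.0.0.100", 1521)     # Oracle listener address used on the page


def idle_then_query(timeout: int = TCP_DEFAULT_TIMEOUT) -> str:
    """Handshake, one hour idle, then a query sent without a new handshake."""
    table = SessionTable()
    table.packet(0, CLIENT, SERVER, syn=True, timeout=timeout)
    return table.packet(3600, CLIENT, SERVER)


def slow_server_reply(timeout: int = TCP_DEFAULT_TIMEOUT) -> str:
    """Query at t=10, server reply crosses the firewall 2000 s later."""
    table = SessionTable()
    table.packet(0, CLIENT, SERVER, syn=True, timeout=timeout)
    table.packet(10, CLIENT, SERVER)           # the query itself
    return table.packet(2010, SERVER, CLIENT)  # reply in the reverse direction
```

With the default both scenarios return "drop"; a two-day timeout (or, for the slow reply, any seconds value above 2000) returns "forward", which is the effect the configuration in section 4 is meant to produce.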

3. Related concepts

  • Business-related concepts

Session idle time: the period during which the connection between client and server is merely kept alive with no data exchanged. As long as the idle time does not exceed this value, the client and server may continue to use the connection.

  • StoneOS-related concepts

Timeout: how long a session is held when no traffic hits it; once this time is exceeded, the session is closed.

Long-lived session: a session whose timeout exceeds 65535 seconds.

4. Related configuration

Set the long-lived session ratio

A session timeout expressed in days requires the long-lived session ratio to be enabled; otherwise the setting is invalid and the protocol default applies: TCP 1800 s, UDP 60 s. A session timeout expressed in seconds (maximum 65535, about 18 hours) is not a long-lived session and does not require the long-lived session ratio to be enabled.

In the web UI, go to [Network] > [Global Network Parameters] and turn on the [Long-lasting session] switch; the recommended ratio is usually 10%.

CLI configuration:

longlife-sess-percent 10

Define long-lived connections through applications

If the setting needs to apply globally to a common application, for example Oracle across the entire network, configure the predefined application. The configuration steps are as follows.

CLI configuration:

  application SQLNETv2
    timeout-day tcp 2
  exit

If the setting needs to apply only to a specific business, such as a specified Oracle server, configure a custom application. The steps are as follows; the interface differs between versions, but the logic is the same.

CLI configuration:

  application oracle-OA
    timeout-day tcp 2
  exit

  signature
    application oracle-OA          # name of the application just created
    src-addr Any
    dst-ip 10.0.0.100/32
    protocol tcp dst-port 1521
  exit

Define long-lived connections through services

Most mainstream versions of the current web UI do not support modifying service timeouts; this can only be configured through the CLI:

  service "tcp1521"
    tcp dst-port 1521 timeout-day 2
  exit

A connection duration defined in a service only takes effect when a policy references that service. If the traffic hits a policy whose service is Any, the timeout is 1800 s.

5. Conditions for taking effect

As shown in the figure below, the predefined application SQLNETv2 takes effect.

As shown in the figure below, the predefined application has been hit but the timeout is still 1800. If there is nothing wrong with the application configuration, the most likely cause is that the long-lived session ratio is not enabled globally.

If the timeout is configured in seconds, it takes effect without enabling long-lived sessions, as shown below.

When the timeout configured in the service and in the application differ, the service referenced by the policy prevails. The session configuration in the figure above is as follows:
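The priority rules from sections 1, 4 and 5 (service over application, days-valued timeouts gated by the global long-lived ratio, seconds-valued timeouts always effective, protocol default otherwise) as an added resolver, plus the troubleshooting checks this section walks through. Constructed illustration, not StoneOS code; function names and the diagnosis strings are assumptions.

```python
from typing import Optional

DEFAULT_TIMEOUT = {"tcp": 1800, "udp": 60}   # protocol defaults quoted on the page
MAX_SECONDS = 65535                          # largest timeout expressible in seconds
SECONDS_PER_DAY = 86400


def days(n: int) -> int:
    """timeout-day n expressed in seconds."""
    return n * SECONDS_PER_DAY


def is_long_lived(timeout: int) -> bool:
    """Page definition: a long-lived session has a timeout above 65535 s."""
    return timeout > MAX_SECONDS


def effective_timeout(proto: str,
                      policy_service_timeout: Optional[int] = None,
                      app_timeout: Optional[int] = None,
                      longlife_enabled: bool = False) -> int:
    """Resolve the timeout a newly created session receives.

    policy_service_timeout: timeout of the service referenced by the hit policy
        (None when the policy's service is Any or carries no timeout).
    app_timeout: timeout of the identified application (no policy reference needed).
    longlife_enabled: whether the global long-lived session ratio is switched on.
    """
    # A service timeout referenced by the policy beats the application timeout.
    configured = policy_service_timeout if policy_service_timeout is not None else app_timeout
    if configured is None:
        return DEFAULT_TIMEOUT[proto]
    # A days-valued timeout is invalid until the long-lived ratio is enabled;
    # a seconds-valued timeout (<= 65535) takes effect regardless.
    if is_long_lived(configured) and not longlife_enabled:
        return DEFAULT_TIMEOUT[proto]
    return configured


def diagnose(observed: int, proto: str, configured: Optional[int],
             longlife_enabled: bool) -> str:
    """Explain a 'show session' timeout that does not match what was configured."""
    if configured is None:
        return "no service or application timeout matched (policy service is Any?)"
    if observed == configured:
        return "configuration in effect"
    if observed == DEFAULT_TIMEOUT[proto] and is_long_lived(configured) and not longlife_enabled:
        return "application or service hit, but long-lived session ratio not enabled globally"
    return "session may predate the configuration; only new sessions pick it up"
```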


Source: blog.csdn.net/LinkSLA/article/details/131212653