- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
This message is reported in the firewall access cache (it is displayed only when the "drop" cache is activated).
TCP Packet Belongs to no Active Session
What does it mean?
The message stated above can originate from the following situations:
Two computers deciding to close their TCP communication do so by exchanging finalisation (FIN) and acknowledgement (ACK) messages. A typical connection termination requires a pair of FIN and ACK messages from each connection endpoint.
In the most commonly used 3-way handshake, host A sends a FIN to host B, and host B replies with a FIN & ACK. Host B has thus terminated its end and will no longer send data to the other side. Host A subsequently terminates its own end by sending an ACK message.
The duration the firewall waits for the last ACK is defined by the Last ACK Timeout (s) value in each firewall rule (Firewall > Rule configuration dialogue > Advanced Settings). By default, the firewall waits 10 seconds for the last ACK and then terminates the session itself. An ACK arriving belatedly (e.g. because of a long response time of host A or because of network congestion) cannot be attributed to an active session and is dropped by the firewall, thus triggering the message stated above.
Some hosts have been observed to respond to a FIN message not with one but with two ACKs. The second ACK cannot be attributed to an active session because the firewall has already terminated the session after the first ACK.
Some hosts have been observed to continue sending data even though connection termination has already been confirmed by both TCP endpoints. This data cannot be attributed to an active session and is dropped by the firewall, again triggering the message stated above.
In mainframe environments, hosts typically depend on an exceptionally long session lifetime, because data is exchanged rarely and the idle times between exchanges are long. If the maximum idle time is exceeded, the firewall terminates the session between the mainframe computers. Data that the hosts continue to send later, not recognising that the connection between them has been disrupted, cannot be attributed to an active session and is dropped, thus triggering the message stated above.
In principle, the message "TCP Packet Belongs to no Active Session" can be regarded as purely informational and as an indicator that a TCP session has terminated slightly "out of order". It is helpful, though, to know the factors that contribute to unscheduled session termination or to frequent TCP packets that cannot be attributed to an active session.
On Barracuda NG Firewall systems, the values influencing session length are customisable in the following places:
a) "Config" > "Box" > "Virtual Servers" > "<Servername>" > "Affected Services" > "<Servicename>" > "Forwarding Rules" > "Services Objects".
The Session Timeout value defines the maximum time an idle TCP session may stay alive before the firewall itself terminates it. By default, this value is set to 86400 seconds (24 hours) for TCP connections, which is sufficient for most applications.
If you observe the "TCP Packet Belongs to no Active Session" message frequently and at the same time experience network problems caused by unwanted session termination, increasing this value might solve the issue.
b) "Config" > "Box" > "Virtual Servers" > "<Servername>" > "Affected Services" > "<Servicename>" > "Forwarding Rules" > "Rule configuration" dialogue > "Advanced Settings" > "Last ACK Timeout (s)"
This parameter defines how long the firewall waits for hosts to terminate their session in an orderly manner (default: 10 seconds). Increasing the value might reduce the frequency of sessions being terminated by the firewall when the last ACK arrives with delay, but it will not solve the issue causing the delay. It is recommended to change the default setting only if the hosts responsible for the delay are clearly identifiable.
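The following Python model is an added example and not part of the original article or of Barracuda's own implementation. It reproduces, in simplified form, the stateful session tracking described above: one entry per TCP flow, the Last ACK Timeout applied once both FINs have been seen, the Session Timeout applied while the flow is idle, and a "TCP Packet Belongs to no Active Session" drop-cache entry for any packet that arrives after the entry has been removed. The four situations listed earlier and the effect of the two parameters under a) and b) are replayed as scenarios; the flow key, port numbers, timings and flag sets are constructed for illustration.

```python
"""Simplified model of the firewall's TCP session tracking (added example,
not Barracuda code). Timeout defaults follow the article: Last ACK Timeout
10 s, Session Timeout 86400 s. All flow keys, times and flags are constructed."""

from dataclasses import dataclass, field

ESTABLISHED = "ESTABLISHED"   # data flowing, no FIN seen yet
FIN_WAIT = "FIN_WAIT"         # one endpoint has sent its FIN
LAST_ACK = "LAST_ACK"         # both endpoints have sent FIN; waiting for the last ACK
NO_SESSION = "TCP Packet Belongs to no Active Session"


@dataclass
class Session:
    state: str = ESTABLISHED
    last_seen: float = 0.0    # time of the last packet attributed to this flow


@dataclass
class SessionTracker:
    session_timeout: float = 86400.0   # a) Session Timeout: idle limit (24 h)
    last_ack_timeout: float = 10.0     # b) Last ACK Timeout (s)
    sessions: dict = field(default_factory=dict)
    drop_cache: list = field(default_factory=list)

    def _expire(self, now):
        """Remove entries whose timer has elapsed; LAST_ACK uses the short timer."""
        for key, s in list(self.sessions.items()):
            limit = self.last_ack_timeout if s.state == LAST_ACK else self.session_timeout
            if now - s.last_seen > limit:
                del self.sessions[key]

    def open(self, key, now):
        """Entry created when the rule allowed the initial handshake."""
        self.sessions[key] = Session(last_seen=now)

    def packet(self, key, flags, now):
        """Attribute one packet to a session; return 'pass' or 'drop'."""
        self._expire(now)
        s = self.sessions.get(key)
        if s is None:
            self.drop_cache.append((now, key, NO_SESSION))
            return "drop"
        s.last_seen = now
        if s.state == ESTABLISHED and "FIN" in flags:
            s.state = FIN_WAIT
        elif s.state == FIN_WAIT and "FIN" in flags:
            s.state = LAST_ACK
        elif s.state == LAST_ACK and "ACK" in flags:
            del self.sessions[key]          # orderly close completed
        return "pass"


# Constructed packet sequences, one per situation from the article:
# (seconds since session start, TCP flags seen in that packet)
SCENARIOS = {
    # 1. host A's final ACK arrives 10.9 s after host B's FIN/ACK
    "late_last_ack": [(1.0, {"FIN"}), (1.1, {"FIN", "ACK"}), (12.0, {"ACK"})],
    # 2. host A answers the FIN with two ACKs
    "duplicate_ack": [(1.0, {"FIN"}), (1.1, {"FIN", "ACK"}), (1.2, {"ACK"}), (1.3, {"ACK"})],
    # 3. data sent after both sides confirmed the termination
    "data_after_close": [(1.0, {"FIN"}), (1.1, {"FIN", "ACK"}), (1.2, {"ACK"}), (2.0, {"PSH", "ACK"})],
    # 4. mainframe case: next data packet after 90000 s of idle time
    "idle_expiry": [(100.0, {"PSH", "ACK"}), (90100.0, {"PSH", "ACK"})],
}


def run_scenario(name, last_ack_timeout=10.0, session_timeout=86400.0):
    """Replay one scenario; return the per-packet verdicts and the drop cache."""
    tracker = SessionTracker(session_timeout=session_timeout,
                             last_ack_timeout=last_ack_timeout)
    key = "hostA:40000<->hostB:80"      # constructed flow key
    tracker.open(key, 0.0)
    verdicts = [tracker.packet(key, flags, t) for t, flags in SCENARIOS[name]]
    return {"verdicts": verdicts, "drop_cache": tracker.drop_cache}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:17s} defaults : {run_scenario(name)['verdicts']}")
    # The same two flows with the article's tuning knobs raised:
    print("late_last_ack     LastACK=30:",
          run_scenario("late_last_ack", last_ack_timeout=30.0)["verdicts"])
    print("idle_expiry  Session=100000:",
          run_scenario("idle_expiry", session_timeout=100000.0)["verdicts"])
```

With the defaults, each scenario ends in a "drop" whose drop-cache entry carries the message from the article. Raising the Last ACK Timeout to 30 s makes the late ACK in scenario 1 pass, and raising the Session Timeout above the idle gap makes the mainframe packet in scenario 4 pass; scenarios 2 and 3 are unaffected by either parameter, which matches the article's point that those drops originate in host behaviour rather than in the firewall's timers.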