ApplicGate
(v12.0.9091.1083 started 2024-11-20 23:42:13 on VM2)

Detecting broken TCP Sessions and Timer Handling
There are various settings and options for detecting a broken TCP session when no disconnect message (FIN bit) has been received (e.g. interface down, remote server crashed, ...).

Options built into the operating system:

TCP Retries:
This number specifies the maximum number of times a TCP packet is retransmitted in established state before giving up and terminating the connection.
The Linux default value is 15, which corresponds to a duration of approximately 13 to 30 minutes, depending on the retransmission timeout.
The Windows default value is 5, which corresponds to a duration of approximately 20 seconds, depending on the retransmission timeout.
Therefore it is good practice to change the Linux value to 5, for example:
sudo sysctl -w net.ipv4.tcp_retries2=5
This setting is active immediately. To make the change persist across reboots, add the following line to /etc/sysctl.conf:
net.ipv4.tcp_retries2=5
The Windows value can be changed in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
Value Name: TcpMaxDataRetransmissions, Type: REG_DWORD, default: 5
Note: A broken session will be detected only if a send request is pending. The number of retries configured above is valid for all TCP sockets in the system.

TCP Keepalive:
Linux and Windows have built-in support for keepalive.
The procedures involving keepalive use three user-configurable variables:
tcp_keepalive_time (Linux default: 7200 sec, Windows default: 7200000 msec)
.. the interval between the last data packet sent (simple ACKs are not considered data) and the first keepalive probe; once the connection is marked as needing keepalive, this counter is not used any further
tcp_keepalive_intvl (Linux default: 75 sec, Windows default: 1000 msec)
.. the interval between subsequent keepalive probes, regardless of what the connection has exchanged in the meantime
tcp_keepalive_probes (Linux default: 9, Windows default: same as TcpMaxDataRetransmissions)
.. the number of unacknowledged probes to send before considering the connection dead and notifying the application layer
Therefore a failed client connection will be closed after the following time interval:
KeepAliveTime + (TCPMaxDataRetransmissions + 1) * KeepAliveInterval
The Linux setting can be changed, e.g.
sudo sysctl -w net.ipv4.tcp_keepalive_time=30
sudo sysctl -w net.ipv4.tcp_keepalive_intvl=1
sudo sysctl -w net.ipv4.tcp_keepalive_probes=5
Do not forget to make these changes persistent (see above).
The Windows value can be changed in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
Value Name: KeepAliveTime, Type: REG_DWORD, default: 7200000 milliseconds
Value Name: KeepAliveInterval, Type: REG_DWORD, default: 1000 milliseconds
Important:
Keepalive support, even if configured in the kernel, is not enabled by default on Linux and Windows. Programs must request keepalive for their sockets explicitly (see keyword KEEPALIVE below).
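As an added illustration (not ApplicGate's own code, which uses the .NET SetSocketOption/IOControl calls mentioned below), the per-socket request the text refers to, written in Python: it enables keepalive on one socket, overrides the three system-wide values for that socket only (Linux TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT, or the Windows SIO_KEEPALIVE_VALS I/O control, where the probe count cannot be set), and evaluates the detection-time formula given above with the page's values. It assumes a Linux host when run.

```python
import socket
import sys

def enable_keepalive(sock, idle_s=30, intvl_s=1, probes=5):
    """Request keepalive for one socket and override the system-wide
    tcp_keepalive_time / _intvl / _probes values for that socket only.
    Returns the (idle, interval, probes) values read back from the socket;
    on Windows the probe count is not settable and is returned as None."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if sys.platform == "win32":
        # Windows exposes time and interval (in milliseconds) through an
        # I/O control; the probe count stays at the system value.
        sock.ioctl(socket.SIO_KEEPALIVE_VALS,
                   (1, idle_s * 1000, intvl_s * 1000))
        return idle_s, intvl_s, None
    # Linux: per-socket overrides of the three sysctl values (seconds / count).
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle_s)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, intvl_s)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return (sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
            sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
            sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT))

def detection_time_s(keepalive_time_s, keepalive_interval_s, probes):
    """Worst-case seconds until an idle connection to a dead peer is closed,
    using the formula from the text:
    KeepAliveTime + (probes + 1) * KeepAliveInterval."""
    return keepalive_time_s + (probes + 1) * keepalive_interval_s

def keepalive_demo(idle_s=30, intvl_s=1, probes=5):
    """Create an (unconnected) TCP socket, enable keepalive on it and
    return the values in effect plus the resulting detection time."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        idle, intvl, cnt = enable_keepalive(sock, idle_s, intvl_s, probes)
    if cnt is None:          # Windows: fall back to the requested count
        cnt = probes
    return idle, intvl, cnt, detection_time_s(idle, intvl, cnt)

if __name__ == "__main__":
    # values from the sysctl example in the text: 30 s idle, 1 s, 5 probes
    print(keepalive_demo())                 # Linux: (30, 1, 5, 36)
    # Linux system defaults from the text: 7200 s idle, 75 s, 9 probes
    print(detection_time_s(7200, 75, 9))    # 7950
```

The second value shows why the system defaults are unsuitable for fast failure detection: with them an idle session to a dead peer lives for more than two hours, whereas the sysctl values from the example close it within 36 seconds.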


Options built into ApplicGate, activated by the following keywords:

KEEPALIVE:time!interval ... KeepAliveTime and KeepAliveInterval in seconds (optional, meaning as described above). The number of keepalive probes cannot be set.
... This keyword is used to activate the TCP Keepalive option of the operating system and it can be defined for each routing entry individually.
... In Windows these values are set using IOControl.
... If time!interval is not specified, or on Linux: keepalive will be enabled via SetSocketOption using the system-defined values (see above).

KILLS ... for autologon routing entries: If an autologon session terminates, the dependent sessions will be terminated (at the end where the autologon rule is defined).
... So the user sessions established via an autologon client can use the time-to-live mechanism (TTL as described below) of the autologon session:
... If the server does not respond any more, all sessions via this server will be terminated.

STO:time .... time (specified in seconds) is the interval to wait for send completion on TCP sessions. On timeout the session will be terminated.
... Caution: The timeout will occur only if the send buffer is full. Not to be confused with the TCP retries described above!

TTL:ttl ... specific maximum idle time, Time To Live (TTL) of session in minutes
... to specify seconds: ttl must end with "s", e.g. TTL:20s
... If during this period no data has been sent or received, the session will be terminated
... If the keyword is not used: The system-wide default specified in keyword TTLDEF is used.
..... to specify that default in seconds: ttldef must end with "s" (see TTLDEF below).
... Special meaning for autologon entries:
.... autologon sessions send a keepalive message if the actual time to live (TTL) of the session is lower than 5 minutes.
... Note for logon sessions:
.... The default value is set to 180 seconds.
.... A keepalive message will be sent by the client every (TTL-TINT)/3 seconds using JavaScript (AJAX).
.... E.g. if TTL is 180 seconds and TINT is 20 seconds, a keepalive message will be sent every 53 seconds.
.... Even if 2 keepalive messages are lost, after 159 seconds the third (successful) keepalive message restores the session's time to live.
.... Caution: If TTL is small the user may not have enough time to enter the data and/or the one-time password.

System-wide Settings:

TINT:interval ... only if GatewayIP2=manage: internal timer interval in seconds for processing of time based functions
... value of interval may be from 1 to 60. If the keyword is not used: The value of the interval is 60 seconds (1 minute).
... Every interval seconds, the STO and TTL of links, expiration of rules, autologon retries, sending of keepalive messages etc. are checked.
... Recommended values for interval are: 1, 2, 3, 4, 5, 6, 10, 12, 15, 20, 30, 60
Remark: All timer based values in keywords such as RETRY, STO and TTL should be greater than TINT.

TTLDEF:ttldef ... only if GatewayIP2=manage: system-wide default for TTL in minutes
... to specify seconds: ttldef must end with "s", e.g. TTLDEF:50s
... If this keyword is not specified: Default is 60 minutes.

reinhold.leitner@applicgate.com (C) November 2024
www.applicgate.com