[SOLVED] How to determine default Iptables established connection timeouts

dalacor · 10-04-2022, 07:49 AM

We are seeing a lot of dropped ACK PSH connections from Mail serer back to activesync client devices on source port 443.

The mail server provider says the Activesync timeouts are 120 secs minimum (2 mins) and 2700 secs max (45 mins).

I presume that the firewall is closing established connections long before 45 mins?

How can I find out what the min and max idle timeouts are for iptables. I use m state established, related. Haven't got around to updating the ruleset to use conntrack.

elgrandeperro · 10-04-2022, 09:47 AM

Its not part of iptables. Its probably a sysctl setting that you can set in /etc/sysctl.conf.

The options are probably /proc/sys/net/ipv4, but what settings to tweak you have to research that because there are timers for many tcp states.

dalacor · 10-04-2022, 10:19 AM

Thank you for that. I think that I have found the settings that I need to look at. The sysctl.conf file doesn't exist, but I can see that I need to create the file and add the necessary settings as the file is only meant to be used to change default Linux settings.

Looks like the Established timeout is 5 days, so obviously this is not the problem. Maybe the last_ack is the problem.

The section that needs to be looked at is net.netfilter.nf_conntrack_tcp_timeout

dalacor · 01-24-2023, 04:56 AM

I am marking this as solved as the issue seems to have fixed itself. I have a feeling that an IOS update fixed the issue as the problem suddenly stopped on the 13th December and has not recurred since. So it would seem that it was not a firewall issue but some IOS issue as I cannot see anything else that could have resulted in the change.