ProxySG will Reset a Connection if the Client Reuses the same Source port in a Short Period of time


Article ID: 166832


Updated On:


ProxySG Software - SGOS


When a client (workstation or load balancer) reuses a source port within the default 2MSL value (default is 2 minutes), the proxy will reject the connection.


SG follows RFC 1122 when handling connection from a reused source port. Section in the RFC says:

            When a connection is closed actively, it MUST linger in
            TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
            However, it MAY accept a new SYN from the remote TCP to
            reopen the connection directly from TIME-WAIT state, if it:

            (1)  assigns its initial sequence number for the new
                 connection to be larger than the largest sequence
                 number it used on the previous connection incarnation,

            (2)  returns to TIME-WAIT state if the SYN turns out to be
                 an old duplicate.

SG will drop the connection if it doesn't meet condition (1). To reduce the chance of a connection being dropped we can reduce the TCP 2MSL value in SG. The default TCP 2MSL value is 120 seconds. The value can be viewed in TCP-IP settings output:

#show tcp-ip
  RFC-1323 support:             enabled
  TCP Newreno support:          disabled
  IP forwarding:                disabled
  ICMP bcast echo response:     disabled
  ICMP timestamp echo response: disabled
  Path MTU Discovery:           disabled
  TCP 2MSL timeout:             120 seconds
  TCP window size:              65535 bytes
  TCP Loss Recovery Mode:       normal
  Bypass connection keep-alive: disabled
  Fast retransmit:              enabled

The TCP 2MSL value can be changed with this command:

#(config)tcp-ip tcp-2msl ?


#(config)tcp-ip tcp-2msl 30

The above set the TCP 2MSL value to 30 seconds. This means a connection will always be accepted after the previous incarnation has been closed for over 30 seconds regardless of what the initial sequence number is. If a client reused the source port faster than 30 seconds the connection can still be dropped if it doesn't meet condition (1) above.

It is not recommended to set this value below 10 seconds or the possibility of creating an unstable condition (TCP ACK storm) could happen if two connections with the same client has the same source and destination port.