Half Open connections vs Half closed connections
Half Open connections
Connections that haven’t been completely established yet are in the "Half-open" state. Every new connection starts off in the half open state but quickly transitions to the established/flowing state if there are no errors in connecting to the peer SH and endpoint server. Thus, this count should typically be low.
However in the case of a SYN or probe attack, the SFE times out (TCP connection establishment timeout) attempting to connect to the fictitious endpoint server, the half open connections will exist for the duration of the connection attempt. The same holds true when there is a network partition between the SFE and server or when the server fails to respond.
If the Half-Open connection count on a Steelhead are consistently high and an issue is suspected, please provide a sysdump to help facilitate investigating the issue.
Half closed connections
Intercepted connections that are tearing down or where the client/server has performed a TCP half-close are in the "Half-Closed" state. A TCP half-close occurs when either endpoint (client or server) sends a TCP FIN indicating that it will not be writing anymore data, just reading data.
This behavior is common in the case of web browsers: The web browser sends the HTTP GET request and then TCP halfcloses the connection as it does not intend to send another request or any more data. It then reads data that is sent by the web server in this state. In the case of some other applications, one end may do a TCP half-close and the connection lasts for a while after that (the application is designed for data flow in one direction only).
Thus its fairly common to have a non-zero "Half Closed" connection count on the Steelheads. Once again, provide the sysdump to support if an issue is suspected.
Comments