I recently had a discussion with someone who had run afoul of their corporate firewall settings. The firewall will clear its state table of any connection that has been idle for over 10 minutes. Unfortunately its behavior when it receives a segment for a connection not in its state table is to silently drop the segment. This means that it can take upwards of 8 minutes for an STCP application to realize that it can no longer communicate with its end point and re-establish the connection. This was annoying his users.
At this point I suggested that the application be modified to include a configurable application layer keep-alive message. Unfortunately, changing the application is not an option. The application also does not set the SO_KEEPALIVE socket option so even changing the system wide keep-alive timer from the 2 hour default down to 9 minutes will not solve the problem.
The solution is a third party TCP layer keep-alive segment. This is a TCP layer keep-alive segment that appears to come from the application (using the module’s IP address as the source address and the application’s TCP port as the source port) and is sent to the remote host’s IP address and port. The firewall notes this as activity and keeps the connection in its state table.
The explanation and examples of my 3rd_party_keep_alive tool are too long for this blog post so you can find the details here.