VMware Networking Community
rajeevsrikant
Expert

NSX DFW - Session Timers

For DFW policy, by default there are timeout values for UDP & TCP.

The max timeout value which can be set is 4320000 seconds (50 days).

Would like to know what the disadvantage of setting this value to 4320000 seconds will be.

What will be the impact of doing this?

11 Replies
Sreec
VMware Employee

If you don't have any application-specific TCP/UDP settings, you don't need to change the DFW values. So be precise with the application requirement, then change accordingly; it should not be vice versa.

Giving a larger value, the firewall will maintain the session, which might not be required for the application (not matching the application requirement). The result would be unnecessary sessions at the firewall level.

Distributed Firewall (DFW) Timers - VMware Professional Services and Education Insights

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
rajeevsrikant
Expert

If the default session timers are changed, will it affect the existing sessions?

For example, if I am changing the TCP session timeout value in production, will it affect the existing sessions which are live?

Sreec
VMware Employee

Are you going to increase or decrease the value? If you are increasing the value to more than the application timeout value, the DFW session will be intact because DFW will still maintain the session.

rajeevsrikant
Expert

I am planning to increase the timer. So if I increase it, you mean to say that the existing connections will remain, with no impact to the session?

Sreec
VMware Employee

Yes, it should not impact the existing sessions.

tanurkov
Enthusiast

Hi,

I believe you will have an impact on current sessions, i.e. the timer will be increased for them also.

Regards, Dmitri

rajeevsrikant
Expert

Thanks

I checked with VMware support; they claim that even if we increase the timer value from the default value, it will have an impact on the existing sessions.

tanurkov
Enthusiast

Yes, it will.

Regards, Dmitri

Sreec
VMware Employee

Thanks for the update. When I tested it by flipping the value in DFW, my session was intact (the application timeout was very low in this case).

rajeevsrikant
Expert

"Giving a larger value, the firewall will maintain the session, which might not be required for the application (not matching the application requirement). The result would be unnecessary sessions at the firewall level."

Regarding the above point which you have made, I would like to clarify as below.

What will be the impact when I increase the session timeout value?

1. Unnecessary sessions will be available in the firewall level.

     - Which means that the session connection limit may get exhausted. For example, each host supports 2,000,000 connections, which may get exhausted.

    - New connections may get dropped. This can cause impact.

Let me know if my above understanding is right.

Apart from this what are the other impacts ?

Is there any impact due to memory or any other performance issues ?

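A constructed model of the connection-table exhaustion the post above is asking about, added here as an illustration; it is not part of the original thread and not NSX code. The per-host limit of 2,000,000 connections and the 4,320,000-second maximum timer are the figures quoted in the thread; the 43,200-second (12 hour) default, the 200,000 legitimately open flows, and the rate of 10 orphaned flows per second are assumptions chosen for the example. An "orphaned" flow is one whose close (FIN/RST) the firewall never observes, so it can only leave the table when the idle timer expires.

```python
"""Constructed model of a stateful firewall connection table under different
idle timeouts. Added illustration, not NSX code: it reproduces only the
bookkeeping the thread is reasoning about. Every flow the firewall sees holds
one table slot until a clean close is observed or the idle timeout expires.
Flows whose close the firewall never sees (crashed endpoint, VM powered off,
asymmetric path) can only leave through the timeout, so the idle timeout
decides how many such orphaned entries pile up against the per-host limit."""
from collections import deque

# Figures quoted in the thread: per-host connection limit and maximum settable timer.
PER_HOST_CONN_LIMIT = 2_000_000
MAX_TCP_ESTABLISHED_S = 4_320_000          # 50 days
# Assumed default TCP established timeout (12 hours); the thread does not state it.
DEFAULT_TCP_ESTABLISHED_S = 43_200


def steady_state_orphans(orphan_rate_per_s: float, idle_timeout_s: int) -> float:
    """Little's law: entries held = arrival rate x residence time (the idle timeout)."""
    return orphan_rate_per_s * idle_timeout_s


def seconds_until_exhaustion(orphan_rate_per_s: float, idle_timeout_s: int,
                             live_baseline: int = 0,
                             limit: int = PER_HOST_CONN_LIMIT):
    """Seconds until orphaned entries fill the table from an empty start, or None
    if the steady state fits below the limit (entries expire as fast as they arrive)."""
    headroom = limit - live_baseline
    if steady_state_orphans(orphan_rate_per_s, idle_timeout_s) <= headroom:
        return None
    return headroom / orphan_rate_per_s


def simulate_table(idle_timeout_s: int, duration_s: int, orphan_rate_per_s: int,
                   live_baseline: int = 0, step_s: int = 3600,
                   limit: int = PER_HOST_CONN_LIMIT):
    """Step the table in coarse time slices and return (peak_occupancy, dropped).

    live_baseline models legitimately open flows that stay roughly constant; the
    orphaned flows are batched per step and expire exactly idle_timeout_s later.
    A new flow is dropped (no state can be created for it) once the table is full.
    """
    pending = deque()          # FIFO of (expiry_time, count) batches
    orphans_held = 0
    dropped = 0
    peak = live_baseline
    for now in range(0, duration_s, step_s):
        # Age out batches whose idle timer has run down.
        while pending and pending[0][0] <= now:
            orphans_held -= pending.popleft()[1]
        arriving = orphan_rate_per_s * step_s
        free = max(limit - live_baseline - orphans_held, 0)
        admitted = min(arriving, free)
        dropped += arriving - admitted
        if admitted:
            pending.append((now + idle_timeout_s, admitted))
            orphans_held += admitted
        peak = max(peak, live_baseline + orphans_held)
    return peak, dropped


if __name__ == "__main__":
    WEEK = 7 * 24 * 3600
    for label, timeout in (("default 12h", DEFAULT_TCP_ESTABLISHED_S),
                           ("max 50d", MAX_TCP_ESTABLISHED_S)):
        eta = seconds_until_exhaustion(10, timeout, live_baseline=200_000)
        peak, dropped = simulate_table(timeout, WEEK, 10, live_baseline=200_000)
        eta_text = "never" if eta is None else f"{eta / 3600:.0f} h"
        print(f"{label:12} steady-state orphans={steady_state_orphans(10, timeout):>12,.0f} "
              f"exhaustion={eta_text} peak={peak:,} dropped_in_week={dropped:,}")
```

With the assumed default the 10 orphans/second expire as fast as they arrive and the table never holds more than about 432,000 stale entries on top of the live flows. With the 50-day maximum the same harmless-looking leak can never drain, the host's 2,000,000-entry table fills in about 50 hours, and every new flow after that is refused state, which is the "new connections may get dropped" outcome the post describes. The rate at which orphans appear is the number to measure before raising the timer.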
Sreec
VMware Employee

Not really sure about other impacts; however, if you are making these kinds of changes you should know the full flow of the application from a network perspective. For N-S and E-W traffic patterns there might be other physical firewalls included, and changing over there will also be required based on the design. In one of the designs I'm working on, I collected the application requirements and, it being a greenfield deployment, I checked and confirmed that the existing firewall is not tweaked with any TCP/UDP values, hence no change on the DFW side as well. That's why I said in the beginning: be sure about the app requirement and the existing network design.
