11-14-2016 08:13 PM
We've recently moved a ClearPass cluster deployment behind firewalls at two different sites.
I've noticed in the firewall logs that a whole lot of PostgreSQL traffic is being dropped as out-of-state.
I'm assuming this is because ClearPass is trying to use a long-standing TCP connection that is older than 1 hour.
Can anyone confirm the maximum connection lifetime that ClearPass would use - if there is one?
11-15-2016 12:35 PM
Firewall logs show the connection is dropped almost exactly after 2 hours (7200 seconds).
Under Server Configuration -> ClearPass system services there is a 'TCP Keep Alive Configuration', which by default is set to 7200.
I take it this means it will only send the first keepalive after 2 hours, which is no good for modern firewalls with default TCP connection state timeouts of 60 minutes.
Needless to say we'll be changing this to 1800 seconds :)
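
Added example, not part of the original posts: one way to confirm from firewall logs that out-of-state drops follow an idle period longer than the firewall's state timeout, by measuring the gap between a flow's last accepted packet and its first drop. The log format, addresses and the names `idle_gaps_before_drop` and `expired_flows` are constructed for illustration; the regex would need adapting to the actual firewall's log format.

```python
import re
from datetime import datetime

FIREWALL_IDLE_TIMEOUT = 3600  # seconds; the 60-minute state timeout from the post

# Constructed sample log (made-up format): timestamp, action, reason, src -> dst
SAMPLE_LOG = """\
2016-11-15 08:00:00 ACCEPT established 10.1.1.10:41822 -> 10.2.2.10:5432
2016-11-15 08:00:05 ACCEPT established 10.2.2.10:5432 -> 10.1.1.10:41822
2016-11-15 08:10:00 ACCEPT established 10.1.1.10:41900 -> 10.2.2.10:5432
2016-11-15 08:40:00 ACCEPT established 10.1.1.10:41900 -> 10.2.2.10:5432
2016-11-15 09:10:00 ACCEPT established 10.1.1.10:41900 -> 10.2.2.10:5432
2016-11-15 10:00:05 DROP out-of-state 10.1.1.10:41822 -> 10.2.2.10:5432
2016-11-15 10:00:06 DROP out-of-state 10.1.1.10:41822 -> 10.2.2.10:5432
"""

LINE_RE = re.compile(r"^(\S+ \S+) (ACCEPT|DROP) (\S+) (\S+) -> (\S+)$")


def idle_gaps_before_drop(log_text):
    """Map each flow to the seconds between its last accepted packet
    and its first out-of-state drop."""
    last_accept, gaps = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines outside the constructed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        action, reason = m.group(2), m.group(3)
        flow = tuple(sorted((m.group(4), m.group(5))))  # direction-independent key
        if action == "ACCEPT":
            last_accept[flow] = ts
        elif reason == "out-of-state" and flow in last_accept and flow not in gaps:
            gaps[flow] = int((ts - last_accept[flow]).total_seconds())
    return gaps


def expired_flows(log_text, timeout=FIREWALL_IDLE_TIMEOUT):
    """Flows whose idle gap met or exceeded the firewall state timeout."""
    return sorted((f, g) for f, g in idle_gaps_before_drop(log_text).items() if g >= timeout)


if __name__ == "__main__":
    for flow, gap in expired_flows(SAMPLE_LOG):
        print(f"{flow[0]} <-> {flow[1]}: idle {gap}s before first drop")
```

In the constructed sample, the flow that sees a packet every 1800 seconds is never dropped, while the flow that stays silent for 7200 seconds is.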