Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass PostgreSQL TCP timeout

  • 1.  ClearPass PostgreSQL TCP timeout

    Posted Nov 14, 2016 11:13 PM

    We've recently moved a ClearPass cluster deployment behind firewalls at two different sites.

     

    I've noticed in the firewall logs that a whole lot of PostgreSQL traffic is being dropped as out-of-state.

     

    I'm assuming this is because ClearPass is trying to use a long-standing TCP connection that is older than 1 hour.

     

    Can anyone confirm the maximum connection lifetime that ClearPass would use - if there is one?



  • 2.  RE: ClearPass PostgreSQL TCP timeout
    Best Answer

    Posted Nov 15, 2016 03:35 PM

    Firewall logs show the connection is dropped almost exactly after 2 hours (7200 seconds).

     

    Under Server Configuration -> ClearPass system services there is a 'TCP Keep Alive Configuration', which by default is set to 7200.

     

    I take it this means it will only send the first keepalive after 2 hours, which is no good for modern firewalls with default TCP connection state timeouts of 60 minutes.

     

    Needless to say, we'll be changing this to 1800 seconds :)
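
The interaction described in this thread, as an added example that is not part of the original posts and is not ClearPass code: a simplified model of an idle TCP connection crossing a stateful firewall, showing why the drops appear at 7200 seconds even though the firewall state expired at 3600, followed by the per-socket keepalive options on Linux. It assumes a completely idle connection and that every keepalive probe reaching the peer is acknowledged; the function names are hypothetical.

```python
import socket

FIREWALL_IDLE_TIMEOUT = 3600  # seconds; the 60-minute default mentioned in the thread


def first_out_of_state_drop(keepalive_idle, firewall_timeout, horizon=86400):
    """Return the time (seconds after the last data packet) at which the
    firewall first drops a keepalive probe as out-of-state, or None if the
    state entry survives for the whole horizon."""
    last_seen = 0          # last packet the firewall saw for this flow
    t = keepalive_idle     # time of the next keepalive probe
    while t <= horizon:
        # Conservative: a probe arriving exactly at the timeout counts as too late.
        if t - last_seen >= firewall_timeout:
            return t       # state already expired, probe is dropped and logged
        last_seen = t      # probe and its ACK refresh the state entry
        t += keepalive_idle
    return None


def enable_keepalive(sock, idle, interval=75, probes=9):
    """Turn on TCP keepalive for one socket and return the idle time the
    kernel reports back (None where the Linux option names are absent)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):  # Linux constant names
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
        return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)
    return None


if __name__ == "__main__":
    # The two keepalive values discussed in the thread.
    for idle in (7200, 1800):
        drop = first_out_of_state_drop(idle, FIREWALL_IDLE_TIMEOUT)
        verdict = f"first probe dropped at {drop}s" if drop else "state stays alive"
        print(f"keepalive idle {idle}s vs firewall {FIREWALL_IDLE_TIMEOUT}s: {verdict}")

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print("kernel-reported idle time:", enable_keepalive(s, 1800))
    s.close()
```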