<div dir="auto">Hi J Carter,<div dir="auto"><br></div><div dir="auto">Thank you for your reply.</div><div dir="auto">I am capturing the packets from the firewall, and the filtering is as per below for the previously attached pcap.</div><div dir="auto"><br></div><div dir="auto">Source : client app -- Dest : nginx proxy , any port to any port</div><div dir="auto"><br></div><div dir="auto">Source : public server -- Dest : nginx proxy , any port to any port</div><div dir="auto"><br></div><div dir="auto">Source : nginx proxy -- Dest : client app , any port to any port</div><div dir="auto"><br></div><div dir="auto">Source : nginx proxy -- Dest : public server , any port to any port.</div><div dir="auto"><br></div><div dir="auto">Perhaps I will try to do tcpdump from the client app as well. </div><div dir="auto"><br></div><div dir="auto">One more piece of info that I noticed on the client app host: the netstat command shows CLOSE_WAIT for the terminated session. It seems like CLOSE_WAIT is the sign that the closing is from the external side (in this case the client app is connected to the nginx proxy), is this right?</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 20, 2024, 10:06 AM J Carter <<a href="mailto:jordanc.carter@outlook.com">jordanc.carter@outlook.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
On Tue, 20 Feb 2024 09:40:13 +0800<br>
Kin Seng <<a href="mailto:ckinseng@gmail.com" target="_blank" rel="noreferrer">ckinseng@gmail.com</a>> wrote:<br>
<br>
> Hi J Carter,<br>
> <br>
> These are the only results from the whole 5 minutes session (intentionally<br>
> without any transaction to create inactivity). Are there any symptoms which<br>
> can prove that other parties are the ones who initiate the closing?<br>
> <br>
<br>
Packet capture is the easiest, however it looks like you have<br>
missing data in PCAP for some reason (like tcpdump filters).<br>
<br>
I suppose you could also perform packet capture on the client app host<br>
instead of on the nginx host to corroborate the data - that would show<br>
who sent FIN first.<br>
<br>
Also, as Roman says in adjacent thread, debug level logs will also show<br>
what happened.<br>
<br>
> On Tue, Feb 20, 2024, 9:33 AM J Carter <<a href="mailto:jordanc.carter@outlook.com" target="_blank" rel="noreferrer">jordanc.carter@outlook.com</a>> wrote:<br>
> <br>
> > Hello,<br>
> ><br>
> > On Mon, 19 Feb 2024 16:24:48 +0800<br>
> > Kin Seng <<a href="mailto:ckinseng@gmail.com" target="_blank" rel="noreferrer">ckinseng@gmail.com</a>> wrote:<br>
> ><br>
> > [...] <br>
> > > Please refer to the attachments for reference.<br>
> > ><br>
> > > On Mon, Feb 19, 2024 at 4:24 PM Kin Seng <<a href="mailto:ckinseng@gmail.com" target="_blank" rel="noreferrer">ckinseng@gmail.com</a>> wrote: <br>
> > > > After capturing the TCP packets and checking via Wireshark, I found out that<br>
> > > > nginx is sending out the RST to the public server and then sends FIN/ACK<br>
> > > > (refer to the attached pcap picture) to the client application.<br>
> > > ><br>
> > > > I have tried to enable keepalive related parameters as per the nginx<br>
> > > > config above and also checked the OS's TCP tunables, and I could not find<br>
> > > > any related settings which make NGINX kill the TCP connection.<br>
> > > ><br>
> > > > Anyone encountering the same issues?<br>
> > > > <br>
> ><br>
> > The screenshot shows only 1 segment with FIN flag set too which is<br>
> > odd - there should be one from each party in close sequence. Also the<br>
> > client only returns an ACK, rather than FIN+ACK, which it should if<br>
> > nginx was the initiator of closing the connection...<br>
> > _______________________________________________<br>
> > nginx mailing list<br>
> > <a href="mailto:nginx@nginx.org" target="_blank" rel="noreferrer">nginx@nginx.org</a><br>
> > <a href="https://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer noreferrer" target="_blank">https://mailman.nginx.org/mailman/listinfo/nginx</a><br>
> > <br>
</blockquote></div>
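The check discussed in this thread (which side sent the first FIN or RST, and whether a FIN was captured from both sides) can be run over the text output of `tcpdump -nn`. The following is an added example, not code from the thread or from nginx; the sample lines, addresses and ports are constructed, and the function name `close_summary` is hypothetical.

```python
import re

# Constructed sample in `tcpdump -nn` text format; all addresses and ports are made up.
# 192.0.2.20 plays the proxy, 192.0.2.10 the client app, 203.0.113.5 the public server.
SAMPLE = """\
10:00:00.000001 IP 192.0.2.10.40000 > 192.0.2.20.8080: Flags [P.], seq 1:11, ack 1, win 502, length 10
10:00:00.000200 IP 192.0.2.20.8080 > 192.0.2.10.40000: Flags [.], ack 11, win 509, length 0
10:05:00.100000 IP 192.0.2.20.8080 > 192.0.2.10.40000: Flags [F.], seq 1, ack 11, win 509, length 0
10:05:00.100300 IP 192.0.2.10.40000 > 192.0.2.20.8080: Flags [.], ack 2, win 502, length 0
10:05:00.200000 IP 192.0.2.20.9000 > 203.0.113.5.443: Flags [R.], seq 1, ack 1, win 0, length 0
"""

LINE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def close_summary(text):
    """Per TCP connection: who sent the first FIN/RST, and whether both sides sent a FIN."""
    conns = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an IPv4 TCP line in the expected format
        ts, sip, sport, dip, dport, flags = m.groups()
        src, dst = f"{sip}:{sport}", f"{dip}:{dport}"
        key = tuple(sorted((src, dst)))  # same key for both directions
        c = conns.setdefault(key, {"initiator": None, "kind": None, "time": None, "fins": set()})
        if "F" in flags:
            c["fins"].add(src)
        if c["initiator"] is None and ("F" in flags or "R" in flags):
            c.update(initiator=src, kind="RST" if "R" in flags else "FIN", time=ts)
    for c in conns.values():
        # One FIN only means the close is half-finished or the capture missed packets.
        c["fin_from_both"] = len(c.pop("fins")) == 2
    return conns


if __name__ == "__main__":
    for (a, b), c in close_summary(SAMPLE).items():
        print(f"{a} <-> {b}: first {c['kind']} from {c['initiator']} at {c['time']}, "
              f"FIN from both sides: {c['fin_from_both']}")
```

A socket shown in CLOSE_WAIT by netstat has received the peer's FIN while the local application has not yet closed it, so on that host's own capture the peer should appear as the first FIN sender.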