Page 1 of 1

What is a "zombie" connection in the connection table?

Posted: 22 Aug 2017, 07:37
by Peter
This FAQ applies to:
  • Clavister cOS Core all versions.
In my connection table i see from time to time a "Zombie" connection, what is that?


A zombie connection is a connection that cOS Core has tagged for removal. A connection may be closed due to many reasons such as timeout, a FIN or RST has been received from the client or server, a manual connection close in the CLI and more. Once a connection is due for closure (after the TCP FIN wait state, if a TCP connection, has expired) it will be tagged as a "zombie" connection and then closed by cOS Core. The reason cOS Core does this is in case there are tens of thousands or even millions of connections that is due for closure at the same time and to avoid that cOS Core allocates all available CPU resources for this operation, the close operation is added to a close queue which is the zombie state. cOS Core then very quickly works through the zombie close queue in order to remove them from the connection table without affecting the system as a whole.

Example of zombie connections:

Code: Select all

State    Proto   Source                      Destination                 Tmout
-------- ------- --------------------------- --------------------------- ------
ZOMBIE   TCP     ge1:      dmz:
ZOMBIE   UDP     ge1:      wan:
Note that the connection timeout value is blank as a zombie connection does not have a timeout value due to it being in the queue for being removed from the connection state table.