Question:
In my connection table i see from time to time a “zombie” connection, what is that?
Answer:
A zombie connection is a connection that cOS Core has tagged for removal. A connection may be closed due to many reasons such as time-out, a FIN or RST has been received from the client or server, a manual connection close in the CLI and more. Once a connection is tagged for closure (after the TCP FIN wait state, if a TCP connection, has expired) it will be tagged as a “zombie” connection and then closed by cOS Core. The reason cOS Core does this is in case there are tens of thousands or even millions of connections that is due for closure at the same time and to avoid that cOS Core allocates all available CPU resources for this operation, the close operation is added to a close queue which is the zombie state. cOS Core then quickly work through the zombie close queue in order to remove them from the connection table without affecting the system as a whole.
Example of how a zombie connection can look like:
State Proto Source Destination Tmout
-------- ------- --------------------------- --------------------------- ------
ZOMBIE TCP ge1:192.168.98.55:4661 dmz:192.168.98.27:80
ZOMBIE UDP ge1:192.168.98.66:4662 wan:8.8.8.8:53
Note that the connection timeout value is blank as a zombie connection does not have a timeout value due to it being in the queue for being removed from the connection state table.
Related articles
4 Apr, 2023 core stateless connections
9 Mar, 2021 core ping connections
23 Jun, 2021 core connections
23 Aug, 2022 core connections ipsec memory