What is a "zombie" connection?

Last modified on 24 Mar, 2021. Revision 6
What is a "zombie" connection in the connection table? It seems to only exist for a very brief moment before disappearing.
Up to date for
Supported since
Status OK
Peter Nilsson


In my connection table i see from time to time a “zombie” connection, what is that?


A zombie connection is a connection that cOS Core has tagged for removal. A connection may be closed due to many reasons such as time-out, a FIN or RST has been received from the client or server, a manual connection close in the CLI and more. Once a connection is tagged for closure (after the TCP FIN wait state, if a TCP connection, has expired) it will be tagged as a “zombie” connection and then closed by cOS Core. The reason cOS Core does this is in case there are tens of thousands or even millions of connections that is due for closure at the same time and to avoid that cOS Core allocates all available CPU resources for this operation, the close operation is added to a close queue which is the zombie state. cOS Core then quickly work through the zombie close queue in order to remove them from the connection table without affecting the system as a whole.

Example of how a zombie connection can look like:

State Proto Source Destination Tmout -------- ------- --------------------------- --------------------------- ------ ZOMBIE TCP ge1: dmz: ZOMBIE UDP ge1: wan:

Note that the connection timeout value is blank as a zombie connection does not have a timeout value due to it being in the queue for being removed from the connection state table.

Related articles

Using Stateless IP Policies in cOS Core
4 Apr, 2023 core stateless connections
Could not open outbound connection?
9 Mar, 2021 core ping connections
Freeing up more memory in the Firewall
23 Aug, 2022 core connections ipsec memory