What is a "zombie" connection?

Last modified on 24 Mar, 2021. Revision 6
What is a "zombie" connection in the connection table? It seems to only exist for a very brief moment before disappearing.
Up to date for
13.00.09
Supported since
8.90.xx
Status OK
Author
Peter Nilsson

Question:

In my connection table i see from time to time a “zombie” connection, what is that?

Answer:

A zombie connection is a connection that cOS Core has tagged for removal. A connection may be closed due to many reasons such as time-out, a FIN or RST has been received from the client or server, a manual connection close in the CLI and more. Once a connection is tagged for closure (after the TCP FIN wait state, if a TCP connection, has expired) it will be tagged as a “zombie” connection and then closed by cOS Core. The reason cOS Core does this is in case there are tens of thousands or even millions of connections that is due for closure at the same time and to avoid that cOS Core allocates all available CPU resources for this operation, the close operation is added to a close queue which is the zombie state. cOS Core then quickly work through the zombie close queue in order to remove them from the connection table without affecting the system as a whole.

Example of how a zombie connection can look like:


State Proto Source Destination Tmout -------- ------- --------------------------- --------------------------- ------ ZOMBIE TCP ge1:192.168.98.55:4661 dmz:192.168.98.27:80 ZOMBIE UDP ge1:192.168.98.66:4662 wan:8.8.8.8:53


Note that the connection timeout value is blank as a zombie connection does not have a timeout value due to it being in the queue for being removed from the connection state table.

Related articles

Could not open outbound connection?
9 Mar, 2021 core ping connections
Freeing up more memory in the Firewall
18 Feb, 2021 core connections ipsec memory