TCP 3-WAY Handshake vs TCP Half-Open

1.     TCP 3-Way handshake –

TCP is a connection-oriented protocol, a connection needs to be established before two devices can communicate. TCP uses a process called three-way handshake to negotiate the sequence and acknowledgment fields and start the session. Here is a graphical representation of the process.

The three way handshake process consists of three steps:

a.      Host A initiates the connection by sending the TCP SYN packet to the destination host. The packet contains the random sequence number (e.g. 5432) which marks the beginning of the sequence numbers for data that the Host A will transmit.

b.      The Server receives the packet and responds with its own sequence number. The response also includes the acknowledgment number, which is Host A’s sequence number incremented by 1 (in our case, that would be 5433).

a.      Host A acknowledges the response of the Server by sending the acknowledgment number, which is the Server’s sequence number incremented by 1.

Post TCP 3 way handshake, the data transfer starts. After the data transmission process is finished, the connection will get terminated by sending FIN (FINISHED) flag which does graceful termination of connection.

TCP Half Open connection –

TCP connections are called Half Open connections when the third step of the 3-Way handshake sending final ACK to the server fails (as shown in below figure) or if one of the hosts closes the connection without acknowledging the other.

Half Open connection process is given below –

1.      Host initializes the request by sending SYN packet.

2.      Server replies to the client with SYN_ACK, and at this point server reserves some resource for the client and waits for the final ACK to arrive (Acknowledgment message).

3.      However, the client does not respond to the server with final Acknowledgment.

So an established connection is said to be "half-open" if one of the TCPs has closed or aborted the connection at its end without the knowledge of the other, or if the two ends of the connection have become desynchronized owing to a crash that resulted in loss of memory. Such connections will automatically become reset if an attempt is made to send data in either direction. However, half-open connections are expected to be unusual.

F5 TCP-Half Open monitor –

F5 also have TCP-Half Open monitor available under Local trafficàMonitors. Tcp_half_open monitor is most widely used for gateway monitoring when you just need to ensure the socket is responding to connection requests and desire the lowest overhead on the monitoring target.

The tcp_half_open monitor sends a SYN packet to the pool member, and if a SYN-ACK is received from the server in response, the pool member is marked UP.

There are few use cases to use TCP-half open monitor as given below –

For example, a webserver would be less impacted by a half open connection request that is immediately reset than a connection that completes the entire open and close handshake sequence.

Another common use for the tcp_half_open monitor is to prevent the application from spewing a bunch of log messages indicating connections were opened but not used.

It should be noted that some applications cannot gracefully handle the half open connection and subsequent reset, so some testing should be done in order before implementing this monitor.

There is option available to test same under ‘Test’ tab shown in above image. Under Test tab, you can put webserver IP alongwith its associated port.

And it will show Test results and it can be confirmed if application supports TCP-Half open or not.

Do test same in your environment and share your observations.

I hope, this article helps you. Your inputs, suggestions or questions are always welcome.

Mayur