It depends on the protocol in use, but essentially yes it's when the underlying protocol times out (TCP, UDP, ICMP, etc.).  The session is closed when the duration of time for which no traffic has been received for a given session has elapsed.  It is not for the first TCP negotiation.  An entry is created in the session table once the session table is established and successive traffic which matches that session continually resets the timer.  See my response in the other thread for additional details.

Stefan,
For one reason or another I created the custom service Netbios for Netbios(NS). Wait, now I recall, although the firewall will detect and block 'Netscreen (NS)' packets, there doesn't seem to be a correlating predefined entry to allow for it when making a policy. Anyway, the service is setup as:

Netbios TCP src port: 0-65535, dst port: 137-137 30 Edit Remove

As you can see, the timeout is 30 minutes, yet in my firewall I constantly see:

2008-01-29 16:34:42 172.31.202.4:34113 10.200.1.2:137 172.31.202.4:34113 10.200.1.2:137 NETBIOS (NS) 60 sec. 96 102 Close - AGE OUT
2008-01-29 16:34:26 172.31.202.4:34112 10.200.1.2:137 172.31.202.4:34112 10.200.1.2:137 NETBIOS (NS) 59 sec. 96 102 Close - AGE OUT

So I went looking for a reason, since these sessions should not 'age out' at around the 60 second marker. Is there something behind the scenes that I am missing??

hi,

 

how do you explain that closeage out could be appear, before timer 30 min regarding a TCP session ?

 

it seems the case , for us on a cluster ISG2k.

 

regards.

Hi,

 

I would recommend to run debug and check if there are RPC mapping table hits as described in KB15038 "Sessions on Microsoft Active Directory Services Time Out Earlier Than Expected".