ScreenOS Firewalls (NOT SRX)
Contributor
faycal
Posts: 50
Registered: ‎11-26-2007

Close Age Out Message

Hello all,
I want to ask what "Close Age Out" means in the policy log on a NetScreen FW.
Is there any relation with the timeout of the protocol used in this policy?

Please help me to resolve this issue.
Thanks
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: Close Age Out Message

Yes, this is related to the timeout of the protocol as configured for each service or protocol defaults. However, I have seen instances where age out can be shown for certain FIN 4-way close with TCP proxy involved. Is there an issue you are seeing?
Contributor
faycal
Posts: 50
Registered: ‎11-26-2007

Re: Close Age Out Message

Thanks for your reply.
Please tell me what exactly the timeout of a service means. Is it the time to close the TCP connection when there is no data traffic, or the time to close the connection just for the first TCP negotiation?
It's important for me to know the exact definition of this timeout to troubleshoot some issues in my internal connection.

Thanks
Recognized Expert
sfouant
Posts: 190
Registered: ‎11-28-2007

Re: Close Age Out Message

It depends on the protocol in use, but essentially yes it's when the underlying protocol times out (TCP, UDP, ICMP, etc.).  The session is closed when the duration of time for which no traffic has been received for a given session has elapsed.  It is not for the first TCP negotiation.  An entry is created in the session table once the session table is established and successive traffic which matches that session continually resets the timer.  See my response in the other thread for additional details.
 
Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

New User
stkrzysiak
Posts: 1
Registered: ‎01-29-2008

Re: Close Age Out Message

Stefan,
For one reason or another I created the custom service Netbios for Netbios(NS). Wait, now I recall: although the firewall will detect and block 'Netscreen (NS)' packets, there doesn't seem to be a correlating predefined entry to allow for it when making a policy. Anyway, the service is set up as:

Netbios TCP src port: 0-65535, dst port: 137-137 30

As you can see, the timeout is 30 minutes, yet in my firewall I constantly see:

2008-01-29 16:34:42 172.31.202.4:34113 10.200.1.2:137 172.31.202.4:34113 10.200.1.2:137 NETBIOS (NS) 60 sec. 96 102 Close - AGE OUT
2008-01-29 16:34:26 172.31.202.4:34112 10.200.1.2:137 172.31.202.4:34112 10.200.1.2:137 NETBIOS (NS) 59 sec. 96 102 Close - AGE OUT

So I went looking for a reason, since these sessions should not 'age out' at around the 60 second marker. Is there something behind the scenes that I am missing??
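The comparison described in the post above (sessions logged as Close - AGE OUT versus the timeout expected for the service), as an added example that is not part of the original thread. The column layout, the function names and the last two sample lines are assumptions made for illustration.

```python
import re

# Assumed columns: time, src, dst, translated src, translated dst,
# service, duration, bytes sent, bytes received, close reason.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<xsrc>\S+) (?P<xdst>\S+) "
    r"(?P<service>.+?) (?P<duration>\d+) sec\. "
    r"(?P<sent>\d+) (?P<received>\d+) Close - (?P<reason>.+)$"
)

SAMPLE = [
    # The two lines quoted in the thread.
    "2008-01-29 16:34:42 172.31.202.4:34113 10.200.1.2:137 172.31.202.4:34113 10.200.1.2:137 NETBIOS (NS) 60 sec. 96 102 Close - AGE OUT",
    "2008-01-29 16:34:26 172.31.202.4:34112 10.200.1.2:137 172.31.202.4:34112 10.200.1.2:137 NETBIOS (NS) 59 sec. 96 102 Close - AGE OUT",
    # Constructed lines: a normal TCP close and an age-out at the full timeout.
    "2008-01-29 16:40:00 172.31.202.4:34200 10.200.1.2:80 172.31.202.4:34200 10.200.1.2:80 HTTP 12 sec. 540 2300 Close - TCP FIN",
    "2008-01-29 17:10:00 172.31.202.4:34300 10.200.1.2:137 172.31.202.4:34300 10.200.1.2:137 Netbios 1800 sec. 96 102 Close - AGE OUT",
]

def parse_line(line):
    """Parse one traffic-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("duration", "sent", "received"):
        rec[key] = int(rec[key])
    return rec

def early_age_outs(lines, expected_timeout_min, slack=0.9):
    """Return AGE OUT records whose whole lifetime is shorter than the expected
    idle timeout, so the configured timer cannot be what closed them.

    expected_timeout_min maps the service name as logged to the timeout in
    minutes that the operator expects; slack tolerates timer granularity.
    """
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        expected = expected_timeout_min.get(rec["service"])
        if rec["reason"] != "AGE OUT" or expected is None:
            continue
        if rec["duration"] < slack * expected * 60:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in early_age_outs(SAMPLE, {"NETBIOS (NS)": 30, "Netbios": 30}):
        print(rec["time"], rec["src"], "->", rec["dst"], rec["service"], rec["duration"], "sec")
```

The service column of each flagged record shows which service name the session was logged under, which can be compared with the name of the service whose timeout was configured.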
New User
kiteboy
Posts: 2
Registered: ‎02-17-2012

Re: Close Age Out Message


Hi,

How do you explain that Close Age Out can appear before the 30 min timer for a TCP session?

It seems to be the case for us on an ISG2k cluster.

Regards.

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009

Re: Close Age Out Message

Hi,

I would recommend running debug and checking whether there are RPC mapping table hits, as described in KB15038 "Sessions on Microsoft Active Directory Services Time Out Earlier Than Expected".

Kind regards,
Edouard