Hi samc,
Thank you for your reply.
If I create a custom service, I don't know if my global policy will take account of my new services with their new timeout.
Only port 2050 is a problem in the direction: (trust)192.1.2.26 ==> FW [(eth0/2) --> (eth0/3)] ==> (trust)192.168.20.3.
While port 2060 communicates in the direction: (trust)192.168.20.3 ==> FW [(eth0/3) --> (eth0/2)] ==> (trust)192.1.2.26.
So my last solution will be to disable tcp-syn-check.
But this morning I have captured packets with a filter on my SSG5:
****** 553835.0: <Trust/ethernet0/2> packet received [52]******
ipid = 28576(6fa0), @03a427f0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:192.1.2.26/57006->192.168.20.3/2050,6<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 192.1.2.26->192.168.20.3) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 5.route 192.168.20.3->192.168.20.3, to ethernet0/3
routed (x_dst_ip 192.168.20.3) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/3
policy search from zone 2-> zone 2
policy_flow_search policy search nat_crt from zone 2-> zone 2
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.20.3, port 2050, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
Searching global policy.
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
Permitted by policy 320002
No src xlate choose interface ethernet0/3 as outgoing phy if
no loop on ifp ethernet0/3.
session application type 0, name None, nas_id 0, timeout 1800sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/3>
existing vector list 3-435dcdc.
Session (id:7666) created for first pak 3
flow_first_install_session======>
route to 192.168.20.3
arp entry found for 192.168.20.3
ifp2 ethernet0/3, out_ifp ethernet0/3, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/3, 192.168.20.3->192.1.2.26) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2
[ Dest] 3.route 192.1.2.26->192.1.2.26, to ethernet0/2
route to 192.1.2.26
arp entry found for 192.1.2.26
ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 7666
flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/3
flow vector index 0x3, vector addr 0x20f6a38, orig vector 0x20f6a38
Got syn, 192.1.2.26(57006)->192.168.20.3(2050), nspflag 0x801801, 0x800800
post addr xlation: 192.1.2.26->192.168.20.3.
send packet to traffic shaping queue.
flow_ip_send: 6fa0:192.1.2.26->192.168.20.3,6 => ethernet0/3(52) flag 0x20000, vlan 0
pak has mac
Send to ethernet0/3 (66)
****** 553835.0: <Trust/ethernet0/3> packet received [40]******
ipid = 33005(80ed), @03a387f0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/3:192.168.20.3/2050->192.1.2.26/57006,6, 5014(rst)<Root>
existing session found. sess token 3
flow got session.
flow session id 7666
flow_main_body_vector in ifp ethernet0/3 out ifp N/A
flow vector index 0x3, vector addr 0x20f6a38, orig vector 0x20f6a38
flow_tcp_fin_vector()
post addr xlation: 192.168.20.3->192.1.2.26.
send packet to traffic shaping queue.
flow_ip_send: 80ed:192.168.20.3->192.1.2.26,6 => ethernet0/2(40) flag 0x20000, vlan 0
pak has mac
Send to ethernet0/2 (60)
****** 553835.0: <Trust/ethernet0/2> packet received [48]******
ipid = 28593(6fb1), @03a527f0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:192.1.2.26/57006->192.168.20.3/2050,6<Root>
existing session found. sess token 3
flow got session.
flow session id 7666
flow_main_body_vector in ifp ethernet0/2 out ifp N/A
flow vector index 0x3, vector addr 0x20f6a38, orig vector 0x20f6a38
Got syn, 192.1.2.26(57006)->192.168.20.3(2050), nspflag 0x801801, 0x800800
post addr xlation: 192.1.2.26->192.168.20.3.
send packet to traffic shaping queue.
flow_ip_send: 6fb1:192.1.2.26->192.168.20.3,6 => ethernet0/3(48) flag 0x20000, vlan 0
pak has mac
Send to ethernet0/3 (62)
I can see we haven't got a session for 192.1.2.26 <==> 192.168.20.3 port 2050 but only for port 2060:
ssg5-serial-> get session dst-ip 192.168.20.3
alloc 19/max 8064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 8045
Total 1 sessions according filtering criteria.
id 7983/s**,vsys 0,flag 08000040/0000/0001/0000,policy 320002,time 180, dip 0 module 0
if 6(nspflag 801801):192.1.2.26/56067->192.168.20.3/2060,6,842b2b75db36,sess token 3,vlan 0,tun 0,vsd 0,route 3,wsf 0
if 7(nspflag 801800):192.1.2.26/56067<-192.168.20.3/2060,6,0001ecff3dbb,sess token 3,vlan 0,tun 0,vsd 0,route 5,wsf 8
Total 1 sessions shown
I have a problem in my flow, but how can I resolve this...
Thank you for your help.
Charlie
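As an added example (not Charlie's or samc's code, and not a ScreenOS tool), the following Python snippet parses the debug flow lines quoted in the post above, groups the packets by firewall session id and reports whether the far end answered with an RST; the regexes are this example's own assumptions about the trace format, and the embedded trace is a representative subset of the lines quoted in the post.

```python
import re
# Representative lines from the 'debug flow basic' trace quoted in the post above;
# the regexes are this example's own assumptions about the ScreenOS text format.
TRACE = """\
****** 553835.0: <Trust/ethernet0/2> packet received [52]******
ethernet0/2:192.1.2.26/57006->192.168.20.3/2050,6<Root>
no session found
Permitted by policy 320002
Session (id:7666) created for first pak 3
Got syn, 192.1.2.26(57006)->192.168.20.3(2050), nspflag 0x801801, 0x800800
****** 553835.0: <Trust/ethernet0/3> packet received [40]******
ethernet0/3:192.168.20.3/2050->192.1.2.26/57006,6, 5014(rst)<Root>
flow session id 7666
****** 553835.0: <Trust/ethernet0/2> packet received [48]******
ethernet0/2:192.1.2.26/57006->192.168.20.3/2050,6<Root>
flow session id 7666
Got syn, 192.1.2.26(57006)->192.168.20.3(2050), nspflag 0x801801, 0x800800
"""

PKT_HDR = re.compile(r"^\*{6} [\d.]+: <\w+/(?P<ifp>[\w/]+)> packet received \[\d+\]")
TUPLE = re.compile(r"^\w+/\d+:(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
                   r",(?P<proto>\d+)(?:, (?P<tcpflag>\w+\(\w+\)))?<")
SESSION = re.compile(r"^(?:Session \(id:|flow session id )(\d+)")
POLICY = re.compile(r"^Permitted by policy (\d+)")

def parse_trace(text):
    """One dict per packet banner: ingress ifp, 5-tuple, session id, permitting policy, TCP flag annotation."""
    packets, cur = [], {"notes": []}  # the initial dict is a sink for any text before the first banner
    for line in text.splitlines():
        if (m := PKT_HDR.match(line)):
            cur = {"ifp": m["ifp"], "session": None, "policy": None, "tcpflag": None, "notes": []}
            packets.append(cur)
        elif (m := TUPLE.match(line)):
            cur.update(src=m["src"], sport=int(m["sport"]), dst=m["dst"],
                       dport=int(m["dport"]), proto=int(m["proto"]), tcpflag=m["tcpflag"])
        elif (m := SESSION.match(line)):
            cur["session"] = int(m.group(1))
        elif (m := POLICY.match(line)):
            cur["policy"] = int(m.group(1))
        elif line.startswith("Got syn") or line == "no session found":
            cur["notes"].append(line.split(",")[0])  # e.g. "Got syn": the firewall saw a SYN
    return packets

def session_timeline(packets, session_id):  # ordered (ingress ifp, flow, tcpflag, notes) per packet of one session
    return [(p["ifp"], f'{p["src"]}:{p["sport"]}->{p["dst"]}:{p["dport"]}', p["tcpflag"], tuple(p["notes"]))
            for p in packets if p["session"] == session_id]

def peer_reset(packets, session_id):
    """True if a packet of the session carried an (rst) annotation, i.e. the far end refused the connection."""
    return any(p["tcpflag"] and "rst" in p["tcpflag"] for p in packets if p["session"] == session_id)
```

Run against a full trace, session_timeline() shows for each session id which interface each packet entered on and whether a SYN was forwarded and what came back, which separates "blocked by the firewall" from "forwarded and refused by the host".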