Screen OS

  • 1.  SSG5 TCP rst intra-zone

    Posted 03-17-2014 06:16

    Hello,

    For several weeks, I have had a problem with my SSG5 router.

    I have 2 VLANs (DATA and VOIP); their gateway is the SSG5 router (eth2: DATA, eth3: VOIP).

    In my VLAN DATA, an application communicates with a PABX (in VLAN VOIP) across the router.

    It works, but each night I lose the link between these devices (always when there is no activity).

    With Wireshark I can see a return TCP [RST] packet (src IP PABX).

    After this packet, I lose the link and I receive [RST, ACK] packets (src IP PABX) on port 2050 all night.

    I suspect my SSG5 of dropping packets...

    My firmware version is 6.3.0r16a.

    Do you have an idea how to resolve this problem?

    Thank you for your help.

    Regards.

    Charlie



  • 2.  RE: SSG5 TCP rst intra-zone

    Posted 03-18-2014 03:40

    Hello,

    I found this KB: KB13222

    I disabled several parameters, but I still have the problem...

    What do you think of my flow config?

    flow action flag: 0095
    flow GRE outbound tcp-mss is not set
    flow GRE inbound tcp-mss is not set
    flow change tcp mss option for all packets is not set
    flow change tcp mss option for outbound vpn packets = 1350
    flow change tcp mss option for bi-directional vpn packets is not set
    flow deny session disabled
    TCP syn-proxy syn-cookie disabled
    Log dropped packet disabled
    Log auth dropped packet disabled
    Allow dns reply pkt without matched request : NO
    Check TCP SYN bit before create session & refresh session only after tcp 3 way handshake : YES
    Check TCP SYN bit before create session : NO
    Check TCP SYN bit before create session for tunneled packets : YES
    Enable the strict SYN check: NO
    Allow naked tcp reset pass through firewall: NO
    Use Hub-and-Spoke policies for Untrust MIP traffic that loops on same interface
    Check  unknown mac flooding : YES
    Skip sequence number check in stateful inspection : NO
    Drop embedded ICMP : NO
    ICMP path mtu discovery : NO
    ICMP time exceeded : NO
    TCP RST invalidates session immediately : NO
    Force packet fragment reassembly : NO
    flow log info: 0.0.0.0/0->0.0.0.0/0,0
    flow initial session timeout: 20 seconds
    flow session cleanup time: 2 seconds
    early ageout setting:
            high watermark = 100 (8064 sessions)
            low watermark  = 100 (8064 sessions)
            early ageout   = 2
            RST seq. chk OFF
    MAC cache for management traffic: OFF
    Fix tunnel outgoing interface: OFF
    session timeout on route change is not set
    reverse route setting:
            clear-text or first packet going into tunnel: prefer reverse route (default)
            first packet from tunnel: always reverse route (default)
    Close session when receive ICMP error packet: YES
    Passing through only one ICMP error packet: NO
    Flow caches route and arp: NO
    flow tcp session notification tuning value is 65536

    Thank you for your help.

    Charlie.



  • 3.  RE: SSG5 TCP rst intra-zone

    Posted 03-18-2014 14:48

    Do you know if there are keepalive settings you can enable? TCP sessions on the firewall have a default timeout of 30 min. So after 30 min of inactivity, the session is removed from the firewall, and subsequent traffic is dropped until a new TCP session is created (via 3-way handshake).

    If this indeed is the scenario, then...

    option#1 is to create a custom service with an 8-hour timeout (assuming inactivity is less than 8 hours).

    option#2 is to create a custom service with timeout never (but you will need to periodically monitor the firewall for stale sessions).

    option#3 (not recommended) is to disable tcp-syn-check.

    Hope this helps.

    Regards,

    Sam


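    Sam's first question above is whether the application can send keepalives so the firewall never sees 30 minutes of silence. The following is an added example, not code from the thread or from Juniper, showing how a client would configure TCP keepalive on its own socket so that probes go out well inside the 1800 s ScreenOS default idle timeout quoted in the thread. It assumes the firewall refreshes an established session's idle timer on the keepalive ACK (consistent with the "refresh session only after tcp 3 way handshake: YES" flow setting Charlie posted), and that the peer answers probes; the 600 s idle value and the function names are choices made here, not settings from the thread.

```python
import socket

# ScreenOS default TCP session idle timeout quoted in the thread (30 min).
FIREWALL_IDLE_TIMEOUT_S = 1800


def keepalive_fits(idle_s, timeout_s=FIREWALL_IDLE_TIMEOUT_S):
    """True when the first keepalive probe is guaranteed to cross the firewall
    before the session's idle timer could expire. The firewall only sees the
    probe once `idle_s` seconds of silence have passed, so that value alone
    must be comfortably below the firewall timeout; the probe interval and
    count only matter once the peer has stopped answering."""
    return 0 < idle_s < timeout_s


def enable_keepalive(sock, idle_s=600, interval_s=60, probes=5):
    """Turn on TCP keepalive for `sock` and tune the probe timing where the
    platform allows it. Returns the values read back from the kernel so the
    caller can confirm what was actually applied (hypothetical helper)."""
    if not keepalive_fits(idle_s):
        raise ValueError(
            "keepalive idle time %ds is not below the firewall timeout %ds"
            % (idle_s, FIREWALL_IDLE_TIMEOUT_S)
        )

    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}

    # Per-socket probe timing is platform specific: Linux exposes TCP_KEEPIDLE,
    # macOS calls the idle option TCP_KEEPALIVE, and Windows exposes neither
    # through these constants. Set whatever exists and read it back.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle_s)
        applied["idle_s"] = sock.getsockopt(socket.IPPROTO_TCP, idle_opt)

    for const_name, key, value in (
        ("TCP_KEEPINTVL", "interval_s", interval_s),
        ("TCP_KEEPCNT", "probes", probes),
    ):
        opt = getattr(socket, const_name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[key] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def make_keepalive_client_socket(idle_s=600):
    """Create an unconnected TCP socket with keepalive already configured;
    connect() it to the PABX afterwards as the application normally would."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    applied = enable_keepalive(sock, idle_s=idle_s)
    return sock, applied


if __name__ == "__main__":
    s, settings = make_keepalive_client_socket()
    print("keepalive settings accepted by the kernel:", settings)
    s.close()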

  • 4.  RE: SSG5 TCP rst intra-zone

    Posted 03-19-2014 01:55

    Hi samc,

    Thank you for your reply.

    If I create a custom service, I don't know if my global policy will take account of my new service with its new timeout.

    Only port 2050 is a problem in direction: (trust)192.1.2.26 ==> FW [(eth0/2) --> (eth0/3)] ==> (trust)192.168.20.3.

    While port 2060 communicates in direction: (trust)192.168.20.3 ==> FW [(eth0/3) --> (eth0/2)] ==> (trust)192.1.2.26

    So my last solution will be to disable tcp-syn-check

    But this morning I captured packets with a filter on my SSG5:

    ****** 553835.0: <Trust/ethernet0/2> packet received [52]******
      ipid = 28576(6fa0), @03a427f0
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/2:192.1.2.26/57006->192.168.20.3/2050,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/2>, out <N/A>
      chose interface ethernet0/2 as incoming nat if.
      flow_first_routing: in <ethernet0/2>, out <N/A>
      search route to (ethernet0/2, 192.1.2.26->192.168.20.3) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 5.route 192.168.20.3->192.168.20.3, to ethernet0/3
      routed (x_dst_ip 192.168.20.3) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/3 
      policy search from zone 2-> zone 2
     policy_flow_search  policy search nat_crt from zone 2-> zone 2
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.20.3, port 2050, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
      Searching global policy.
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
      Permitted by policy 320002
      No src xlate   choose interface ethernet0/3 as outgoing phy if
      no loop on ifp ethernet0/3.
      session application type 0, name None, nas_id 0, timeout 1800sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/2>, out <ethernet0/3>
      existing vector list 3-435dcdc.
      Session (id:7666) created for first pak 3
      flow_first_install_session======>
      route to 192.168.20.3
      arp entry found for 192.168.20.3
      ifp2 ethernet0/3, out_ifp ethernet0/3, flag 00800800, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet0/3, 192.168.20.3->192.1.2.26) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2
      [ Dest] 3.route 192.1.2.26->192.1.2.26, to ethernet0/2
      route to 192.1.2.26
      arp entry found for 192.1.2.26
      ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 7666
      flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/3
      flow vector index 0x3, vector addr 0x20f6a38, orig vector 0x20f6a38
      Got syn, 192.1.2.26(57006)->192.168.20.3(2050), nspflag 0x801801, 0x800800
      post addr xlation: 192.1.2.26->192.168.20.3.
      send packet to traffic shaping queue.
      flow_ip_send: 6fa0:192.1.2.26->192.168.20.3,6 => ethernet0/3(52) flag 0x20000, vlan 0
     pak has mac
      Send to ethernet0/3 (66)
    ****** 553835.0: <Trust/ethernet0/3> packet received [40]******
      ipid = 33005(80ed), @03a387f0
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/3:192.168.20.3/2050->192.1.2.26/57006,6, 5014(rst)<Root>
      existing session found. sess token 3
      flow got session.
      flow session id 7666
      flow_main_body_vector in ifp ethernet0/3 out ifp N/A
      flow vector index 0x3, vector addr 0x20f6a38, orig vector 0x20f6a38
      flow_tcp_fin_vector()
      post addr xlation: 192.168.20.3->192.1.2.26.
      send packet to traffic shaping queue.
      flow_ip_send: 80ed:192.168.20.3->192.1.2.26,6 => ethernet0/2(40) flag 0x20000, vlan 0
     pak has mac
      Send to ethernet0/2 (60)
    ****** 553835.0: <Trust/ethernet0/2> packet received [48]******
      ipid = 28593(6fb1), @03a527f0
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/2:192.1.2.26/57006->192.168.20.3/2050,6<Root>
      existing session found. sess token 3
      flow got session.
      flow session id 7666
      flow_main_body_vector in ifp ethernet0/2 out ifp N/A
      flow vector index 0x3, vector addr 0x20f6a38, orig vector 0x20f6a38
      Got syn, 192.1.2.26(57006)->192.168.20.3(2050), nspflag 0x801801, 0x800800
      post addr xlation: 192.1.2.26->192.168.20.3.
      send packet to traffic shaping queue.
      flow_ip_send: 6fb1:192.1.2.26->192.168.20.3,6 => ethernet0/3(48) flag 0x20000, vlan 0
     pak has mac
      Send to ethernet0/3 (62)

    I can see we don't have a session for 192.1.2.26 <==> 192.168.20.3 on port 2050, but only for port 2060:

    ssg5-serial-> get session dst-ip 192.168.20.3
    alloc 19/max 8064, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 8045
    Total 1 sessions according filtering criteria.
    id 7983/s**,vsys 0,flag 08000040/0000/0001/0000,policy 320002,time 180, dip 0 module 0
     if 6(nspflag 801801):192.1.2.26/56067->192.168.20.3/2060,6,842b2b75db36,sess token 3,vlan 0,tun 0,vsd 0,route 3,wsf 0
     if 7(nspflag 801800):192.1.2.26/56067<-192.168.20.3/2060,6,0001ecff3dbb,sess token 3,vlan 0,tun 0,vsd 0,route 5,wsf 8
    Total 1 sessions shown

    I have a problem in my flow, but how can I resolve this...

    Thank you for your help.

    Charlie



  • 5.  RE: SSG5 TCP rst intra-zone
    Best Answer

    Posted 03-19-2014 06:38

    Hi Charlie.

    Excellent capture.

    "policy search from zone 2-> zone 2"

    Trust->Trust zones

    "Permitted by policy 320002"

    Using intra-zone permit.

    "session application type 0, name None, nas_id 0, timeout 1800sec"

    Using timeout of 30 min.

    I suggest creating a policy at the top of your ruleset... something like...

    set policy from trust to trust any any tcp2060_8hours permit

    And create a specific service object for tcp2060 with a timeout of 8 hours or never.

    Hopefully, this will resolve your issue.

    Regards,

    Sam



  • 6.  RE: SSG5 TCP rst intra-zone

    Posted 03-19-2014 07:19

    Hi samc,

    Thank you for your help.

    I added the policy and cleared the sessions; I have traffic but no log..

    alloc 118/max 8064, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 7945
    Total 2 sessions according filtering criteria.
    id 7776/s**,vsys 0,flag 08000040/0000/0001/0000,policy 320002,time 180, dip 0 module 0
     if 6(nspflag 801801):192.1.2.26/57136->192.168.20.3/2060,6,842b2b75db36,sess token 3,vlan 0,tun 0,vsd 0,route 3,wsf 0
     if 7(nspflag 801800):192.1.2.26/57136<-192.168.20.3/2060,6,0001ecff3dbb,sess token 3,vlan 0,tun 0,vsd 0,route 5,wsf 8
    id 8014/s**,vsys 0,flag 08000040/0000/0001/0000,policy 61,time 4326, dip 0 module 0
     if 6(nspflag 801801):192.1.2.26/57145->192.168.20.3/2050,6,842b2b75db36,sess token 3,vlan 0,tun 0,vsd 0,route 3,wsf 0
     if 7(nspflag 801800):192.1.2.26/57145<-192.168.20.3/2050,6,0001ecff3dbb,sess token 3,vlan 0,tun 0,vsd 0,route 5,wsf 8
    Total 2 sessions shown
    Config policy - service:

    ssg5-serial-> get policy id 61
    name:"none" (id 61), zone Trust -> Trust,action Permit, status "enabled"
    src "Any", dst "Any", serv "TCP_2050"
    Rules on this VPN policy: 0
    nat off, Web filtering : disabled
    vpn unknown vpn, policy flag 00010000, session backup: on, idle reset: on
    traffic shaping off, scheduler n/a, serv flag 00
    log close, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
    total octets 62229, counter(session/packet/octet) 0/0/0
    priority 7, diffserv marking Off
    tadapter: state off, gbw/mbw 0/0 policing (no)
    No Authentication
    No User, User Group or Group expression set
    
    ssg5-serial-> get service TCP_2050
    Name:       TCP_2050
    Category:   other          ID:  0   Flag:  User-defined   Session-cache:   Disabled
    Transport  Src port  Dst port   ICMPtype,code  Timeout(min|10sec*)  Application
    tcp        0/65535   2050/2050                 721

    As you can see, time is 4326 and not 43260 (721 min). Display problem?

    If this configuration works and I use it, what is the risk of removing the timeout?

    Regards,

    Charlie
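    Charlie checked by hand which policy each session matched and whether its `time` counter lined up with the service timeout. The following is an added example, not code from the thread or from Juniper: a small parser for the `get session` output format shown in the thread (the sample text below is copied from Charlie's post above) plus an audit that reports, per session, the policy it matched, the remaining idle time, and whether an application port landed on the intended policy rather than the intra-zone default. It assumes that the `time` field counts down in 10-second ticks, which is only an inference from 4326 ticks matching the service's 721 min (43260 s) and the 180 ticks on the default policy matching its 1800 s timeout; the policy-to-timeout table and all function names are assumptions made here.

```python
import re

# Sample `get session` output copied from the thread (not generated by this code).
SAMPLE_OUTPUT = """\
alloc 118/max 8064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 7945
Total 2 sessions according filtering criteria.
id 7776/s**,vsys 0,flag 08000040/0000/0001/0000,policy 320002,time 180, dip 0 module 0
 if 6(nspflag 801801):192.1.2.26/57136->192.168.20.3/2060,6,842b2b75db36,sess token 3,vlan 0,tun 0,vsd 0,route 3,wsf 0
 if 7(nspflag 801800):192.1.2.26/57136<-192.168.20.3/2060,6,0001ecff3dbb,sess token 3,vlan 0,tun 0,vsd 0,route 5,wsf 8
id 8014/s**,vsys 0,flag 08000040/0000/0001/0000,policy 61,time 4326, dip 0 module 0
 if 6(nspflag 801801):192.1.2.26/57145->192.168.20.3/2050,6,842b2b75db36,sess token 3,vlan 0,tun 0,vsd 0,route 3,wsf 0
 if 7(nspflag 801800):192.1.2.26/57145<-192.168.20.3/2050,6,0001ecff3dbb,sess token 3,vlan 0,tun 0,vsd 0,route 5,wsf 8
Total 2 sessions shown
"""

# Policy id -> configured idle timeout in seconds, taken from the thread:
# 320002 is the intra-zone default permit (the debug trace shows "timeout 1800sec"),
# 61 is Charlie's new policy whose service TCP_2050 has a 721 min timeout.
POLICY_TIMEOUT_S = {320002: 1800, 61: 721 * 60}

# Assumption (see lead-in): the `time` column counts down in 10-second ticks.
TICK_SECONDS = 10

SESSION_RE = re.compile(r"^id (\d+)/\S+,vsys \d+,flag \S+,policy (\d+),time (\d+)")
# Only the forward wing ("->") carries the original 5-tuple; the reverse wing uses "<-".
WING_RE = re.compile(r"^\s*if \d+\(nspflag \w+\):(\S+?)/(\d+)->(\S+?)/(\d+),(\d+),")


def parse_sessions(text):
    """Parse `get session` output into a list of dicts, one per session."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {
                "id": int(m.group(1)),
                "policy": int(m.group(2)),
                "time_ticks": int(m.group(3)),
            }
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current.update(
                src=m.group(1), sport=int(m.group(2)),
                dst=m.group(3), dport=int(m.group(4)),
                proto=int(m.group(5)),
            )
    return sessions


def audit(sessions, expected_policy_by_port, policy_timeouts=POLICY_TIMEOUT_S,
          tick=TICK_SECONDS):
    """For each session, report the remaining idle time and whether an
    application port (e.g. 2050) is carried by the policy it was meant for.
    `expected_policy_by_port` maps destination port -> policy id."""
    findings = []
    for s in sessions:
        remaining_s = s["time_ticks"] * tick
        timeout_s = policy_timeouts.get(s["policy"])
        wanted = expected_policy_by_port.get(s.get("dport"))
        findings.append({
            "id": s["id"],
            "dport": s.get("dport"),
            "policy": s["policy"],
            "remaining_s": remaining_s,
            "configured_timeout_s": timeout_s,
            # A session on an unexpected policy will age out on that policy's
            # timer, which is exactly the nightly RST problem in the thread.
            "on_intended_policy": wanted is None or wanted == s["policy"],
            # Remaining time can never exceed the configured timeout; if it
            # does, the tick assumption or the policy table is wrong.
            "consistent_with_timeout": timeout_s is not None and remaining_s <= timeout_s,
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_sessions(SAMPLE_OUTPUT), {2050: 61}):
        print(f)
```

    Feed the script the output of `get session dst-ip <PABX address>` and extend the port-to-policy map for every application port that needs the long timeout; a session that shows up with `on_intended_policy` false is one that will still age out on the 30-minute default.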