03-26-2009 08:17 AM
I have configured a session timeout of 720 min for a specific service. This service is in a group with other services and bound to two policies.
When I have a look at the session table, the timer is not the same as in the service, and the session breaks.
Any Ideas?
id 60529/s**,vsys 0,flag 08000040/0000/01,policy 135,time 33, dip 0
if 6(nspflag 801801):172.26.27.112/3455->10.184.92.20/1521,6,00
Netscreen NS208 Software Version: 5.3.0r3.0
regards
iglu
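To make the comparison the poster is doing repeatable, here is an added example (not code from the thread or from Juniper) that parses "get session" output of the form shown above and flags sessions whose remaining lifetime looks like the 30-minute ScreenOS default rather than the 720-minute service timeout. It assumes the "time" field counts down in 10-second ticks (TICK_SECONDS); the second and third sessions, the reverse-direction "if" line and the policy-to-timeout mapping EXPECTED_MINUTES are constructed for the example.

```python
import re
from dataclasses import dataclass

# ASSUMPTION (not stated in the thread): the "time" field in "get session"
# counts down in 10-second ticks, so "time 33" means roughly 330 s remain.
# Check this against your own release and adjust TICK_SECONDS if needed.
TICK_SECONDS = 10
DEFAULT_TCP_TIMEOUT_SECONDS = 30 * 60  # ScreenOS default TCP service timeout

HEADER_RE = re.compile(
    r"id\s+(?P<id>\d+)/(?P<state>[^,]+),vsys\s+(?P<vsys>\d+),"
    r"flag\s+(?P<flag>[^,]+),policy\s+(?P<policy>\d+),time\s+(?P<time>\d+)"
)
FLOW_RE = re.compile(
    r"if\s+(?P<ifnum>\d+)\(nspflag\s+(?P<nspflag>[0-9a-fA-F]+)\):"
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)"
)


@dataclass
class Session:
    sid: int
    policy: int
    remaining_ticks: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int

    @property
    def remaining_seconds(self) -> int:
        return self.remaining_ticks * TICK_SECONDS


def parse_sessions(text: str) -> list[Session]:
    """Pair each 'id ...' header with the first 'if ...' flow line under it.
    Any further 'if' lines (the reverse-direction entry) are ignored."""
    sessions: list[Session] = []
    header = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header = m
            continue
        f = FLOW_RE.match(line)
        if f and header is not None:
            sessions.append(Session(
                sid=int(header["id"]), policy=int(header["policy"]),
                remaining_ticks=int(header["time"]),
                src=f["src"], sport=int(f["sport"]),
                dst=f["dst"], dport=int(f["dport"]), proto=int(f["proto"]),
            ))
            header = None
    return sessions


def suspect_default_timeout(s: Session, expected_seconds: int) -> bool:
    """Heuristic: a policy configured with a long timeout (720 min here) should
    only show 30 min or less remaining after more than 690 min of idling. Seeing
    that on an active session suggests the firewall applied the 30-min default
    (or a fixed ALG child timeout) instead of the service timeout."""
    return (expected_seconds > DEFAULT_TCP_TIMEOUT_SECONDS
            and s.remaining_seconds <= DEFAULT_TCP_TIMEOUT_SECONDS)


def find_timeout_mismatches(text: str, expected_minutes_by_policy: dict[int, int]) -> list[str]:
    """Return one finding per session that looks like it is on the wrong timer."""
    findings: list[str] = []
    for s in parse_sessions(text):
        expected_min = expected_minutes_by_policy.get(s.policy)
        if expected_min is None:
            continue  # policy not under investigation
        if suspect_default_timeout(s, expected_min * 60):
            findings.append(
                f"session {s.sid} policy {s.policy} {s.src}:{s.sport}->{s.dst}:{s.dport}/{s.proto}: "
                f"{s.remaining_seconds}s left, configured {expected_min} min"
            )
    return findings


# The first session is the one from the original post; the reverse "if" line
# and the other two sessions are constructed for this example.
SAMPLE_GET_SESSION = """\
id 60529/s**,vsys 0,flag 08000040/0000/01,policy 135,time 33, dip 0
 if 6(nspflag 801801):172.26.27.112/3455->10.184.92.20/1521,6,00
 if 4(nspflag 801800):10.184.92.20/1521->172.26.27.112/3455,6,00
id 60530/s**,vsys 0,flag 08000040/0000/01,policy 135,time 4290, dip 0
 if 6(nspflag 801801):172.26.27.113/3456->10.184.92.20/1521,6,00
id 60531/s**,vsys 0,flag 08000040/0000/01,policy 7,time 170, dip 0
 if 6(nspflag 801801):172.26.27.114/2000->10.184.92.21/80,6,00
"""

# Constructed mapping: policy 135 carries the 720-min service, policy 7 uses the default.
EXPECTED_MINUTES = {135: 720, 7: 30}

if __name__ == "__main__":
    for finding in find_timeout_mismatches(SAMPLE_GET_SESSION, EXPECTED_MINUTES):
        print(finding)
```

Paste the output of "get session" into SAMPLE_GET_SESSION (or read it from a file) and fill EXPECTED_MINUTES from "get policy id N" and "get service NAME"; the heuristic is deliberately conservative and only flags sessions whose policy is supposed to outlive the default.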
03-26-2009 10:52 AM
Hi
I think you may be running into a known issue.
From the session, the traffic looks like it is for SQL.
On 5.3 we had some issues with the child sessions for SQL:
ScreenOS 5.3, 5.4 (until 5.4.0r5)
The child session timeout is based on the internal SQL resource timeout, which is a fixed value, unchangeable by the configuration. Therefore, the child session timeout remains unchanged, even though the SQL *Net V2 service timeout can be adjusted.
For 5.4r6 and above:
The child session timeout is based on the internal SQL resource timeout, which is the same value as the SQL *Net V2 service timeout. Therefore, the child session timeout is adjustable by changing the SQL *Net V2 service timeout.
So, if you can, please upgrade to the latest ScreenOS (SOS) release for 5.4 or above.
You can check out the KB below :
http://kb.juniper.net/index?page=content&id=KB1020
If you do not want to upgrade AND you are NOT using any NAT, you can:
(i) Disable the SQL ALG or set "Application Ignore" in the policy, e.g.:
set policy id 5 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "SQL*Net V2" permit
set policy id 5 application "IGNORE"
(ii) If you disable the ALG or set the application to ignore, you will most likely need another policy to permit the traffic on all the other dynamic ports, e.g.:
set policy from X to Y "172.26.27.112/32" "10.184.92.20/32" "ANY" permit
Note that the service should be ANY to permit all ports. With this the timeout should be fixed.
03-29-2009 01:34 AM
I have many other ports for which the timeout does not work. It seems that if you put more than one port (all with the same timeout of 720 min) in a group together, the timeout goes back to 30 min.
I fixed the problem by making one service with all the ports in it. I had so many ports to open that I had to make two services with a timeout of 720 min. But even when I made a policy with both services in the same rule (services not in a group), the firewall took the timeout of 30 min.
I had to make two policies with only one service each (with different ports in it), and then it worked.
regards
iglu