ScreenOS Firewalls (NOT SRX)
Iglu
Contributor, Posts: 69, Registered: 11-12-2008

Session timeout problems

I have configured a session timeout of 720 min for a specific service. This service is in a group with other services, and the group is bound to two policies.

When I have a look at the session table, the timer is not the same as in the service, and the session breaks.

Any Ideas?


id 60529/s**,vsys 0,flag 08000040/0000/01,policy 135,time 33, dip 0
 if 6(nspflag 801801):172.26.27.112/3455->10.184.92.20/1521,6,00005e00015b,sess token 4,vlan 0,tun 0,vsd 0,route 12

Netscreen NS208 Software Version: 5.3.0r3.0

regards

iglu

WL
Trusted Expert, Posts: 789, Registered: 07-26-2008

Re: Session timeout problems

Hi

I think you are maybe running into a known issue.

From the session, the traffic looks like it's for SQL.

On 5.3, we had some issues where the child sessions for the SQL were:

ScreenOS 5.3, 5.4 (until 5.4.0r5)
The child session timeout is based on the internal SQL resource timeout, which is a fixed value, unchangable by the configuration. Therefore, the child session timeout remains unchanged, even though the SQL *Net V2 service timeout can be adjusted.

For 5.4r6 and above:

The child session timeout is based on the internal SQL resource timeout, which is the same value as the SQL *Net V2 service timeout. Therefore, the child session timeout is adjustable by changing the SQL *Net V2 service timeout.

So, if you can, please upgrade to the latest SOS for 5.4 or above.

You can check out the KB below :

http://kb.juniper.net/index?page=content&id=KB10206&actp=search&searchid=1238089575826

If you do not want to upgrade AND if you are NOT using any natting, you can :

(i) Disable the SQL ALG or set "Application Ignore" in the policy, e.g.:

set policy id 5 from "Trust" to "Untrust"  "Any-IPv4" "Any-IPv4" "SQL*Net V2" permit
set policy id 5 application "IGNORE"

(ii) If you disable the ALG or set the application ignore, you will most likely need another policy to permit the traffic for all other dynamic ports, e.g.:

set policy from X to Y "172.26.27.112/32" "10.184.92.20/32" "ANY" permit

Note that the service should be ANY to permit all ports. With this, the timeout should be fixed.

Iglu
Contributor, Posts: 69, Registered: 11-12-2008

Re: Session timeout problems

I have many other ports for which the timeout does not work. It seems that if you put more than one port (all with the same timeout of 720 min) in a group together, the timeout goes back to 30 min.

I fixed the problem by making one service with all the ports in it. I had so many ports to open that I had to make two services with a timeout of 720 min. But even when I made a policy with both services in the same rule (services not in a group), the firewall took the timeout of 30 min.

I had to make two policies with only one service each (with different ports in it), and then it worked.

regards

iglu
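The arrangement Iglu ended up with, written out as an added ScreenOS configuration example (this is not from the thread or from Juniper). Zone names Trust/Untrust, the address object names ORA-CLIENT/ORA-SERVER, the service names ORA-A/ORA-B, policy ids 9/10/11 and every port other than 1521 are assumptions constructed for illustration; the lines starting with # are annotations, not CLI input. The "group or multi-service rule falls back to 30 min" behaviour is what the thread reports, not documented behaviour, so the block shows that arrangement only for contrast and keeps it disabled.

```screenos
# Added example, not the thread's own commands. Assumed names: zones Trust/Untrust,
# address objects ORA-CLIENT / ORA-SERVER, services ORA-A / ORA-B, policy ids 9/10/11.
# Port numbers other than 1521 are constructed for illustration.

set address "Trust" "ORA-CLIENT" 172.26.27.112 255.255.255.255
set address "Untrust" "ORA-SERVER" 10.184.92.20 255.255.255.255

# One custom service per policy, each carrying its own 720-minute idle timeout.
# Further ports are appended with "+" and inherit the service's timeout.
set service "ORA-A" protocol tcp src-port 0-65535 dst-port 1521-1521 timeout 720
set service "ORA-A" + tcp src-port 0-65535 dst-port 1522-1522
set service "ORA-B" protocol tcp src-port 0-65535 dst-port 1530-1530 timeout 720
set service "ORA-B" + tcp src-port 0-65535 dst-port 1531-1531

# Arrangement the thread reports as NOT honouring the 720-minute value:
# both services in one service group (or listed together in one rule).
# Kept commented out here for contrast only.
#   set group service "ORA-GRP" add "ORA-A"
#   set group service "ORA-GRP" add "ORA-B"
#   set policy id 9 from "Trust" to "Untrust" "ORA-CLIENT" "ORA-SERVER" "ORA-GRP" permit

# Arrangement that worked for the original poster: exactly one service per policy.
set policy id 10 from "Trust" to "Untrust" "ORA-CLIENT" "ORA-SERVER" "ORA-A" permit
set policy id 11 from "Trust" to "Untrust" "ORA-CLIENT" "ORA-SERVER" "ORA-B" permit
save

# Verification: confirm the timeout stored on each service, then look at the
# session entry for this flow and check that its policy id is 10 or 11.
get service "ORA-A"
get service "ORA-B"
get session src-ip 172.26.27.112 dst-ip 10.184.92.20
```

The `time` field shown by `get session` counts down, so compare a freshly established session matching policy 10 or 11 against one that matched the grouped rule to see whether the longer timer is applied. This only addresses the grouped-service symptom Iglu describes; on 5.3 the SQL*Net child sessions are still pinned to the internal resource timeout that WL's KB reference covers, so the upgrade or the application-ignore policy remains the fix for those.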
