Screen OS

  • 1.  Close Age Out Message

    Posted 11-26-2007 09:20
    Hello All;
    I want to ask you what Close Age Out means in the policy log on a NetScreen FW.
    Is there any relation with the timeout of the protocol used in this policy?

    Please help me to resolve this issue.
    Thanks

    #policy
    #age
    #timeout
    #close
    #out
    #log


  • 2.  RE: Close Age Out Message

    Posted 11-26-2007 23:44
    Yes, this is related to the timeout of the protocol as configured for each service or protocol defaults. However, I have seen instances where age out can be shown for certain FIN 4-way close with TCP proxy involved. Is there an issue you are seeing?


  • 3.  RE: Close Age Out Message

    Posted 11-27-2007 00:24
    Thanks for your reply;
    Please tell me what exactly the timeout of a service means. Is it the time to close the TCP connection when no data traffic is passing, or the time to close the connection just for the first TCP negotiation?
    It's important for me to know the exact definition of this timeout to troubleshoot some issues in my internal connection.
     
    Thanks
     
     


  • 4.  RE: Close Age Out Message

    Posted 11-28-2007 11:16
    It depends on the protocol in use, but essentially yes it's when the underlying protocol times out (TCP, UDP, ICMP, etc.).  The session is closed when the duration of time for which no traffic has been received for a given session has elapsed.  It is not for the first TCP negotiation.  An entry is created in the session table once the session table is established and successive traffic which matches that session continually resets the timer.  See my response in the other thread for additional details.
     


  • 5.  RE: Close Age Out Message

    Posted 01-29-2008 15:21
    Stefan,
    For one reason or another I created the custom service Netbios for Netbios (NS). Wait, now I recall, although the firewall will detect and block 'Netscreen (NS)' packets, there doesn't seem to be a correlating predefined entry to allow for it when making a policy. Anyway, the service is set up as:

    Netbios TCP src port: 0-65535, dst port: 137-137 30 Edit Remove

    As you can see, the timeout is 30 minutes, yet in my firewall I constantly see:

    2008-01-29 16:34:42 172.31.202.4:34113 10.200.1.2:137 172.31.202.4:34113 10.200.1.2:137 NETBIOS (NS) 60 sec. 96 102 Close - AGE OUT
    2008-01-29 16:34:26 172.31.202.4:34112 10.200.1.2:137 172.31.202.4:34112 10.200.1.2:137 NETBIOS (NS) 59 sec. 96 102 Close - AGE OUT

    So I went looking for a reason, since these sessions should not 'age out' at around the 60 second marker. Is there something behind the scenes that I am missing??
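
An added example, not part of the original post and not Juniper tooling: a Python check that parses traffic-log lines in the layout pasted above and lists AGE OUT closes whose total duration is shorter than the timeout configured for the service. The column meanings, the third log line, and the names `early_age_outs` and `timeout_by_dst_port` are assumptions made for illustration.

```python
import re

# Constructed sample: the two lines from the post plus one made-up normal close.
SAMPLE_LOG = """\
2008-01-29 16:34:42 172.31.202.4:34113 10.200.1.2:137 172.31.202.4:34113 10.200.1.2:137 NETBIOS (NS) 60 sec. 96 102 Close - AGE OUT
2008-01-29 16:34:26 172.31.202.4:34112 10.200.1.2:137 172.31.202.4:34112 10.200.1.2:137 NETBIOS (NS) 59 sec. 96 102 Close - AGE OUT
2008-01-29 16:35:10 172.31.202.4:34120 10.200.1.2:80 172.31.202.4:34120 10.200.1.2:80 HTTP 12 sec. 840 5120 Close - TCP FIN
"""

# Assumed column order: timestamp, source, destination, translated source,
# translated destination, service, duration, bytes sent, bytes received, reason.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<xsrc>\S+) (?P<xdst>\S+) "
    r"(?P<service>.+?) (?P<dur>\d+) sec\. "
    r"(?P<sent>\d+) (?P<recv>\d+) Close - (?P<reason>.+)$"
)


def early_age_outs(log_text, timeout_by_dst_port):
    """Return AGE OUT entries that closed sooner than the configured timeout.

    timeout_by_dst_port maps destination port -> configured timeout in seconds.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["reason"].strip().upper() != "AGE OUT":
            continue
        port = int(m["dst"].rsplit(":", 1)[1])
        timeout = timeout_by_dst_port.get(port)
        duration = int(m["dur"])
        # Total session duration is an upper bound on idle time, so a session
        # shorter than the timeout cannot have aged out on that timer.
        if timeout is not None and duration < timeout:
            hits.append({"time": m["ts"], "src": m["src"], "dst": m["dst"],
                         "logged_service": m["service"],
                         "duration_s": duration, "configured_s": timeout})
    return hits


if __name__ == "__main__":
    # 30 minutes is the timeout of the custom service described in the post.
    for hit in early_age_outs(SAMPLE_LOG, {137: 30 * 60}):
        print(hit)
```

The `logged_service` field is kept in each result so it can be compared with the name of the service the policy is expected to match.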


  • 6.  RE: Close Age Out Message

    Posted 02-17-2012 06:14

    hi,

     

    How do you explain that Close Age Out could appear before the 30 min timer for a TCP session?

     

    It seems to be the case for us on an ISG2k cluster.

     

    regards.



  • 7.  RE: Close Age Out Message

    Posted 02-20-2012 02:09

    Hi,

     

    I would recommend running debug and checking whether there are RPC mapping table hits as described in KB15038 "Sessions on Microsoft Active Directory Services Time Out Earlier Than Expected".