ScreenOS Firewalls (NOT SRX)

Close Age Out Message

11-26-2007 09:19 AM
Hello all,
I want to ask what "Close Age Out" means in the policy log on a NetScreen FW.
Is there any relation to the timeout of the protocol used in this policy?

Please help me resolve this issue.
Thanks
6 REPLIES

Re: Close Age Out Message

11-26-2007 11:44 PM
Yes, this is related to the timeout of the protocol as configured for each service or protocol defaults. However, I have seen instances where age out can be shown for certain FIN 4-way close with TCP proxy involved. Is there an issue you are seeing?

Re: Close Age Out Message

11-27-2007 12:23 AM
Thanks for your reply.
Please tell me what exactly the timeout of a service means. Is it the time to close the TCP connection when there is no data traffic, or the time to close the connection just for the first TCP negotiation?
It's important for me to know the exact definition of this timeout to troubleshoot some issues in my internal connection.

Thanks

Re: Close Age Out Message

11-28-2007 11:15 AM
It depends on the protocol in use, but essentially yes it's when the underlying protocol times out (TCP, UDP, ICMP, etc.).  The session is closed when the duration of time for which no traffic has been received for a given session has elapsed.  It is not for the first TCP negotiation.  An entry is created in the session table once the session table is established and successive traffic which matches that session continually resets the timer.  See my response in the other thread for additional details.
 
Stefan Fouant
Juniper Ambassador
JNCIE-SP, JNCIE-ENT, JNCIE-SEC, JNCI, CISSP, PCNSE, VCP-DV


Re: Close Age Out Message

01-29-2008 03:20 PM
Stefan,
For one reason or another I created the custom service Netbios for Netbios (NS). Wait, now I recall: although the firewall will detect and block 'Netscreen (NS)' packets, there doesn't seem to be a correlating predefined entry to allow for it when making a policy. Anyway, the service is set up as:

Netbios TCP src port: 0-65535, dst port: 137-137 30

As you can see, the timeout is 30 minutes, yet in my firewall I constantly see:

2008-01-29 16:34:42 172.31.202.4:34113 10.200.1.2:137 172.31.202.4:34113 10.200.1.2:137 NETBIOS (NS) 60 sec. 96 102 Close - AGE OUT
2008-01-29 16:34:26 172.31.202.4:34112 10.200.1.2:137 172.31.202.4:34112 10.200.1.2:137 NETBIOS (NS) 59 sec. 96 102 Close - AGE OUT

So I went looking for a reason, since these sessions should not 'age out' at around the 60 second marker. Is there something behind the scenes that I am missing?
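Added example, not part of the thread and not Juniper code: a small Python check that parses traffic-log lines in the format quoted above and lists AGE OUT sessions that closed before the configured service timeout. The column meanings, the last two sample lines, and the names `parse_line`, `early_age_outs` and `summarize` are assumptions made for this example.

```python
import re
from collections import Counter

# Column meaning is an assumption read off the two lines quoted in the post:
# time, src, dst, translated src, translated dst, service, duration,
# bytes sent, bytes received, close reason.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<xsrc>\S+)\s+(?P<xdst>\S+)\s+(?P<service>.+?)\s+(?P<duration>\d+) sec\.\s+"
    r"(?P<sent>\d+)\s+(?P<recv>\d+)\s+Close - (?P<reason>.+?)\s*$"
)

# First two lines are from the post; the last two are constructed for the example.
SAMPLE_LOG = """\
2008-01-29 16:34:42 172.31.202.4:34113 10.200.1.2:137 172.31.202.4:34113 10.200.1.2:137 NETBIOS (NS) 60 sec. 96 102 Close - AGE OUT
2008-01-29 16:34:26 172.31.202.4:34112 10.200.1.2:137 172.31.202.4:34112 10.200.1.2:137 NETBIOS (NS) 59 sec. 96 102 Close - AGE OUT
2008-01-29 16:40:00 172.31.202.4:34120 10.200.1.2:137 172.31.202.4:34120 10.200.1.2:137 NETBIOS (NS) 1805 sec. 4096 5120 Close - AGE OUT
2008-01-29 16:41:10 172.31.202.4:34121 10.200.1.2:137 172.31.202.4:34121 10.200.1.2:137 NETBIOS (NS) 12 sec. 512 640 Close - TCP FIN
"""
# Configured service timeouts in minutes (30 is the value given in the post).
SERVICE_TIMEOUT_MIN = {"NETBIOS (NS)": 30}

def parse_line(line):
    """Parse one traffic-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("duration", "sent", "recv"):
        rec[key] = int(rec[key])
    return rec

def early_age_outs(log_text, timeouts_min):
    """Return AGE OUT records whose whole lifetime is below the service timeout."""
    # A session's lifetime is at least its idle time, so such a session cannot
    # have been idle for the configured timeout when it was closed.
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["reason"] != "AGE OUT":
            continue
        limit_min = timeouts_min.get(rec["service"])
        if limit_min is not None and rec["duration"] < limit_min * 60:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count early age-outs per (destination, service) to show where they cluster."""
    return Counter((h["dst"], h["service"]) for h in hits)
```

Run over an exported traffic log, the per-destination counts show whether early age-outs are tied to one service or server, which helps narrow down which timer is actually closing the sessions.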

Re: Close Age Out Message

02-17-2012 06:13 AM

Hi,

How do you explain that Close Age Out could appear before the 30 min timer for a TCP session?

This seems to be the case for us on an ISG2k cluster.

Regards.

Re: Close Age Out Message

02-20-2012 02:08 AM

Hi,

I would recommend running debug and checking whether there are RPC mapping table hits, as described in KB15038 "Sessions on Microsoft Active Directory Services Time Out Earlier Than Expected".

Kind regards,
Edouard