ScreenOS Firewalls (NOT SRX)

Session timeout problems

‎03-26-2009 08:17 AM

I have configured a session timeout of 720 min for a specific service. This service is in a group with other services and bound to two policies.

When I have a look at the session table, the timer is not the same as in the service, and the session breaks.

Any ideas?


id 60529/s**,vsys 0,flag 08000040/0000/01,policy 135,time 33, dip 0
 if 6(nspflag 801801):>,6,00005e00015b,sess token 4,vlan 0,tun 0,vsd 0,route 12

Netscreen NS208 Software Version: 5.3.0r3.0 





Re: Session timeout problems

‎03-26-2009 10:52 AM



I think you are maybe running into a known issue.

From the session, the traffic looks like it's for SQL.


On 5.3, we had some issues where the child sessions for the SQL were:

ScreenOS 5.3, 5.4 (until 5.4.0r5)
The child session timeout is based on the internal SQL resource timeout, which is a fixed value, unchangeable by the configuration. Therefore, the child session timeout remains unchanged, even though the SQL *Net V2 service timeout can be adjusted.


For 5.4r6 and above:

The child session timeout is based on the internal SQL resource timeout, which is the same value as the SQL *Net V2 service timeout. Therefore, the child session timeout is adjustable by changing the SQL *Net V2 service timeout.


So, if you can, please upgrade to the latest SOS for 5.4 or above.


You can check out the KB below :


If you do not want to upgrade AND if you are NOT using any NATing, you can:

(i) Disable the SQL ALG or set "Application Ignore" in the policy. E.g.:

set policy id 5 from "Trust" to "Untrust"  "Any-IPv4" "Any-IPv4" "SQL*Net V2" permit
set policy id 5 application "IGNORE"


(ii) If you disable the ALG or set the application ignore, you will most likely need another policy to permit the traffic for all other dynamic ports, e.g.:


set policy from X to Y "" to "" "ANY" permit


Note that the service should be ANY to permit all ports. With this the timeout should be fixed.


Re: Session timeout problems

‎03-29-2009 01:34 AM

I have many other ports in which the timeout does not work. It seems that if you put more than one port (all with the same timeout of 720 min) in a group together, the timeout goes back to 30 min.


I fixed the problem by making one service with all the ports in it. I had so many ports to open that I had to make two services with timeout 720 min. But even when I made a policy with both services in the same rule (services not in a group), the firewall took the timeout of 30 min.

I had to make two policies with only one service (with different ports in it) and then it worked.
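
Added example (not written by any poster in this thread, and not vendor code): a small Python audit that flags policies matching the pattern reported in the last post, namely a policy that references a service group or more than one service whose members carry a custom timeout. The sample configuration, service names and ports are constructed, and the parser assumes the usual `set service`, `set group service` and `set policy id` line forms.

```python
import shlex
from collections import defaultdict

# Constructed sample config (not from the thread); names and ports are made up.
SAMPLE_CONFIG = '''
set service "APP-A" protocol tcp src-port 0-65535 dst-port 8000-8000 timeout 720
set service "APP-B" protocol tcp src-port 0-65535 dst-port 9000-9000 timeout 720
set service "APP-C" protocol tcp src-port 0-65535 dst-port 7000-7000 timeout 720
set group service "APP-GRP"
set group service "APP-GRP" add "APP-A"
set group service "APP-GRP" add "APP-B"
set policy id 135 from "Trust" to "Untrust" "Any" "Any" "APP-GRP" permit
set policy id 136 from "Trust" to "Untrust" "Any" "Any" "APP-A" permit
set policy id 136
set service "APP-B"
exit
set policy id 137 from "Trust" to "Untrust" "Any" "Any" "APP-C" permit
'''

def audit(config):
    """Return {policy_id: [services with a custom timeout]} for risky policies."""
    timeouts, groups = {}, defaultdict(set)
    policy_services, current = defaultdict(list), None
    for line in config.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["set", "service"] and "protocol" in tok and "timeout" in tok:
            timeouts[tok[2]] = tok[tok.index("timeout") + 1]
        elif tok[:3] == ["set", "group", "service"] and tok[4:5] == ["add"]:
            groups[tok[3]].add(tok[5])
        elif tok[:3] == ["set", "policy", "id"] and len(tok) == 4:
            current = tok[3]                      # enter the policy sub-context
        elif tok[:3] == ["set", "policy", "id"] and "from" in tok:
            i = tok.index("from")                 # from Z1 to Z2 src dst service
            policy_services[tok[3]].append(tok[i + 6])
        elif tok == ["exit"]:
            current = None
        elif current and tok[:2] == ["set", "service"] and len(tok) == 3:
            policy_services[current].append(tok[2])  # extra service on the policy
    findings = {}
    for pid, refs in policy_services.items():
        members = set()
        for ref in refs:
            members |= groups.get(ref, {ref})     # expand groups to their members
        custom = sorted(m for m in members if m in timeouts)
        if custom and (len(refs) > 1 or any(r in groups for r in refs)):
            findings[pid] = custom
    return findings

if __name__ == "__main__":
    for pid, services in audit(SAMPLE_CONFIG).items():
        print(f"policy {pid}: custom timeouts may not apply for {services}")
```

Policies it flags are candidates to split into one service per policy, the workaround described in the last post; compare the `time` value in the session table before and after to confirm.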