Getting "Close - AGE OUT" by Traffic log



  • Hello,

    I’m getting “Close - AGE OUT” in the Traffic log, in the “Close Reason” column. What does this mean?

    Where can I find more info about this topic?

    Thanks
    Inderjit


  • Engineer

    Hi,

    if http works but citrix doesn’t, it could be a policy, or the MTU size, because citrix and terminal service applications use a full packet.

    so plz try this (if ping is possible):

    ping <ip> -l 1500
    ping <ip> -l 1400

    and lower this until the ping works.

    then take this value and lower it a bit more (to be sure)

    and do this on both firewalls.

    set flow tcp-mss <value>
    set flow path-mtu

    GreetZ,
    Frac



  • Hi Frac,

    Basically I am facing the same issue as in this thread:

    http://www.juniperforum.com/index.php/topic,4818.0.html

    I have already increased the timeout to 2 hours. So I suppose I should not see any Close - Age Out error? Please correct me if I am wrong.

    Thanks


  • Engineer

    Hi,

    if you know which traffic it is (dest port or something), you can have a look at it with: get session dst-ip (or port or ….) and look if the timer is low. (Normally it will be 180 for tcp, which is decreased by 1 every 10 sec, so it is 30 min in total.)

    GreetZ,
    Frac



  • Hi Frac,

    I am facing this issue too. I am getting Close - AGE OUT for sessions that are a few seconds old too. I have the same P1 and P2 timers on both sides, and the same Netscreen device on both sides too. 😞


  • Engineer

    Hi ben.blendeman,

    Be sure to have the same phase 1 and phase 2 timers on both sides. This could be the problem, where the Cisco doesn’t think phase 1/phase 2 needs to be renegotiated.

    GreetZ,
    Frac


  • Engineer

    @mindwise:

    Hi,

    The age out means that an active session has timed out due to no traffic flowing that would keep that session alive. (and the netscreen did not see a tcp-fin or tcp-reset for that session.)

    The default timeout for most tcp services on the netscreen is 30 minutes (where http is 5 minutes).

    That might mean you run a session like telnet but the session remained ‘idle’ for longer than the session time-out hence the close due to ‘age-out’.

    Perfectly normal, though potentially unwanted, behaviour that can be changed by creating a custom service for the service that is (if it is prematurely) aged out, with a larger (custom) age-out time.

    I thought this was the case until recently. I have noticed sessions closing with “age-out” that are only a few seconds old, in many cases where a valid TCP handshake occurred, and for some reason it’s still “age-out” in the traffic logs.

    I haven’t had time to look at it in depth, but worth mentioning.



  • debug ike all



    Ok I understand, but I have “set vpn “VPN_X” monitor” enabled on this tunnel and I thought this should keep this tunnel open….

    It seems that it closes the tunnel, but phase 1 and 2 seem to be active. Sometimes it takes a weekend, sometimes half a day, so I can not say this has to be a timer or something like that.

    For me a VPN should always be up… Any ideas or advice?



  • Hi,

    The age out means that an active session has timed out due to no traffic flowing that would keep that session alive. (and the netscreen did not see a tcp-fin or tcp-reset for that session.)

    The default timeout for most tcp services on the netscreen is 30 minutes (where http is 5 minutes).

    That might mean you run a session like telnet but the session remained ‘idle’ for longer than the session time-out hence the close due to ‘age-out’.

    Perfectly normal, though potentially unwanted, behaviour that can be changed by creating a custom service for the service that is (if it is prematurely) aged out, with a larger (custom) age-out time.

    Cheers,

    m



    I have a VPN between my NS and a Cisco VPN concentrator. I often also receive these “close - age out” logs in my Traffic Log.
    It seems that my VPN is still up (Phase 1 and 2), but I am not able anymore to reach a device on the other side.

    So can I say for 100% that the problem is on the Cisco side because I receive the “close - age out” message? Please advise….



  • It simply is a new way (since the latest ScreenOS versions) to indicate that an attempt to make a TCP session was made and the other side didn’t respond for a while, so the session got closed since it so-called “aged out”. It’s a normal thing and doesn’t help you troubleshoot any problems really.
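As an added example (not code from this thread), the Python below sorts “Close - AGE OUT” records the way the discussion above does: the expected idle timeout mindwise describes, versus the short-lived sessions reported later where the peer never answered at all, or where both sides talked and the timer still expired early. The log lines and their key=value layout are constructed for illustration, and the 1800 s / 300 s timeouts are the values quoted in the thread.

```python
import re
from collections import Counter

# Idle timeouts as quoted in the thread: 30 min for most TCP services, 5 min for HTTP.
DEFAULT_TCP_TIMEOUT = 1800
SERVICE_TIMEOUT = {"http": 300}

# Constructed ScreenOS-style traffic log lines (illustrative, not real captures).
SAMPLE_LOG = """\
start_time="2006-03-01 09:00:00" duration=1805 service=telnet proto=6 sent=812 rcvd=640 src=10.1.1.5 dst=10.2.2.9 src_port=40111 dst_port=23 session_id=1001 reason=Close - AGE OUT
start_time="2006-03-01 09:01:10" duration=4 service=tcp/port:3389 proto=6 sent=180 rcvd=0 src=10.1.1.6 dst=10.2.2.40 src_port=40112 dst_port=3389 session_id=1002 reason=Close - AGE OUT
start_time="2006-03-01 09:01:12" duration=12 service=tcp/port:3389 proto=6 sent=2200 rcvd=0 src=10.1.1.6 dst=10.2.2.40 src_port=40113 dst_port=3389 session_id=1003 reason=Close - AGE OUT
start_time="2006-03-01 09:02:00" duration=300 service=http proto=6 sent=900 rcvd=15000 src=10.1.1.7 dst=10.2.2.8 src_port=40114 dst_port=80 session_id=1004 reason=Close - TCP FIN
start_time="2006-03-01 09:02:30" duration=6 service=tcp/port:3389 proto=6 sent=3000 rcvd=2500 src=10.1.1.8 dst=10.2.2.40 src_port=40115 dst_port=3389 session_id=1005 reason=Close - TCP RST
start_time="2006-03-01 09:03:00" duration=45 service=telnet proto=6 sent=300 rcvd=200 src=10.1.1.5 dst=10.2.2.9 src_port=40116 dst_port=23 session_id=1006 reason=Close - AGE OUT
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REASON_RE = re.compile(r'reason=(.+?)\s*$')

def parse_line(line):
    """Split one log line into a dict; 'reason' contains spaces, so it is cut off first."""
    reason = REASON_RE.search(line)
    body = line[:reason.start()] if reason else line
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    rec["reason"] = reason.group(1) if reason else ""
    for key in ("duration", "sent", "rcvd"):
        rec[key] = int(rec.get(key, 0))
    return rec

def classify(rec):
    """Label an age-out as the expected idle timeout or as something worth a closer look."""
    if rec["reason"] != "Close - AGE OUT":
        return "normal-close"
    limit = SERVICE_TIMEOUT.get(rec.get("service", "").lower(), DEFAULT_TCP_TIMEOUT)
    if rec["duration"] >= limit:
        return "idle-timeout"       # peer stayed quiet for the whole timer: expected behaviour
    if rec["rcvd"] == 0:
        return "no-reply"           # we sent, peer never answered: check path, MTU, peer host
    return "premature-ageout"       # both sides talked, timer still expired early: check session timers

def triage(log_text):
    """Map session_id -> category for every record in the log text."""
    records = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return {rec["session_id"]: classify(rec) for rec in records if "session_id" in rec}

def summarize(log_text):
    """Count how many sessions fall into each category."""
    return Counter(triage(log_text).values())
```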

