Clear oldest session, set session timeout



  • Hi,

    I have my session table which is reaching the max. Is there a way to decrease session timeout so that when the max number is reached i do not have unallocated session? Is there a way to clear oldest sessions in the session table when it reaches the max?

    Best Regards



  • I am correcting myself out here... normally most of the TCP connections have a timeout of 30 min and UDP connections have a timeout of 1 minute.

    You can check the same using the below commands.

    NetScreen-> get service timeout tcp port 23  >>>>>>>>>>>>>>> For Telnet it is 30 mins
      30 : port timeout (minutes)
    NetScreen-> get service timeout tcp port 80  >>>>>>>>>>>>>>> For HTTP it is 5 mins
        5 : port timeout (minutes)
    NetScreen-> get service timeout tcp port 22  >>>>>>>>>>>>>>> For SSH it is again 30 mins
      30 : port timeout (minutes)
    NetScreen-> get service timeout tcp port 53  >>>>>>>>>>>>>>> For DNS/TCP it is 30 mins
      30 : port timeout (minutes)
    NetScreen-> get service timeout udp port 53  >>>>>>>>>>>>>>> For DNS/UDP it is 1 min
        1 : port timeout (minutes)

    What is the ScreenOS version running on your device, I presume it is lower than 5.3 release.

    Default timeout value for pre-defined service “ANY” can be changed for ScreenOS version 5.3 and above.

    Prior to ScreenOS versions 5.3, the timeout value for the pre-defined service “ANY” was shown as ‘default’ and this timeout value could not be changed:

    netscreen-> get service any
    Name:      ANY
    Category:  other          ID:  0  Flag:  Pre-defined
    Transport    Src port    Dst port  ICMPtype,code  Timeout(min) Application
        0        0/65535      0/65535                      default

    In ScreenOS 5.3 and above, the actual timeout value for the pre-defined service “ANY” is displayed in minutes and this value can be changed.

    netscreen-> get service any
    Name:      ANY
    Category:  other          ID:  0  Flag:  Pre-defined
    Transport    Src port    Dst port  ICMPtype,code  Timeout(min) Application
        0        0/65535      0/65535                  30

    To change the value, enter the command:

    set service ANY timeout <nnn>        (where <nnn>: valid range 1 - 2160 or never)



  • Good that worked for you….I was away all day in meetings could not reply earlier…

    If you wanna check the timeout values for TCP and UDP, you can check using the below commands.

    get service timeout protocol tcp
    get service timeout protocol udp

    I am not sure if I am correct with the command; if not, then type in get service and press tab, and you would come to know if it asks for protocol or something else to be punched in.

    Else I can confirm the command to you by tomorrow.



  • Hi Marty,

    You are a CHAMPION!
    For the policy 128 I replaced the service ANY by TEST-T (30 min) and TEST-U (5 min) yesterday.

    Set service TEST-T protocol tcp src-port 0-65535 dst-port 0-65535 timeout 30
    Set service TEST-U protocol udp src-port 0-65535 dst-port 0-65535 timeout 5

    For dst-port I used 0-65535 because sessions include both standard and non-standard ports and we want to allow all traffic from the Gi-sz to untrust-sz.

    The session number decreased to 2% (from 50%) within 14 hours.
    Are we sure that the ANY service has 30 min as timeout for TCP and 1 min for UDP? How to check these values (get service any just says default value)?

    Best Regards



  • Because you earlier said that you are more concerned about non-std ports... if it is DNS then it would be using standard port 53 TCP/UDP.

    Create one rule using this TEST-T and TEST-U that would take care of your non-std ports and service timeout request, and for the rest of your standard ports you can make specific rules for DNS/SSH/HTTP etc. OR, if you want to get rid of that, create another service for dst-port 0-1024 and tweak it to whatever timeout value you feel comfortable with; normally for TCP I think it is 30 mins and for UDP it is 1 min.



  • You mean do this for TCP and another one for UDP and apply both to the policy, because I have both TCP and UDP sessions. Like this:

    Set service TEST-T protocol tcp src-port 0-65535 dst-port 1024-65535 timeout <value>
    Set service TEST-U protocol udp src-port 0-65535 dst-port 1024-65535 timeout <value>

    Then what about requests towards a DNS server, for example? I mean for the dst-port, why did you choose the range 1024-65535 instead of 0-65535?



  • Then try this -

    Set service TEST protocol tcp src-port 0-65535 dst-port 1024-65535 timeout <value>

    And use this service in your policy instead of 'Any'.



  • Those sessions are not using only one port; I have about as many different sessions as ports. So I cannot even define a single service for each port and apply it.



  • I know all that; this is the reason I am looking for a way to set a default timeout for all sessions using an unofficial port number.
    This is exactly my problem: because those sessions have very big timeouts, they remain in the table and fill it quickly.



  • Ok so you have service ‘Any’ allowed. I was kinda concerned as in the ‘get session’ output that you had pasted earlier I could see some very long timeout sessions.

    id 82748/s0*,vsys 0,flag 00200400/4000/0003,policy 128,time 5966, dip 2 module 0
    if 38(nspflag 800805):x1.x2.x3.x4/6881->79.90.136.183/59470,17,00005e00010d,sess token 24,vlan 35,tun 0,vsd 0,route 19
    if 40(nspflag 10800804):y1.y2.y3.y4/43715<-79.90.136.183/59470,17,00152ba5b021,sess token 28,vlan 40,tun 0,vsd 0,route 5

    Which means this particular session will time out after 59660 seconds which is very-very long time.

    That is quite a long time for even a stale session to timeout and get flushed from the session table, what do you reckon?

    Keep an eye on the get session output at what ports the untrusted hosts are communicating; there should be some specific ports at which the Internet side is talking to your DMZ side. Once you get to know that, you can create a custom service for that particular port with a much smaller timeout value and punch it into your current policy.

    FYI…

    The timeout for a session is displayed with the command ‘get session’.  In the ‘get session’ output, the time field is the session timeout indicator.  The time field value is in units of ticks (1 tick = 10 seconds).

    For example:

    fw> get session
    alloc 24/max 2048, alloc failed 0
    id 510/s**,vsys 0,flag 00000040/00/20,policy 320000,time 4
    3(01):x1.y.z.p/2055->p.q.r.s/514,17,000000000000,vlan 0,tun 0,vsd 0
    0(20):x1.y.z.p/2055<-p.q.r.s/514,17,000a27b0c2c0,vlan 0,tun 0,vsd 0
    id 1021/s**,vsys 0,flag 00000040/80/20,policy 1,time 180
    1(21):x1.y.z.p/32761->u.v.w.x/1100,6,00d0ba83e6a8,vlan 0,tun 0,vsd0
    3(00):x1.y.z.p/32761<-u.v.w.x/1100,6,000000000000,vlan 0,tun 0,vsd0

    The first session has a timeout of 4 ticks, or 40 seconds. The second session has a timeout of 180 ticks, or 30 minutes.
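As an added example (not code from the thread), here is a small parser for the 'get session' format quoted above: it converts the time field from ticks to seconds, flags sessions whose remaining timeout exceeds the thread's stated TCP (30 min) and UDP (1 min) defaults, and counts them per policy and destination port so you can see which rule's service needs a shorter timeout. The sample output is constructed with documentation and private addresses, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample in the thread's "get session" format (RFC 5737/1918 addresses, not real hosts).
SAMPLE = """\
alloc 24/max 2048, alloc failed 0
id 82748/s0*,vsys 0,flag 00200400/4000/0003,policy 128,time 5966, dip 2 module 0
if 38(nspflag 800805):10.0.0.1/6881->198.51.100.7/59470,17,00005e00010d,sess token 24,vlan 35,tun 0,vsd 0,route 19
if 40(nspflag 10800804):10.0.0.2/43715<-198.51.100.7/59470,17,00152ba5b021,sess token 28,vlan 40,tun 0,vsd 0,route 5
id 1021/s**,vsys 0,flag 00000040/80/20,policy 1,time 180
1(21):10.0.0.3/32761->192.0.2.9/1100,6,00d0ba83e6a8,vlan 0,tun 0,vsd0
3(00):10.0.0.3/32761<-192.0.2.9/1100,6,000000000000,vlan 0,tun 0,vsd0
id 510/s**,vsys 0,flag 00000040/00/20,policy 320000,time 4
3(01):10.0.0.4/2055->192.0.2.5/514,17,000000000000,vlan 0,tun 0,vsd 0
0(20):10.0.0.4/2055<-192.0.2.5/514,17,000a27b0c2c0,vlan 0,tun 0,vsd 0
"""

TICK_SECONDS = 10                   # thread: the "time" field is in ticks of 10 s
LIMITS = {6: 30 * 60, 17: 60}       # thread's defaults: TCP 30 min, UDP 1 min (seconds)

ALLOC_RE = re.compile(r"^alloc (\d+)/max (\d+)")
ID_RE = re.compile(r"^id (\d+)/\S+,vsys \d+,flag \S+,policy (\d+),time (\d+)")
FLOW_RE = re.compile(r":\S+?/\d+->(\S+?)/(\d+),(\d+),")   # forward flow: dst, dport, proto

def parse_sessions(text):
    """Return (alloc, max, sessions) from 'get session' output; timeouts in seconds."""
    alloc = maximum = None
    sessions, cur = [], None
    for line in text.splitlines():
        if m := ALLOC_RE.match(line):
            alloc, maximum = int(m.group(1)), int(m.group(2))
        elif m := ID_RE.match(line):
            cur = {"id": int(m.group(1)), "policy": int(m.group(2)),
                   "timeout_s": int(m.group(3)) * TICK_SECONDS}
            sessions.append(cur)
        elif (m := FLOW_RE.search(line)) and cur is not None and "proto" not in cur:
            cur["dst"], cur["dst_port"], cur["proto"] = m.group(1), int(m.group(2)), int(m.group(3))
    return alloc, maximum, sessions

def long_sessions(sessions, limits=LIMITS):
    """Sessions whose remaining timeout exceeds the default for their protocol."""
    return [s for s in sessions if s["timeout_s"] > limits.get(s.get("proto"), 0)]

def hotspots(sessions):
    """Count long sessions per (policy, protocol, dst port): which rule and ports to narrow."""
    return Counter((s["policy"], s["proto"], s["dst_port"]) for s in long_sessions(sessions))

def utilization(alloc, maximum):
    """Fraction of the session table in use (thread: 50% before, 2% after the fix)."""
    return alloc / maximum
```

Feed it the pasted output of 'get session' (IPs masked or not) and the hotspots counter tells you which policy and destination ports carry the sessions with the longest remaining timeouts.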



  • Here is the policy 128; it is set on Any.

    set policy id 128 from “Gi-sz” to “Untrust-sz”  “APN1” “Any” “ANY” nat src permit
    set policy id 128

    FW(M)-> get service any
    Name:      ANY
    Category:  other          ID:  0  Flag:  Pre-defined

    Transport    Src port    Dst port  ICMPtype,code  Timeout(min|10sec*) Application
        0        0/65535      0/65535                      default

    FW(M)->



  • That's too small an output from get session; there are only 2-3 sessions that you have pasted out here. But there is also something in this that sounds strange.

    1. Can you paste/have a look at your Policy number 128.
    2. What are the services you have allowed in Policy Number 128.
    3. Can you paste the output of the "get service <service name>" command for those particular services that are allowed in rule number 128.


  • Hi,

    I can see those kinds of sessions, but they are using unofficial port numbers and they are different from one session to another. I cannot define an application and set a timeout for all of them.

    I am using ISG 2000, with ScreenOS 6.1.0r7
    Here are some examples:

    id 82748/s0*,vsys 0,flag 00200400/4000/0003,policy 128,time 5966, dip 2 module 0
    if 38(nspflag 800805):x1.x2.x3.x4/6881->79.90.136.183/59470,17,00005e00010d,sess token 24,vlan 35,tun 0,vsd 0,route 19
    if 40(nspflag 10800804):y1.y2.y3.y4/43715<-79.90.136.183/59470,17,00152ba5b021,sess token 28,vlan 40,tun 0,vsd 0,route 5
    id 82754/s0*,vsys 0,flag 00200400/4000/0003,policy 128,time 5731, dip 2 module 0
    if 38(nspflag 800805):z1.z2.z3.z4/60142->88.9.240.241/29993,17,00005e00010d,sess token 24,vlan 35,tun 0,vsd 0,route 19
    if 40(nspflag 10800804):y1.y2.y3.y4/19799<-88.9.240.241/29993,17,00152ba5b021,sess token 28,vlan 40,tun 0,vsd 0,route 5
    id 82770/s0*,vsys 0,flag 00200400/4000/0003,policy 128,time 5800, dip 2 module 0
    if 38(nspflag 800805):x1.x2.x3.x4/6881->88.70.76.217/23941,17,00005e00010d,sess token 24,vlan 35,tun 0,vsd 0,route 19
    if 40(nspflag 10800804):z1.z2.z3.z4/30347<-88.70.76.217/23941,17,00152ba5b021,sess token 28,vlan 40,tun 0,vsd 0,route 5

    Thanks



  • Command "clear session all" won't help you, as it would clear all the established sessions from the session table, which would lead to production issues.

    I feel you should check the stale sessions in your session table from the "get session" output. There can be a case where some service which has a high timeout value is taking up space in your session table by simply sitting idle there. If you find any, then I would suggest you reduce the timeout value for the same to some logical value which does not break your current set-up.

    Also can you tell the below details.

    1. Model of your Juniper Device.
    2. Screen OS version of your device.
    3. Paste the get session output. (Hide your IPs from it)
