Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] What is the service timeout lookup logic and how is the timeout set when a session is created?

0

0
Article ID: KB11970 KB Last Updated: 15 Dec 2017Version: 6.0 Summary:
This article provides information about the service timeout lookup logic and how the timeout is set, when a session is created. Starting with ScreenOS version 5.3.r3, the logic for service timeout lookup has changed. 
Symptoms:
Questions:
 
  • The timeout for the session is not as expected. How is the timeout set?

  • How is the timeout set when a session is created?

  • When viewing a session in the output of get session, what does ScreenOS set as the time (timeout) value to in the session:
    id 1898/s**,vsys 0,flag 00000000/0000/0001,policy 1,dip 2 module 0
    if 11(nspflag 801801):192.168.2.34/1120->66.129.225.23/443,6,00166f3e5371,sess token 4,vlan 0,tun 0,vsd 0,route 3
    if 9(nspflag 3800):68.165.2.119/1670<-66.129.225.23/443,6,000000000000,sess token 6,vlan 0,tun 0,vsd 0,route 23
Solution:

Prior to ScreenOS 5.3r3 (version 5.3r2 or earlier), the last configured service timeout was considered for overlap services, when the policy is configured with multicell or service groups.

The new logic for the service timeout lookup, when a session is created with ScreenOS 5.3r3 or later, is as follows:

  1. In the policy, if the first packet that matches is using a specified service entry other than Any, ScreenOS will directly obtain the timeout value from the service entry. For example: 
    set policy from trust to untrust any any telnet permit
    If the policy is using a service group or is a multi-cell service policy, go to step (C).

  2. In the policy, if the first packet that matches is using the Any service and its timeout value is configured by the user, ScreenOS will directly obtain the value from the Any service. For example:
    set service any timeout 20
    set policy from trust to untrust any any any permit
    Otherwise, go to step (C)

  3. ScreenOS looks up the service timeout in the service timeout table according to the destination-port.  If the port is not overlapped with multiple service timeouts, ScreenOS will directly obtain the value. If the port is overlapped, go to step (D).

  4. If the logic is at this step, it means that the policy is using a service group, with which the port is overlapped or is using the Any service; If so, go to step (E). Otherwise, ScreenOS will try to find the matched service in the group, which is referenced by the matched policy, according to the destination port.
     
    • Go through all the service entries on the group.  If ScreenOS finds a match, ScreenOS will get the service timeout value.

    • Go through each sub group and match the all the service entries in the sub group.  If ScreenOS finds a match, ScreenOS will get the service timeout value.

    Note: The service or services in the group are selected based on the alphabetic order of the service names defined and not on the last configured service timeout.

    For example:
     
    • Create services for a port range 50 to 100, with three different service names (such as Aservice, Bservice and Cservice) with the protocol TCP/UDP and ports ranging between 50 - 100, and add these services in a group or just use them as multiple services in the policy.

    • Now, target the traffic destined to port 80 to match the policy.

    • The three services that are configured will then have an overlap timeout, as port 80 is part of the range 50-100 in all the defined services.

    • In this scenario, ScreenOS selects the service timeout of Aservice, as it is the first service as per the alphabetical order.

    • It does not matter which service was added first or last.


    To check whether the service has an overlap timeout, type the following command, based on the port you are looking for. In this example, port 80 is used and the output will show it as overlap timeout:
    Test-> get service timeout tcp port 80
    overlap timeout
    If there is no overlap timeout, then you will see the following output with the exact timeout value for the service:
    Test-> get service timeout tcp port 22
    30 : port timeout (minutes)
  5. The default timeout value of a user-defined service is zero. If ScreenOS obtains a zero value for the service timeout, ScreenOS will obtain the system default service timeout value, as per the TCP or UDP protocol.

The following flow chart shows how the lookup process works:



Note: Refer to the following article for a condition that does not follow the above logic:

KB17508 - Service timeout assigned to custom services other than TCP/UDP is not working as expected

 

Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search