Sessions on Microsoft Active Directory Services Time Out Earlier Than Expected

Article ID: KB15038    Last Updated: 25 Aug 2009    Version: 1.0
Summary:
A session that matches one of the Microsoft Active Directory services times out after 60 seconds instead of the expected 30 minutes.
Symptoms:

Solution:
When a session is created on the firewall, it goes through several checks.  After the route lookup, the zone lookup and the policy search (finding the policy to match), the flow performs an RPC Mapping Table search.  The flow does this search every time a session is created.  If no RPC service matches the packet, the flow reports "RPC Mapping Table search returned 0 matched service(s)".  If there is a match, it reports the uid it found, which can be cross-referenced to a UUID.  The UUID can then be cross-referenced to the actual matched service in the service table, and it is the timeout of that RPC service, not the timeout of the service in the matched policy, that the session inherits.

This is best illustrated through an example.

Assume a custom service for port 1025 is created and assigned the default timeout of 30 minutes, and that the session matches a policy using this custom service.  The resulting debug flow basic output looks like the following:
****** 00492.0: <Work/ethernet1> packet received [48]******
  ipid = 43358(a95e), @05a148f4
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet1:192.168.10.20/7070->172.24.192.20/1025,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet1>, out <N/A>
  chose interface ethernet1 as incoming nat if.
  flow_first_routing: in <ethernet1>, out <N/A>
  search route to (ethernet1, 192.168.10.20->172.24.192.20) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 21.route 172.24.192.20->172.24.28.1, to ethernet3
  routed (x_dst_ip 172.24.192.20) from ethernet1 (ethernet1 in 0) to ethernet3 
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 1 matched service(s) for (vsys Root, ip 172.24.192.20, port 1025, proto 6)
  first RPC service matched: uid 2147483655(0x80000007)
  SW RPC Rule Table match: uid 2147483655(0x80000007), polid id 37, index 24
  Permitted by policy 37
  dip id = 2, 192.168.10.20/7070->172.24.28.207/1872
  choose interface ethernet3 as outgoing phy if
  no loop on ifp ethernet3.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet1>, out <ethernet3>

As you can see from the debug flow output, after the policy search is done, the RPC Mapping Table search returned 1 matched service(s), and the session timeout is reported as 60sec rather than the 30 minutes configured on the custom service.  The first RPC service matched has uid 2147483655 (0x80000007).  You can find the UUID that this uid maps to with the following command:
Cubicle-> get service uuid2oid-ms-rpc | i 0x80000007
52 244 0x80000007 f5cc5a18-4264-101a-8c59-08002b2f8426

The corresponding UUID is f5cc5a18-4264-101a-8c59-08002b2f8426, which belongs to the pre-defined service MS-EXCHANGE-DIRECTORY:
Cubicle-> get service MS-EXCHANGE-DIRECTORY
Name: MS-EXCHANGE-DIRECTORY
Category: other ID: 0 Flag: Pre-defined

Transport  UUID                                  Timeout(min)  Application
MS-RPC     f5cc5a18-4264-101a-8c59-08002b2f8426  1
MS-RPC     f5cc5a7c-4264-101a-8c59-08002b2f8426  1
MS-RPC     f5cc59b4-4264-101a-8c59-08002b2f8426  1

As this output shows, the service has a timeout of 1 minute, or 60 seconds.  This confirms why the session times out after 60 seconds even though the matched policy uses a service with a 30-minute timeout: the policy is still matched (policy 37 in the debug output above), but the session timeout reflects the value in the RPC service table.
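The cross-reference above can be automated when the same symptom has to be checked across many sessions.  The following Python script is an added example; it is not part of this article and not ScreenOS code.  It embeds the three outputs shown above as constructed sample input, pulls the RPC uid, policy id and session timeout out of the debug flow lines, maps the uid to a UUID using the uuid2oid-ms-rpc output, and looks the UUID up in the service table to confirm that the 60-second session timeout is the 1-minute timeout of the matched RPC service.  The regular expressions are the script's own assumption about the output formats shown in this article; the meaning of the first two columns of the uuid2oid-ms-rpc output is not documented here and the script does not rely on them.

```python
"""Cross-reference a ScreenOS 'debug flow basic' RPC match with the service
tables to show where a session's timeout comes from (added example)."""
import re

# Constructed sample input: the relevant lines of the KB's debug flow output.
DEBUG_FLOW = """\
  policy search from zone 2-> zone 1
  RPC Mapping Table search returned 1 matched service(s) for (vsys Root, ip 172.24.192.20, port 1025, proto 6)
  first RPC service matched: uid 2147483655(0x80000007)
  SW RPC Rule Table match: uid 2147483655(0x80000007), polid id 37, index 24
  Permitted by policy 37
  session application type 0, name None, nas_id 0, timeout 60sec
"""

# Constructed sample input: one line of 'get service uuid2oid-ms-rpc' output.
# Only the oid (hex) and UUID columns are used; the first two columns are not
# documented in the KB and are skipped.
UUID2OID = """\
52 244 0x80000007 f5cc5a18-4264-101a-8c59-08002b2f8426
"""

# Constructed sample input: 'get service MS-EXCHANGE-DIRECTORY' output.
SERVICE_TABLE = """\
Name: MS-EXCHANGE-DIRECTORY
Category: other ID: 0 Flag: Pre-defined

Transport UUID Timeout(min) Application
MS-RPC f5cc5a18-4264-101a-8c59-08002b2f8426 1
MS-RPC f5cc5a7c-4264-101a-8c59-08002b2f8426 1
MS-RPC f5cc59b4-4264-101a-8c59-08002b2f8426 1
"""

# Assumed line formats, derived from the output reproduced in the article.
RPC_COUNT_RE = re.compile(r"RPC Mapping Table search returned (\d+) matched service")
RPC_UID_RE = re.compile(r"first RPC service matched: uid (\d+)\((0x[0-9A-Fa-f]+)\)")
POLICY_RE = re.compile(r"Permitted by policy (\d+)")
TIMEOUT_RE = re.compile(r"timeout (\d+)sec")
UUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"


def parse_debug_flow(text):
    """Extract the RPC uid, permitting policy and session timeout.

    Returns None when the flow reported 0 matched RPC services: in that case
    the timeout of the policy's own service applies and there is nothing to
    cross-reference.
    """
    count = RPC_COUNT_RE.search(text)
    if not count or int(count.group(1)) == 0:
        return None
    uid, policy, timeout = (RPC_UID_RE.search(text), POLICY_RE.search(text),
                            TIMEOUT_RE.search(text))
    if not (uid and policy and timeout):
        raise ValueError("RPC match reported but uid/policy/timeout lines are missing")
    uid_dec, uid_hex = int(uid.group(1)), uid.group(2).lower()
    # The flow prints the uid in both bases; make sure the two agree.
    if uid_dec != int(uid_hex, 16):
        raise ValueError(f"decimal uid {uid_dec} disagrees with {uid_hex}")
    return {"uid_hex": uid_hex, "policy": int(policy.group(1)),
            "timeout_sec": int(timeout.group(1))}


def uid_to_uuid(uuid2oid_text, uid_hex):
    """Map a uid (hex form) to its UUID via 'get service uuid2oid-ms-rpc' output."""
    row = re.compile(r"^\s*\d+\s+\d+\s+(0x[0-9A-Fa-f]+)\s+(" + UUID + r")\s*$", re.M)
    for oid, uuid in row.findall(uuid2oid_text):
        if oid.lower() == uid_hex.lower():
            return uuid.lower()
    return None


def service_timeouts(service_text):
    """Parse 'get service NAME' output into (name, {uuid: timeout_min})."""
    name = re.search(r"^Name:\s*(\S+)", service_text, re.M)
    rows = re.findall(r"^MS-RPC\s+(" + UUID + r")\s+(\d+)", service_text, re.M)
    return (name.group(1) if name else None,
            {uuid.lower(): int(mins) for uuid, mins in rows})


def explain_timeout(debug_text, uuid2oid_text, service_text):
    """Tie the three outputs together and check whether the session timeout
    equals the matched RPC service's timeout (in minutes) rather than the
    policy service's timeout."""
    match = parse_debug_flow(debug_text)
    if match is None:
        return {"rpc_matched": False}
    uuid = uid_to_uuid(uuid2oid_text, match["uid_hex"])
    name, timeouts = service_timeouts(service_text)
    rpc_min = timeouts.get(uuid)
    return {
        "rpc_matched": True,
        "policy": match["policy"],
        "uuid": uuid,
        "service": name,
        "rpc_timeout_min": rpc_min,
        "session_timeout_sec": match["timeout_sec"],
        "timeout_from_rpc_table": rpc_min is not None and rpc_min * 60 == match["timeout_sec"],
    }


if __name__ == "__main__":
    for key, value in explain_timeout(DEBUG_FLOW, UUID2OID, SERVICE_TABLE).items():
        print(f"{key}: {value}")
```

Feed it the real outputs of debug flow basic, get service uuid2oid-ms-rpc and get service NAME captured from the firewall; when timeout_from_rpc_table is true, the short session timeout is explained by the RPC service table and not by the policy's service definition.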

For more details on troubleshooting MS-RPC issues, refer to KB11951 - Troubleshoot MSRPC problems on firewalls running ScreenOS.
