
[EOL/EOE] [ScreenOS] Manually clearing the session does not close the socket and connection on the client and server



Article ID: KB21096 | KB Last Updated: 18 Mar 2021 | Version: 6.0
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
This article describes the issue of the non-closure of the socket and connection on the client and server, even after the session is manually cleared.

Clearing a session does not clear its socket, which causes the next connection attempt to be interrupted. This applies to self traffic, that is, traffic terminated on the firewall itself: for management and control-plane traffic such as SSH, SSL, Telnet, HTTP, BGP, and Syslog, the firewall opens sockets.

As a result, the application on the user machine behaves unpredictably. Most of the time it hangs and becomes unresponsive, and it may never return to normal.

See the output below:

SSG550-> get socket
Socket Type State Remote IP Port Local IP Port
0 tcp4/6 listen :: 0 :: 80
1 tcp4/6 listen :: 0 :: 443
2 tcp4/6 listen :: 0 :: 23
7 tcp open 1222 23
256 udp4/6 open :: 0 :: 500
257 udp4/6 open :: 0 :: 4500
258 udp4/6 open :: 0 :: 500
259 udp4/6 open :: 0 :: 4500

SSG550-> get session src-ip
alloc 20/max 256064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 256044
Total 1 sessions according filtering criteria.
id 256055/s**,vsys 0,flag 00000040/0080/0021/0000,policy 320002,time 178, dip 0 module 0
if 6(nspflag 800601):>,6,00101863902a,sess token 4,vlan 0,tun 0,vsd 0,route 7,wsf 0
if 3(nspflag 2002010):<-,6,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0,wsf 0
Total 1 sessions shown

 SSG550-> clear session id 256055
Total cleared software sessions :1

SSG550-> get session src-ip
alloc 20/max 256064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 256044
Total 0 sessions according filtering criteria.
Total 0 sessions shown

Even after clearing the session, the socket is still in established state.
SSG550-> get soc id 7
socket 7, type tcp, state open
remote IP, port 1222, local IP, port 23, maxq 0, cnt 0, evt 0, ack_nbuf 0, snd_nbuf 0, sockp A5095B4
socket options: main 0x0, udp 0x0, raw 0x0
src if: ethernet0/2
pak q: head 0, tail 0 and count 0, max delay 0 ms, deq 0, drop 0
pak q: head 0, tail 0 and count 0, max delay 0 ms, deq 0, drop 0
sock id 7(7), flag 1, mode 2, state ESTABLISH, if ethernet0/2, vsys Root
vr trust-vr
idle time 0, time wait status 0
timer status 0, retry 0/10, timeout 330
local port 23, remote port
iss -292321697, mss 1380

This is by design. When a session is cleared manually, there is no information provided to the socket about the session. To manually clear the socket, use the following command:

clear socket id x -> (where x is the socket id)

You can obtain the socket ID information by using the get socket command.

To clear a Telnet or management session, look up the TCP socket ID for the process and clear it. For example, assume that a telnet session should be deleted. To obtain a list of telnet and other management sockets, log on to the Command Line Interface and issue the following command:

fw-> get socket

Socket Type State  Remote IP       Port    Local IP      Port
0       tcp listen         0       23
2       tcp listen         0       8754
3       tcp listen         0       4444
4       tcp listen         0       1100
41      tcp open    15400  58473
57      tcp open     17410  23
61      tcp open     17439  1100
100     udp close         0       161
101     udp close          0       67

The above table lists the sockets open on the firewall. In this example, the local IP is the address of the NetScreen firewall and the remote IP is the client connected to it. Socket 57 is an established connection from the client's source IP address to local port 23 (Telnet). To delete this socket, issue the following command:

fw-> clear socket id 57
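The lookup described above can be scripted when many stale management sockets have to be reviewed. The following parser for the get socket table is an added example, not part of this article or of ScreenOS; it uses the article's own (IP-scrubbed) table as constructed input, treats the management port set as an assumption, and only prints the clear socket id commands so an operator can confirm the peer address before running them on the device.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the scrubbed "get socket" table from the article.
# The published output lost its IP columns; only the port columns survive.
GET_SOCKET_OUTPUT = """\
Socket Type State  Remote IP       Port    Local IP      Port
0       tcp listen         0       23
2       tcp listen         0       8754
3       tcp listen         0       4444
4       tcp listen         0       1100
41      tcp open    15400  58473
57      tcp open     17410  23
61      tcp open     17439  1100
100     udp close         0       161
101     udp close          0       67
"""

# Assumption: management ports whose sockets are worth reviewing
# (SSH, Telnet, HTTP, HTTPS, BGP). Adjust to the device's configuration.
MGMT_PORTS = {22, 23, 80, 443, 179}

@dataclass
class Socket:
    sock_id: int
    proto: str               # "tcp", "tcp4/6", "udp", ...
    state: str               # "listen", "open", "close"
    remote_ip: Optional[str]  # None when the output was scrubbed
    remote_port: int
    local_ip: Optional[str]
    local_port: int

def parse_get_socket(output: str) -> list[Socket]:
    """Parse a 'get socket' table; accepts rows with or without IP columns."""
    sockets = []
    for line in output.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].isdigit():
            continue                      # header, blank line or prompt
        sock_id, proto, state, rest = int(tok[0]), tok[1], tok[2], tok[3:]
        if len(rest) == 4:                # remote_ip rport local_ip lport
            rip, rport, lip, lport = rest
        elif len(rest) == 2:              # scrubbed output: ports only
            rip, lip = None, None
            rport, lport = rest
        else:
            continue
        sockets.append(Socket(sock_id, proto, state, rip, int(rport), lip, int(lport)))
    return sockets

def stale_mgmt_sockets(sockets, mgmt_ports=MGMT_PORTS):
    """Established TCP sockets on a management port: candidates for 'clear socket id'."""
    return [s for s in sockets
            if s.proto.startswith("tcp") and s.state == "open" and s.local_port in mgmt_ports]

def clear_commands(sockets):
    """Render the ScreenOS commands the operator would type, one per socket."""
    return [f"clear socket id {s.sock_id}" for s in sockets]

if __name__ == "__main__":
    for cmd in clear_commands(stale_mgmt_sockets(parse_get_socket(GET_SOCKET_OUTPUT))):
        print(cmd)                        # prints: clear socket id 57
```

On real output the remote IP column is present, so narrow the filter to the peer whose session you cleared rather than clearing every socket on the port.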
Modification History:
2021-03-13: Removed EOL devices
2020-03-18: Added [EOL/EOS] to title, and added EOL note in summary.
2019-05-30: Non-technical, minor update.