
[ScreenOS] Manually clearing the session does not close the socket and connection on the client and server


Article ID: KB21096 KB Last Updated: 30 May 2019Version: 4.0
Summary:

This article describes the issue of the non-closure of the socket and connection on the client and server, even after the session is manually cleared.

Symptoms:

Clearing a session does not clear the socket that belongs to it, so the next connection attempt from the same client is interrupted. This happens with self traffic (traffic terminated on the firewall itself): for management traffic such as SSH, SSL, Telnet, HTTP, BGP, and Syslog, the firewall opens a socket in addition to creating the session.

As a result, the application on the user machine behaves differently: most of the time it hangs and becomes unresponsive, and it might never return to normal.

See the output below:

SSG550-> get socket
Socket Type State Remote IP Port Local IP Port
0 tcp4/6 listen :: 0 :: 80
1 tcp4/6 listen :: 0 :: 443
2 tcp4/6 listen :: 0 :: 23
7 tcp open 172.27.199.197 1222 172.27.201.140 23
256 udp4/6 open :: 0 :: 500
257 udp4/6 open :: 0 :: 4500
258 udp4/6 open :: 0 :: 500
259 udp4/6 open :: 0 :: 4500


SSG550-> get session src-ip 172.27.199.197
alloc 20/max 256064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 256044
Total 1 sessions according filtering criteria.
id 256055/s**,vsys 0,flag 00000040/0080/0021/0000,policy 320002,time 178, dip 0 module 0
if 6(nspflag 800601):172.27.199.197/1222->172.27.201.140/23,6,00101863902a,sess token 4,vlan 0,tun 0,vsd 0,route 7,wsf 0
if 3(nspflag 2002010):172.27.199.197/1222<-172.27.201.140/23,6,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0,wsf 0
Total 1 sessions shown


SSG550-> clear session id 256055
Total cleared software sessions :1

SSG550-> get session src-ip 172.27.199.197
alloc 20/max 256064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 256044
Total 0 sessions according filtering criteria.
Total 0 sessions shown


Even after the session is cleared, the socket is still in the established state:

SSG550-> get soc id 7
socket 7, type tcp, state open
remote IP 172.27.199.197, port 1222, local IP 172.27.201.140, port 23, maxq 0, cnt 0, evt 0, ack_nbuf 0, snd_nbuf 0, sockp A5095B4
socket options: main 0x0, udp 0x0, raw 0x0
app type: SELF_APP_SVR_TELNET
src if: ethernet0/2
pak q: head 0, tail 0 and count 0, max delay 0 ms, deq 0, drop 0
pak q: head 0, tail 0 and count 0, max delay 0 ms, deq 0, drop 0
sock id 7(7), flag 1, mode 2, state ESTABLISH, if ethernet0/2, vsys Root
vr trust-vr
idle time 0, time wait status 0
timer status 0, retry 0/10, timeout 330
local port 23, remote port 172.27.199.197/1222
iss -292321697, mss 1380

Solution:

This is by design. When a session is cleared manually, the socket is not notified that its session is gone. To clear the socket manually, use the following command:

clear socket id x    (where x is the socket ID)

You can obtain the socket ID information by using the get socket command.

To clear a Telnet or other management session, look up the TCP socket ID that belongs to it and clear that socket. For example, assume that a Telnet session is to be deleted. To obtain a list of Telnet and other management sockets, log on to the Command Line Interface and issue the following command:

fw-> get socket

Socket Type State  Remote IP       Port    Local IP      Port
0       tcp listen 0.0.0.0         0       0.0.0.0       23
2       tcp listen 0.0.0.0         0       0.0.0.0       8754
3       tcp listen 0.0.0.0         0       0.0.0.0       4444
4       tcp listen 0.0.0.0         0       0.0.0.0       1100
41      tcp open   10.10.32.110    15400   172.16.10.10  58473
57      tcp open   10.10.32.54     17410   172.16.10.10  23
61      tcp open   10.10.32.65     17439   172.16.10.10  1100
100     udp close  0.0.0.0         0       0.0.0.0       161
101     udp close 0.0.0.0          0       0.0.0.0       67

The table above lists the sockets open on the firewall. In this example, the local IP address 172.16.10.10 is the NetScreen firewall, and the remote IP addresses are the hosts connected to it. Socket 57 is the connection from the source address 10.10.32.54 to local port 23 (Telnet). To delete this socket, issue the following command:

fw-> clear socket id 57
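The procedure above (clear the session, confirm the socket is still open, look up its ID, clear the socket) is easy to get wrong by hand when several management sockets are open. The following Python script is an added example, not part of this article or of ScreenOS; it parses pasted output of "get socket" and "get session", lists open TCP sockets that no longer have a matching session, and prints the "clear socket id" command for each. The sample output embedded in it is constructed for this example (adapted from the tables in the article); the function names and the assumption that "get session" output follows the "src/port->dst/port,proto" layout shown above are the example's own.

```python
"""Find ScreenOS TCP sockets that have outlived their session (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of 'get socket' output, adapted from the article.
# Socket 7 is the Telnet socket whose session has just been cleared;
# socket 41 is an SSH socket whose session is still present.
SOCKET_OUTPUT = """\
Socket Type State Remote IP Port Local IP Port
0 tcp4/6 listen :: 0 :: 80
1 tcp4/6 listen :: 0 :: 443
2 tcp4/6 listen :: 0 :: 23
7 tcp open 172.27.199.197 1222 172.27.201.140 23
41 tcp open 10.10.32.110 15400 172.27.201.140 22
256 udp4/6 open :: 0 :: 500
"""

# Constructed sample of 'get session' output after the Telnet session was
# cleared: only the session backing socket 41 remains.
SESSION_OUTPUT = """\
alloc 20/max 256064, alloc failed 0, mcast alloc 0, di alloc failed 0
Total 1 sessions according filtering criteria.
id 256060/s**,vsys 0,flag 00000040/0080/0021/0000,policy 320002,time 12, dip 0 module 0
if 6(nspflag 800601):10.10.32.110/15400->172.27.201.140/22,6,00101863902a,sess token 4,vlan 0,tun 0,vsd 0,route 7,wsf 0
if 3(nspflag 2002010):10.10.32.110/15400<-172.27.201.140/22,6,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0,wsf 0
Total 1 sessions shown
"""

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def parse_get_socket(text: str) -> List[Dict]:
    """Parse the table printed by 'get socket' into one dict per socket."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly 7 columns and start with the numeric socket ID;
        # the header splits into 8 words and is skipped.
        if len(fields) != 7 or not fields[0].isdigit():
            continue
        sockets.append({
            "id": int(fields[0]), "type": fields[1], "state": fields[2],
            "remote_ip": fields[3], "remote_port": int(fields[4]),
            "local_ip": fields[5], "local_port": int(fields[6]),
        })
    return sockets


# Forward flow of a session: ":src/port->dst/port,proto," (IPv4 only here).
FORWARD_FLOW = re.compile(r":([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+),")


def parse_session_flows(text: str) -> Set[Flow]:
    """Collect the forward TCP flows (protocol 6) from 'get session' output."""
    flows: Set[Flow] = set()
    for m in FORWARD_FLOW.finditer(text):
        src_ip, src_port, dst_ip, dst_port, proto = m.groups()
        if proto == "6":
            flows.add((src_ip, int(src_port), dst_ip, int(dst_port)))
    return flows


def orphaned_sockets(sockets: List[Dict], flows: Set[Flow]) -> List[Dict]:
    """Return open TCP sockets that have no session in either direction.

    For a client connecting to the firewall (Telnet, SSH, HTTP) the session's
    source is the socket's remote end; for a connection the firewall opened
    itself (Syslog, BGP) the roles are reversed, so both orientations are tried.
    """
    orphans = []
    for s in sockets:
        if not s["type"].startswith("tcp") or s["state"] != "open":
            continue  # listening and UDP sockets are not tied to one session
        inbound = (s["remote_ip"], s["remote_port"], s["local_ip"], s["local_port"])
        outbound = (s["local_ip"], s["local_port"], s["remote_ip"], s["remote_port"])
        if inbound not in flows and outbound not in flows:
            orphans.append(s)
    return orphans


def clear_commands(orphans: List[Dict]) -> List[str]:
    """Build the ScreenOS command that closes each orphaned socket."""
    return [f"clear socket id {s['id']}" for s in orphans]


if __name__ == "__main__":
    found = orphaned_sockets(parse_get_socket(SOCKET_OUTPUT),
                             parse_session_flows(SESSION_OUTPUT))
    for s, cmd in zip(found, clear_commands(found)):
        print(f"socket {s['id']} {s['remote_ip']}:{s['remote_port']} -> "
              f"local port {s['local_port']} has no session; run: {cmd}")
```

Run it against output copied from the CLI by replacing the two constructed samples; with the samples above it reports socket 7 and suggests "clear socket id 7", and leaves socket 41 alone because its session still exists. Review the list before issuing the commands, since a socket whose session was simply not included in a filtered "get session" view would also appear as orphaned.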

Modification History:
2019-05-30: Non-technical, minor update.