[ScreenOS] Manually clearing the session does not close the socket and connection on the client and server

Article ID: KB21096


Summary:

This article explains why manually clearing a session does not close the associated socket and connection on the client and server, and how to clear the socket itself.

Symptoms:

Clearing a session does not clear its socket, and the stale socket causes the next connection to be interrupted. This affects self traffic, that is, traffic terminating on the firewall itself: for management traffic such as SSH, SSL, Telnet, HTTP, BGP, and Syslog, the firewall opens a socket.

As a result, the application on the user's machine behaves differently: most of the time it hangs and becomes unresponsive, and it might never return to normal.

See the output below:

SSG550-> get socket
Socket Type State Remote IP Port Local IP Port
0 tcp4/6 listen :: 0 :: 80
1 tcp4/6 listen :: 0 :: 443
2 tcp4/6 listen :: 0 :: 23
7 tcp open 172.27.199.197 1222 172.27.201.140 23
256 udp4/6 open :: 0 :: 500
257 udp4/6 open :: 0 :: 4500
258 udp4/6 open :: 0 :: 500
259 udp4/6 open :: 0 :: 4500


SSG550-> get session src-ip 172.27.199.197
alloc 20/max 256064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 256044
Total 1 sessions according filtering criteria.
id 256055/s**,vsys 0,flag 00000040/0080/0021/0000,policy 320002,time 178, dip 0 module 0
if 6(nspflag 800601):172.27.199.197/1222->172.27.201.140/23,6,00101863902a,sess token 4,vlan 0,tun 0,vsd 0,route 7,wsf 0
if 3(nspflag 2002010):172.27.199.197/1222<-172.27.201.140/23,6,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0,wsf 0
Total 1 sessions shown


SSG550-> clear session id 256055
Total cleared software sessions :1

SSG550-> get session src-ip 172.27.199.197
alloc 20/max 256064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 256044
Total 0 sessions according filtering criteria.
Total 0 sessions shown

Even after the session is cleared, the socket is still in the ESTABLISH state:
SSG550-> get soc id 7
socket 7, type tcp, state open
remote IP 172.27.199.197, port 1222, local IP 172.27.201.140, port 23, maxq 0, cnt 0, evt 0, ack_nbuf 0, snd_nbuf 0, sockp A5095B4
socket options: main 0x0, udp 0x0, raw 0x0
app type: SELF_APP_SVR_TELNET
src if: ethernet0/2
pak q: head 0, tail 0 and count 0, max delay 0 ms, deq 0, drop 0
pak q: head 0, tail 0 and count 0, max delay 0 ms, deq 0, drop 0
sock id 7(7), flag 1, mode 2, state ESTABLISH, if ethernet0/2, vsys Root
vr trust-vr
idle time 0, time wait status 0
timer status 0, retry 0/10, timeout 330
local port 23, remote port 172.27.199.197/1222
iss -292321697, mss 1380

Solution:

This is by design. When a session is cleared manually, the socket is not notified that its session is gone, so it stays open. To clear the socket manually, use the following command:

clear socket id x (where x is the socket ID)

You can obtain the socket ID by using the get socket command.

To clear a Telnet or other management session, look up the TCP socket ID for the connection and clear it. For example, assume that a Telnet session should be deleted. To list the Telnet and other management sockets, log on to the command line interface and issue the following command:

fw-> get socket

Socket Type State  Remote IP       Port    Local IP      Port
0       tcp listen 0.0.0.0         0       0.0.0.0       23
2       tcp listen 0.0.0.0         0       0.0.0.0       8754
3       tcp listen 0.0.0.0         0       0.0.0.0       4444
4       tcp listen 0.0.0.0         0       0.0.0.0       1100
41      tcp open   10.10.32.110    15400   172.16.10.10  58473
57      tcp open   10.10.32.54     17410   172.16.10.10  23
61      tcp open   10.10.32.65     17439   172.16.10.10  1100
100     udp close  0.0.0.0         0       0.0.0.0       161
101     udp close  0.0.0.0         0       0.0.0.0       67

The table above lists the sockets open on the firewall. In this example, the local IP address 172.16.10.10 is the NetScreen firewall, and the remote addresses are the peers connected to it. Socket 57 is an open TCP socket from source IP address 10.10.32.54 to local port 23 (Telnet). To delete this socket, issue the following command:

fw-> clear socket id 57
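As an added example, not part of this article or of ScreenOS, the following Python script automates the lookup described above: it parses the get socket and get session output quoted in this article (embedded here as constructed test data, no device is queried), finds the open TCP socket that a cleared session left behind by matching the session's source and destination against the socket's remote and local side, and prints the corresponding clear socket id command. The function and field names are the script's own and are not ScreenOS terms.

```python
import re

# Constructed test data: the "get socket" and "get session" outputs quoted in this article.
SOCKETS_EXAMPLE_1 = """\
Socket Type State Remote IP Port Local IP Port
0 tcp4/6 listen :: 0 :: 80
2 tcp4/6 listen :: 0 :: 23
7 tcp open 172.27.199.197 1222 172.27.201.140 23
256 udp4/6 open :: 0 :: 500
"""

SESSION_EXAMPLE_1 = """\
id 256055/s**,vsys 0,flag 00000040/0080/0021/0000,policy 320002,time 178, dip 0 module 0
if 6(nspflag 800601):172.27.199.197/1222->172.27.201.140/23,6,00101863902a,sess token 4,vlan 0,tun 0,vsd 0,route 7,wsf 0
if 3(nspflag 2002010):172.27.199.197/1222<-172.27.201.140/23,6,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0,wsf 0
"""

SOCKETS_EXAMPLE_2 = """\
Socket Type State  Remote IP       Port    Local IP      Port
0       tcp listen 0.0.0.0         0       0.0.0.0       23
41      tcp open   10.10.32.110    15400   172.16.10.10  58473
57      tcp open   10.10.32.54     17410   172.16.10.10  23
61      tcp open   10.10.32.65     17439   172.16.10.10  1100
100     udp close  0.0.0.0         0       0.0.0.0       161
"""

# One socket row: id, type, state, remote IP, remote port, local IP, local port.
# The type may be "tcp", "udp", "tcp4/6" or "udp4/6"; addresses may be "::".
SOCKET_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")

# Forward wing of a session: src/sport->dst/dport,proto,...
SESSION_FLOW = re.compile(r"([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+),")


def parse_get_socket(text):
    """Socket dicts from 'get socket' output; header, prompt and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_ROW.match(line.strip())
        if not m:
            continue
        sid, stype, state, rip, rport, lip, lport = m.groups()
        sockets.append({"id": int(sid), "type": stype, "state": state,
                        "remote_ip": rip, "remote_port": int(rport),
                        "local_ip": lip, "local_port": int(lport)})
    return sockets


def parse_session_flows(text):
    """Forward flows (src, sport, dst, dport, proto) found in 'get session' output."""
    flows = []
    for line in text.splitlines():
        m = SESSION_FLOW.search(line)
        if m:
            src, sport, dst, dport, proto = m.groups()
            flows.append({"src_ip": src, "src_port": int(sport),
                          "dst_ip": dst, "dst_port": int(dport), "proto": int(proto)})
    return flows


def open_tcp_sockets(sockets, remote_ip=None, local_port=None):
    """Open TCP sockets, optionally restricted to one remote IP and/or one local service port."""
    return [s for s in sockets
            if s["type"].startswith("tcp") and s["state"] == "open"
            and (remote_ip is None or s["remote_ip"] == remote_ip)
            and (local_port is None or s["local_port"] == local_port)]


def socket_for_flow(sockets, flow):
    """The open TCP socket belonging to a session's forward flow, or None.
    The session's source is the socket's remote side; its destination is the local side."""
    if flow["proto"] != 6:
        return None
    for s in open_tcp_sockets(sockets):
        if (s["remote_ip"], s["remote_port"], s["local_ip"], s["local_port"]) == \
           (flow["src_ip"], flow["src_port"], flow["dst_ip"], flow["dst_port"]):
            return s
    return None


def clear_commands(sockets):
    """The 'clear socket id N' command for each given socket."""
    return ["clear socket id %d" % s["id"] for s in sockets]


if __name__ == "__main__":
    socks = parse_get_socket(SOCKETS_EXAMPLE_1)
    flow = parse_session_flows(SESSION_EXAMPLE_1)[0]
    left = socket_for_flow(socks, flow)           # socket 7 survived "clear session id 256055"
    print(clear_commands([left]))                 # ['clear socket id 7']
    telnet = open_tcp_sockets(parse_get_socket(SOCKETS_EXAMPLE_2), local_port=23)
    print(clear_commands(telnet))                 # ['clear socket id 57']
```

The script only generates the commands; it does not execute them. Matching on the full four-tuple (remote IP and port, local IP and port) rather than on the source IP alone avoids clearing a different management connection from the same host.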

Modification History:
2019-05-30: Non-technical, minor update.