[ScreenOS] "Close - AGE OUT" Traffic Log is generated when a TCP Reset packet is received

[KB28292]


Summary:

On ASIC-based ScreenOS platforms, a "Close - AGE OUT" Traffic Log message is generated when a TCP RST packet is received. This is expected behavior.

Symptoms:

On an ASIC-based NS System platform such as the ISG1k/ISG2k/NS5200/NS5400, a "Close - AGE OUT" Traffic Log entry is generated when a TCP RST packet is received, even though the session was closed by the reset.

Cause:

The following test, run on an ISG1000 with ScreenOS 6.3.0r14, illustrates the behavior. With the default flow settings (set flow tcp-rst-invalid-session is not configured), the session closed by a TCP RST is logged as "Close - AGE OUT":

ISG1000a.hk-> get conf | i flow                  
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
ISG1000a.hk-> get log traffic                    
PID 1, from Untrust to Trust, src Any, dst Any, service ANY, action Permit
============================================================================================================
Date       Time       Duration Source IP        Port Destination IP   Port Service  SessionID In Interface
Reason                Protocol Xlated Src IP    Port Xlated Dst IP    Port ID       PID       Out Interface
============================================================================================================
2013-10-02 11:57:17    0:00:26 172.27.6.10     56537 192.168.26.25      23 TELNET     524284    ethernet1/1
Close - AGE OUT               6 172.27.6.10     56537 192.168.26.25      23                 1    ethernet1/2
Total entries matched = 1

But when set flow tcp-rst-invalid-session is configured, a "Close - TCP RST" Traffic Log entry is generated instead:

ISG1000a.hk-> get conf | i flow
set flow tcp-rst-invalid-session
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
ISG1000a.hk-> get log traffic
PID 1, from Untrust to Trust, src Any, dst Any, service ANY, action Permit
============================================================================================================
Date       Time       Duration Source IP        Port Destination IP   Port Service  SessionID In Interface
Reason                Protocol Xlated Src IP    Port Xlated Dst IP    Port ID       PID       Out Interface
============================================================================================================
2013-10-02 11:55:53    0:00:19 172.27.6.10     52529 192.168.26.25      23 TELNET     524284    ethernet1/1
Close - TCP RST               6 172.27.6.10     52529 192.168.26.25      23                 1    ethernet1/2
Total entries matched = 1

On an NS Appliance device, by contrast, a "Close - TCP RST" Traffic Log entry is generated whether or not set flow tcp-rst-invalid-session is configured:

25b-> get conf | i flow
set flow tcp-rst-invalid-session
unset flow no-tcp-seq-check
set flow tcp-syn-check
25b-> get session
alloc 1/max 32064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 32063
id 32059/s**,vsys 0,flag 08000040/0000/0001,policy 3,time 179, dip 0 module 0
 if 0(nspflag 801801):172.27.6.10/64576->192.168.26.25/23,6,7819f7aad780,sess token 4,vlan 0,tun 0,vsd 0,route 1,wsf 0
 if 6(nspflag 801800):172.27.6.10/64576<-192.168.26.25/23,6,0010dbbd4d07,sess token 6,vlan 0,tun 0,vsd 0,route 31,wsf 1
Total 1 sessions shown
25b-> get log traffic
PID 3, from Trust to Untrust, src Any, dst Any, service ANY, action Permit
==============================================================================================
Date       Time       Duration Source IP        Port Destination IP   Port Service  SessionID
Reason                         Xlated Src IP    Port Xlated Dst IP    Port ID
==============================================================================================
2013-10-03 09:01:15    0:00:21 172.27.6.10     52529 192.168.26.25      23 TELNET   32059
Close - TCP RST                172.27.6.10     52529 192.168.26.25      23
Total entries matched = 1
25b-> unset flow tcp-rst-invalid-session 
25b-> cl log traffic                     
Total entries matched = 1
25b-> get conf | i flow                  
unset flow no-tcp-seq-check
set flow tcp-syn-check
25b-> get log traffic                    
PID 3, from Trust to Untrust, src Any, dst Any, service ANY, action Permit
==============================================================================================
Date       Time       Duration Source IP        Port Destination IP   Port Service  SessionID
Reason                         Xlated Src IP    Port Xlated Dst IP    Port ID
==============================================================================================
2013-10-03 09:02:23    0:00:09 172.27.6.10     56537 192.168.26.25      23 TELNET   32059
Close - TCP RST                172.27.6.10     56537 192.168.26.25      23
Total entries matched = 1

Solution:

This is expected behavior on an ASIC-based platform, where a TCP RST packet is handled by the ASIC. When a TCP RST packet arrives at the ASIC, the NetScreen device changes the session timeout value and ages the session out in 20 seconds. The CPU does not know why the session aged out, so the session close reason is recorded as "Close - AGE OUT" in the Traffic Log.

When set flow tcp-rst-invalid-session is configured, the TCP RST packet is sent to the CPU to close the session. In this case the CPU knows why the session is being closed and records "Close - TCP RST" in the Traffic Log. This is also what happens on NS Appliances, where all packets are handled by the CPU.
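For anyone feeding these Traffic Logs into a SIEM, the practical consequence of the above is that "Close - AGE OUT" on an ISG/NS5000 cannot be read as a plain idle timeout unless tcp-rst-invalid-session is enabled. The following is an added example, not Juniper code from this article: a small Python parser for the two-line "get log traffic" format shown above (both the ASIC layout with the Protocol and interface columns and the appliance layout without them), plus a helper that states what a close reason actually tells you for a given platform and configuration. The sample log strings are constructed from the entries shown in the article; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# First line of a two-line entry. The trailing "In Interface" column is only
# printed on ASIC platforms (ISG/NS5000 series), so it is optional here.
_FIRST = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<duration>\d+:\d{2}:\d{2})\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<service>\S+)\s+(?P<session_id>\d+)(?:\s+(?P<in_if>\S+))?\s*$"
)
# Second line: close reason, then (ASIC platforms only) the IP protocol number,
# then the translated addresses. The reason ends at the first run of 2+ spaces.
_SECOND = re.compile(
    r"^(?P<reason>.+?)\s{2,}(?:(?P<proto>\d+)\s+)?"
    r"(?P<xsrc>\d+\.\d+\.\d+\.\d+)\s+(?P<xsport>\d+)\s+"
    r"(?P<xdst>\d+\.\d+\.\d+\.\d+)\s+(?P<xdport>\d+)"
)

@dataclass
class TrafficLogEntry:
    date: str
    time: str
    duration_s: int
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    session_id: int
    reason: str
    proto: Optional[int]  # None on NS Appliances, which omit the column
    in_if: Optional[str]  # likewise

def duration_to_seconds(text: str) -> int:
    """Convert the H:MM:SS Duration column to seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds

def parse_traffic_log(text: str) -> List[TrafficLogEntry]:
    """Pair up two-line entries; header, separator and total lines are skipped."""
    entries: List[TrafficLogEntry] = []
    lines = text.splitlines()
    i = 0
    while i + 1 < len(lines):
        first = _FIRST.match(lines[i])
        second = _SECOND.match(lines[i + 1]) if first else None
        if first and second:
            entries.append(TrafficLogEntry(
                date=first["date"], time=first["time"],
                duration_s=duration_to_seconds(first["duration"]),
                src=first["src"], sport=int(first["sport"]),
                dst=first["dst"], dport=int(first["dport"]),
                service=first["service"], session_id=int(first["session_id"]),
                reason=second["reason"].strip(),
                proto=int(second["proto"]) if second["proto"] else None,
                in_if=first["in_if"],
            ))
            i += 2
        else:
            i += 1
    return entries

def close_reason_note(entry: TrafficLogEntry, asic_platform: bool,
                      rst_invalid_session: bool) -> str:
    """What the close reason actually tells you, given platform and configuration.

    Per the article: on an ASIC platform without 'set flow tcp-rst-invalid-session',
    a session torn down by a TCP RST is logged as 'Close - AGE OUT' because the
    ASIC changed the session timeout and the CPU never saw the reset.
    """
    if entry.reason == "Close - TCP RST":
        return "closed by TCP RST"
    if entry.reason == "Close - AGE OUT" and asic_platform and not rst_invalid_session:
        return ("aged out by the ASIC; a TCP RST cannot be ruled out. Configure "
                "'set flow tcp-rst-invalid-session' to log RST closes explicitly")
    return entry.reason

# Constructed sample input, copied from the article's ISG1000 and NS Appliance output.
SAMPLE_ASIC_LOG = """\
PID 1, from Untrust to Trust, src Any, dst Any, service ANY, action Permit
============================================================================================================
Date       Time       Duration Source IP        Port Destination IP   Port Service  SessionID In Interface
Reason                Protocol Xlated Src IP    Port Xlated Dst IP    Port ID       PID       Out Interface
============================================================================================================
2013-10-02 11:57:17    0:00:26 172.27.6.10     56537 192.168.26.25      23 TELNET     524284    ethernet1/1
Close - AGE OUT               6 172.27.6.10     56537 192.168.26.25      23                 1    ethernet1/2
Total entries matched = 1
"""
SAMPLE_APPLIANCE_LOG = """\
2013-10-03 09:01:15    0:00:21 172.27.6.10     52529 192.168.26.25      23 TELNET   32059
Close - TCP RST                172.27.6.10     52529 192.168.26.25      23
Total entries matched = 1
"""

if __name__ == "__main__":
    for entry in parse_traffic_log(SAMPLE_ASIC_LOG):
        print(entry.session_id, entry.reason, close_reason_note(entry, True, False))
```

The parser keys on the structure of the output rather than on fixed column offsets, since the appliance layout drops two columns and shifts everything left; the reason text is taken as everything before the first run of two or more spaces, which is how the CLI pads the Reason column in both layouts.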
