
[ScreenOS] FIN State and FIN Sequence values in a TCP Session


Article ID: KB31450 | Last Updated: 23 Feb 2017 | Version: 1.0
Summary:

This article explains the FIN state and FIN sequence values shown for a TCP session on the firewall at the different stages of session closure.

Solution:

The FIN state of each wing of a TCP session takes a value from 0 to 2, depending on how far the TCP 3-way or 4-way session closure has progressed.

FIN Sequence: the TCP sequence number of the FIN packet with which the closure is initiated on that wing.

4-Way closure:

Client A                        Server B
========================
[1]  FIN ------>
[2]                              <---------- ACK
[3]                              <---------- FIN   
[4]  ACK ------->                                 ----> Session timer is set to 2 seconds (All ScreenOS devices)


3-Way closure:

Client A                        Server B
========================
[1] FIN ------->
[2]                                <--------- FIN/ACK 
[3]  ACK ------->                                         ---> Session timer is set to 2 seconds (All SSG devices)



At step [1], the session output on the device will look like:

SSG140-> get session id 48054
id 48054(0000bbb6), flag 08000040/0000/0001/0000, vsys id 0(Root)
policy id 1, application id 0, dip id 0, state 0
current timeout 1800, max timeout 1800 (second)
status normal, start time 1303264, duration 0
session id mask 0, app value 0
ethernet0/8(vsd 0): 192.168.1.10/49555->172.16.10.10/7047, protocol 6 session token 3 route 3
gtwy 172.16.10.10, mac 005056bd75a0, nsptn info 0, pmtu 1500
flag 801801, diff 0/0
port seq 0, subif 0, cookie 0, fin seq 0, fin state 0
ethernet0/9(vsd 0): 192.168.1.10/49555<-172.16.10.10/7047, protocol 6 session token 4 route 5
gtwy 192.168.1.10, mac 005056bdefe9, nsptn info 0, pmtu 1500
mac 005056bdefe9, nsptn info 0
flag 801800, diff 0/0
port seq 0, subif 0, cookie 0, fin seq 0, fin state 0

When the first FIN is sent by the client to the server, the FIN Sequence and FIN State of both wings remain 0.

At step [3] of the 4-way closure, or step [2] of the 3-way closure, the session output will look like:

SSG140-> get session id 48054
id 48054(0000bbb6), flag 08000040/0000/0001/0000, vsys id 0(Root)
policy id 1, application id 0, dip id 0, state 0
current timeout 1800, max timeout 1800 (second)
status normal, start time 1303264, duration 0
session id mask 0, app value 0
ethernet0/8(vsd 0): 192.168.1.10/49555->172.16.10.10/7047, protocol 6 session token 3 route 3
gtwy 172.16.10.10, mac 005056bd75a0, nsptn info 0, pmtu 1500
flag 801801, diff 0/0
port seq 0, subif 0, cookie 0, fin seq 2243004748, fin state 2
ethernet0/9(vsd 0): 192.168.1.10/49555<-172.16.10.10/7047, protocol 6 session token 4 route 5
gtwy 192.168.1.10, mac 005056bdefe9, nsptn info 0, pmtu 1500
mac 005056bdefe9, nsptn info 0
flag 801800, diff 0/0
port seq 0, subif 0, cookie 0, fin seq 2450499006, fin state 1

At this stage the FIN Sequence of both wings is updated with the sequence number of the respective TCP FIN packet sent in each direction.

FIN State:
  • For the wing 192.168.1.10/49555->172.16.10.10/7047, the value changed to 2: the FIN and its ACK have both been exchanged for this wing of the session.
  • For the wing 192.168.1.10/49555<-172.16.10.10/7047, the value changed to 1: only the FIN has been received for this wing of the session, and it is waiting for the ACK.

At step [4] of the 4-way closure, or step [3] of the 3-way closure, the session timeout is shortened and the session will be closed in 2 seconds on all ScreenOS devices.

SSG140-> get session id 48054
id 48054(0000bbb6), flag 88080040/0000/0001/0000, vsys id 0(Root)
policy id 1, application id 0, dip id 0, state 0
current timeout 10, max timeout 1800 (second)
status normal, start time 1303026, duration 4
session id mask 0, app value 0
ethernet0/8(vsd 0): 192.168.1.10/49555->172.16.10.10/7047, protocol 6 session token 3 route 3
gtwy 172.16.10.10, mac 005056bd75a0, nsptn info 0, pmtu 1500
flag 801801, diff 0/0
port seq 0, subif 0, cookie 0, fin seq 0, fin state 2
ethernet0/9(vsd 0): 192.168.1.10/49555<-172.16.10.10/7047, protocol 6 session token 4 route 5
gtwy 192.168.1.10, mac 005056bdefe9, nsptn info 0, pmtu 1500
mac 005056bdefe9, nsptn info 0
flag 801800, diff 0/0
port seq 0, subif 0, cookie 0, fin seq 0, fin state 2

The FIN Sequence numbers are reset to 0.
FIN State: 2 for both wings, indicating that the ACK has been received for the FIN sent on each wing.

Note: If packets matching this session arrive at the device after it has been marked for closure, they are still passed, but the session timeout is not refreshed.
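As an added example (not part of this KB and not Juniper's own tooling), a small Python parser that reads `get session id` output, extracts the `fin seq` / `fin state` of each wing together with the current timeout, and classifies the closure stage using the meanings given above. The snapshots it runs on are trimmed copies of the three outputs shown in this article, rebuilt from a template; the stage labels are this example's own wording.

```python
import re

# Meaning of each per-wing "fin state" value as this KB describes it.
FIN_STATE_MEANING = {0: "no FIN/ACK recorded", 1: "FIN seen, waiting for ACK", 2: "FIN and ACK exchanged"}

WING_RE = re.compile(r"^\S+\(vsd \d+\): ([^\s,]+?)(->|<-)([^\s,]+), protocol (\d+)")
FIN_RE = re.compile(r"fin seq (\d+), fin state (\d+)")
TIMEOUT_RE = re.compile(r"current timeout (\d+), max timeout (\d+)")

def parse_session(text):
    """Parse 'get session id <n>' output into timeouts plus one dict per wing."""
    session = {"current_timeout": None, "max_timeout": None, "wings": []}
    wing = None
    for line in text.splitlines():
        if m := TIMEOUT_RE.search(line):
            session["current_timeout"], session["max_timeout"] = int(m[1]), int(m[2])
        elif m := WING_RE.match(line.strip()):
            wing = {"src": m[1], "dir": m[2], "dst": m[3], "proto": int(m[4]), "fin_seq": 0, "fin_state": 0}
            session["wings"].append(wing)
        elif (m := FIN_RE.search(line)) and wing is not None:
            # The "fin seq ..., fin state ..." line belongs to the wing parsed just before it.
            wing["fin_seq"], wing["fin_state"] = int(m[1]), int(m[2])
    return session

def closure_stage(session):
    """Classify the closure stage from both wings' fin state / fin seq, per this KB."""
    states = [w["fin_state"] for w in session["wings"]]
    seqs = [w["fin_seq"] for w in session["wings"]]
    if all(s == 0 for s in states):
        return "open: no FIN/ACK exchange recorded on either wing"
    if all(s == 2 for s in states) and all(q == 0 for q in seqs):
        return "marked for closure: both wings FIN+ACK, fin seq reset, timer shortened"
    if 1 in states:
        return "closing: one wing still waiting for the ACK of its FIN"
    return "closing: FIN/ACK exchanged on one wing only"

def snapshot(timeout, a_seq, a_state, b_seq, b_state):
    """Trimmed 'get session' output built from the values shown in this KB (constructed input)."""
    return (
        f"current timeout {timeout}, max timeout 1800 (second)\n"
        "ethernet0/8(vsd 0): 192.168.1.10/49555->172.16.10.10/7047, protocol 6 session token 3 route 3\n"
        f"port seq 0, subif 0, cookie 0, fin seq {a_seq}, fin state {a_state}\n"
        "ethernet0/9(vsd 0): 192.168.1.10/49555<-172.16.10.10/7047, protocol 6 session token 4 route 5\n"
        f"port seq 0, subif 0, cookie 0, fin seq {b_seq}, fin state {b_state}\n"
    )

STEP1 = snapshot(1800, 0, 0, 0, 0)                    # first FIN sent by the client
STEP3 = snapshot(1800, 2243004748, 2, 2450499006, 1)  # server's FIN seen, its ACK still pending
STEP4 = snapshot(10, 0, 2, 0, 2)                      # final ACK seen, session marked for closure

if __name__ == "__main__":
    for name, text in (("step 1", STEP1), ("step 3", STEP3), ("step 4", STEP4)):
        s = parse_session(text)
        print(name, "->", closure_stage(s), "| current timeout", s["current_timeout"])
```

Pasting the full `get session` output from the device into `parse_session` works the same way, since the extra lines (gateway, MAC, flags) simply match none of the patterns.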