This article explains why the "CLOSE_DELETE_TEMPLATE" traffic log is generated when the Netscreen firewall handles ESP pass-through traffic and clarifies that this is expected behavior.
When the Netscreen firewall handles ESP pass-through traffic, it creates a parent session and a child session. The parent session is closed as soon as the child session has been created, and that closure is what the CLOSE_DELETE_TEMPLATE traffic log records.
Encapsulating Security Payload (ESP) is a layer 3 protocol (IP protocol 50) that has no port numbers. Normally, the Netscreen firewall creates a session keyed on the source and destination IP address, source and destination port, and protocol number. For ESP traffic, the Netscreen firewall instead derives a port number from the Security Parameter Index (SPI) value.
Refer to KB11322 - [ScreenOS] How to interpret SPI from Passthrough ESP session for details on how the firewall converts the SPI value to a port number.
Initially, the Netscreen firewall creates a parent session with the port number set to 0. It then creates a child session whose port numbers are taken from the SPI values. As soon as the child session exists with source and destination port numbers, the parent session is closed. The parent session exists only to match the pass-through ESP traffic and to supply the port number required to build the child session keyed on SPI-based ports.
For example:
>>get session
nat used ipv6 addr: allocated 0/maximum 32256
alloc 3/max 8064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 8061
Child session
id 8060/s**,vsys 0,flag 00001040/0800/0011/0000,policy 4,time 180, dip 0 module 0,parent 8062
if 6(nspflag 800801):12.12.1.2/6048->100.100.1.1/1909,50,0014f6e67686,sess token 4,vlan 0,tun 0,vsd 0,route 7
if 5(nspflag 880800):12.12.1.2/6048<-100.100.1.1/1909,50,0005857e0f05,sess token 3,vlan 0,tun 0,vsd 0,route 5
Parent session
id 8062/s**,vsys 0,flag 80001040/0c02/0011/0000,policy 4,time 2, dip 0 module 0,parent 8060
if 6(nspflag 800801):12.12.1.2/0->100.100.1.1/0,50,0014f6e67686,sess token 4,vlan 0,tun 0,vsd 0,route 7
if 5(nspflag 80800):12.12.1.2/0<-100.100.1.1/0,50,000000000000,sess token 3,vlan 0,tun 0,vsd 0,route 5
get log traffic
PID 3, from Trust to Untrust, src Any-IPv4, dst Any-IPv4, service ESP, action Permit
============================================================================================================
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface
Reason Protocol Xlated Src IP Port Xlated Dst IP Port ID PID Out Interface
============================================================================================================
2018-09-26 08:49:05 0:00:01 100.100.1.1 0 12.12.1.2 0 ESP 8062 ethernet0/1
CLOSE_DELETE_TEMPLATE 50 100.100.1.1 0 12.12.1.2 0 3 ethernet0/2
2018-09-26 08:49:04 0:00:00 12.12.1.2 6048 100.100.1.1 1915 ESP 8060 ethernet0/2
Creation 50 12.12.1.2 6048 100.100.1.1 1915 3 ethernet0/1
2018-09-26 08:49:04 0:00:00 100.100.1.1 2111 12.12.1.2 49471 ESP 8059 ethernet0/1
Creation 50 100.100.1.1 2111 12.12.1.2 49471 3 ethernet0/2
2018-09-26 08:49:04 0:00:00 100.100.1.1 0 12.12.1.2 0 ESP 8062 ethernet0/1
Creation 50 100.100.1.1 0 12.12.1.2 0 3 ethernet0/2
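The following is an added example, not part of the original article and not Juniper code. It parses a copy of the `get session` and `get log traffic` output shown above (embedded inline as constructed sample data) and checks, for each CLOSE_DELETE_TEMPLATE entry, that the closed session is an ESP (protocol 50) template with ports 0/0 whose child session, carrying SPI-derived ports, is still present. That is the condition under which the article says the log is expected; anything else is flagged for a closer look. The regular expressions, field positions and the helper names are assumptions about this output format, derived only from the lines shown on the page.

```python
import re

# Constructed sample: the `get session` lines from the article, reproduced inline.
GET_SESSION_OUTPUT = """\
id 8060/s**,vsys 0,flag 00001040/0800/0011/0000,policy 4,time 180, dip 0 module 0,parent 8062
if 6(nspflag 800801):12.12.1.2/6048->100.100.1.1/1909,50,0014f6e67686,sess token 4,vlan 0,tun 0,vsd 0,route 7
if 5(nspflag 880800):12.12.1.2/6048<-100.100.1.1/1909,50,0005857e0f05,sess token 3,vlan 0,tun 0,vsd 0,route 5
id 8062/s**,vsys 0,flag 80001040/0c02/0011/0000,policy 4,time 2, dip 0 module 0,parent 8060
if 6(nspflag 800801):12.12.1.2/0->100.100.1.1/0,50,0014f6e67686,sess token 4,vlan 0,tun 0,vsd 0,route 7
if 5(nspflag 80800):12.12.1.2/0<-100.100.1.1/0,50,000000000000,sess token 3,vlan 0,tun 0,vsd 0,route 5
"""

# Constructed sample: the traffic-log records from the article (two lines per record,
# header rows omitted).
TRAFFIC_LOG = """\
2018-09-26 08:49:05 0:00:01 100.100.1.1 0 12.12.1.2 0 ESP 8062 ethernet0/1
CLOSE_DELETE_TEMPLATE 50 100.100.1.1 0 12.12.1.2 0 3 ethernet0/2
2018-09-26 08:49:04 0:00:00 12.12.1.2 6048 100.100.1.1 1915 ESP 8060 ethernet0/2
Creation 50 12.12.1.2 6048 100.100.1.1 1915 3 ethernet0/1
2018-09-26 08:49:04 0:00:00 100.100.1.1 0 12.12.1.2 0 ESP 8062 ethernet0/1
Creation 50 100.100.1.1 0 12.12.1.2 0 3 ethernet0/2
"""

ESP = 50  # IP protocol number of ESP

# Assumed layout of the session header and flow lines (derived from the page's output).
ID_RE = re.compile(r"^id (\d+)/.*?,parent (\d+)")
IF_RE = re.compile(r"^if \d+\(nspflag [0-9a-f]+\):(\S+?)/(\d+)(->|<-)(\S+?)/(\d+),(\d+),")


def parse_sessions(text):
    """Turn `get session` output into {session_id: {id, parent, flows}}."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "parent": int(m.group(2)), "flows": []}
            sessions[current["id"]] = current
            continue
        m = IF_RE.match(line)
        if m and current is not None:
            src, sport, arrow, dst, dport, proto = m.groups()
            current["flows"].append({
                "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                "proto": int(proto), "direction": "out" if arrow == "->" else "in",
            })
    return sessions


def is_esp_template(session):
    """A template (parent) session carries ESP with both ports still 0."""
    return bool(session["flows"]) and all(
        f["proto"] == ESP and f["sport"] == 0 and f["dport"] == 0 for f in session["flows"])


def find_child(sessions, parent_id):
    """The ESP child whose 'parent' field points back at parent_id and has real ports."""
    for s in sessions.values():
        if (s["parent"] == parent_id and s["id"] != parent_id
                and all(f["proto"] == ESP for f in s["flows"]) and not is_esp_template(s)):
            return s
    return None


def close_template_session_ids(log_text):
    """Session IDs of CLOSE_DELETE_TEMPLATE records in two-line traffic-log output."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    ids = []
    for first, second in zip(lines[0::2], lines[1::2]):
        if second.split()[0] == "CLOSE_DELETE_TEMPLATE":
            ids.append(int(first.split()[-2]))  # token before the in-interface
    return ids


def classify_close_delete_template(sessions, session_id):
    """Return (expected, reason) for a CLOSE_DELETE_TEMPLATE entry on session_id."""
    s = sessions.get(session_id)
    if s is None:
        return False, f"session {session_id} not found in the session table"
    if not is_esp_template(s):
        return False, f"session {session_id} is not an ESP template (ports are not 0/0)"
    child = find_child(sessions, session_id)
    if child is None:
        return False, f"ESP template {session_id} has no child session with SPI-derived ports"
    out = next(f for f in child["flows"] if f["direction"] == "out")
    return True, (f"template {session_id} closed after child {child['id']} was built "
                  f"with SPI-derived ports {out['sport']}/{out['dport']}: expected")


if __name__ == "__main__":
    table = parse_sessions(GET_SESSION_OUTPUT)
    for sid in close_template_session_ids(TRAFFIC_LOG):
        print(classify_close_delete_template(table, sid))
```

Run against the sample data, the single CLOSE_DELETE_TEMPLATE record (session 8062) is classified as expected because child session 8060 references it and carries non-zero ports. A CLOSE_DELETE_TEMPLATE on a session that is not a 0/0 ESP template, or whose child never appeared, is reported as not expected so it can be investigated rather than filtered as noise.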
No action is required, because this is expected behavior on Netscreen devices. Whenever the firewall handles ESP traffic, a parent session and a child session are created.