Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Netscreen] "CLOSE_DELETE_TEMPLATE" Traffic log generated when Netscreen firewall handles ESP pass-through traffic

0

0
Article ID: KB36130 KB Last Updated: 05 Aug 2020Version: 1.0 Summary:

This article explains why the "CLOSE_DELETE_TEMPLATE" traffic log is generated when the Netscreen firewall handles ESP pass-through traffic and clarifies that this is expected behavior.

 

Symptoms:

When Netscreen firewall handles ESP pass-through traffic, it creates a parent session and a child session. The parent session gets closed when the child session is created following which the CLOSE_DELETE_TEMPLATE traffic log is reported. 

 

Cause:

Encapsulating Security Payload (ESP) is a layer 3 protocol that does not have a port number. Normally, the Netscreen firewall will create a session based on the source and destination IP address, source and destination port, and protocol number. For ESP traffic, the Netscreen firewall will calculate the port number from the Security Parameter Index (SPI) value.

Refer to KB11322 - [ScreenOS] How to interpret SPI from Passthrough ESP session to know more about how the firewall converts the SPI value to a port number.

Initially, the Netscreen firewall will create a parent session with the port number as 0. Then it will create a child session with the port number taken from the SPI values. As soon as a child session is created with the source and destination port number, the parent session will get closed. The parent session is only to refer the pass-through ESP traffic and provide a port number, which is required to build the child session with a port number based on SPI values.

For example:

>>get session
 
nat used ipv6 addr: allocated 0/maximum 32256
alloc 3/max 8064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 8061

Child session

id 8060/s**,vsys 0,flag 00001040/0800/0011/0000,policy 4,time 180, dip 0 module 0,parent 8062
if 6(nspflag 800801):12.12.1.2/6048->100.100.1.1/1909,50,0014f6e67686,sess token 4,vlan 0,tun 0,vsd 0,route 7
if 5(nspflag 880800):12.12.1.2/6048<-100.100.1.1/1909,50,0005857e0f05,sess token 3,vlan 0,tun 0,vsd 0,route 5

Parent session

id 8062/s**,vsys 0,flag 80001040/0c02/0011/0000,policy 4,time 2, dip 0 module 0,parent 8060
if 6(nspflag 800801):12.12.1.2/0->100.100.1.1/0,50,0014f6e67686,sess token 4,vlan 0,tun 0,vsd 0,route 7
if 5(nspflag 80800):12.12.1.2/0<-100.100.1.1/0,50,000000000000,sess token 3,vlan 0,tun 0,vsd 0,route 5
get log traffic
 
PID 3, from Trust to Untrust, src Any-IPv4, dst Any-IPv4, service ESP, action Permit
============================================================================================================
Date       Time       Duration Source IP        Port Destination IP   Port Service  SessionID  In Interface
Reason                Protocol Xlated Src IP    Port Xlated Dst IP    Port ID       PID        Out Interface
============================================================================================================
2018-09-26 08:49:05    0:00:01 100.100.1.1      0 12.12.1.2           0 ESP         8062       ethernet0/1
CLOSE_DELETE_TEMPLATE        50 100.100.1.1     0 12.12.1.2           0             3          ethernet0/2
2018-09-26 08:49:04    0:00:00 12.12.1.2        6048 100.100.1.1      1915 ESP      8060       ethernet0/2
Creation                     50 12.12.1.2       6048 100.100.1.1      1915          3          ethernet0/1
2018-09-26 08:49:04    0:00:00 100.100.1.1      2111 12.12.1.2        49471 ESP     8059       ethernet0/1
Creation                     50 100.100.1.1     2111 12.12.1.2        49471         3          ethernet0/2
2018-09-26 08:49:04    0:00:00 100.100.1.1      0 12.12.1.2           0 ESP         8062       ethernet0/1
Creation                     50 100.100.1.1     0 12.12.1.2           0             3          ethernet0/2

 

Solution:

No action is required because this is expected behavior on Netscreen devices. Whenever the firewall handles ESP traffic, a parent session and a child session will get created. 

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search