Command: clear session id 135269 not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Command: clear session id 135269 not working

L6 Presenter

Hi All,

 

Strange but cannot clear the session below. Did try from GUI first then from CLI. CLI says:  session 135269 cleared after still able to see it as active 

 

clear session.PNG

 

Any idea?

 

PAN-OS 6.1.7 PA-5050

 

Thx,

Myky

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@TranceforLife you can review this link that reaper put together but essentially the session id is going to keep showing the same information until it is overwritten. To verify you could run show session all filter source ip and replace IP with whatever the source IP address is to verify that the session itself isn't actually there anymore. You can replace source ip with destination ip depending on what direction this was actually going and what makes more sense on this session. 

 

 

View solution in original post

8 REPLIES 8

Cyber Elite
Cyber Elite

@TranceforLife you can review this link that reaper put together but essentially the session id is going to keep showing the same information until it is overwritten. To verify you could run show session all filter source ip and replace IP with whatever the source IP address is to verify that the session itself isn't actually there anymore. You can replace source ip with destination ip depending on what direction this was actually going and what makes more sense on this session. 

 

 

Hmm. Nice one. Didn't know that 🙂 Thank you

@BPry Even more interesting. Still active

 

session still there.PNG

If it's a tunnel I would bet that it's reopening so fast that it must be taking the same session. The interseting thing is that it's keeping the same session number, one would suspect that if it's relaunching the session ID would change since you have cleared the session id from the table.

The only way that I could really see this happening is if 135269 is the last session that you have open, therefore when the tunnel brings itself back up it's just taking the session id since it's the next one available? 

@BPryCould be. What l could see that the time when session is established still Nov 8 10:28:36 2016 and TTL is decrementing)))

 

timeout : 268435455 sec
time to live : 265828673 sec

 

timeout : 268435455 sec
time to live : 265828639 sec

 

TTL.PNG

Very interesting. I would say to try to create a deny rule in your policy list but since the session is already active that isn't going to work anyways. I'd be interested in hearing what TAC has to say about it and if they can find a way to clear it out successfully; this is a very weird issue to run into. 

i'm a bit late to the party:

 

you can't clear 'tunnel' sessions for vpn tunnels configured on the firewall, those are maintained by the system and depend on ikemgr releasing the session

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi reaper,

 

That actually answer the question. l also noticed that this tunnel session a bit different than traditional: 

 

no ingress/egress interface and TTL is very high.

 

Thanks All,

Myky

  • 1 accepted solution
  • 3159 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!