Command: clear session id 135269 not working


L6 Presenter

Hi All,

 

Strange, but I cannot clear the session below. I tried from the GUI first, then from the CLI. The CLI says: session 135269 cleared, but afterwards I am still able to see it as active.

 

Any idea?

 

PAN-OS 6.1.7 PA-5050

 

Thx,

Myky

Accepted Solutions

Cyber Elite

@TranceforLife you can review this link that reaper put together but essentially the session id is going to keep showing the same information until it is overwritten. To verify you could run show session all filter source ip and replace IP with whatever the source IP address is to verify that the session itself isn't actually there anymore. You can replace source ip with destination ip depending on what direction this was actually going and what makes more sense on this session. 


Hmm. Nice one. Didn't know that 🙂 Thank you

@BPry Even more interesting. Still active

If it's a tunnel I would bet that it's reopening so fast that it must be taking the same session. The interesting thing is that it's keeping the same session number; one would suspect that if it's relaunching, the session ID would change since you have cleared the session ID from the table.

The only way that I could really see this happening is if 135269 is the last session that you have open, therefore when the tunnel brings itself back up it's just taking the session id since it's the next one available? 

@BPry Could be. What I could see is that the time when the session was established is still Nov 8 10:28:36 2016 and the TTL is decrementing)))

 

timeout : 268435455 sec
time to live : 265828673 sec

 

timeout : 268435455 sec
time to live : 265828639 sec

Very interesting. I would say to try to create a deny rule in your policy list but since the session is already active that isn't going to work anyways. I'd be interested in hearing what TAC has to say about it and if they can find a way to clear it out successfully; this is a very weird issue to run into. 

I'm a bit late to the party:

You can't clear 'tunnel' sessions for VPN tunnels configured on the firewall; those are maintained by the system and depend on ikemgr releasing the session.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi reaper,

 

That actually answers the question. I also noticed that this tunnel session is a bit different from a traditional one:

 

no ingress/egress interface and TTL is very high.

 

Thanks All,

Myky
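The TTL comparison Myky did by eye in the thread, as an added example that is not part of the original posts or any Palo Alto tooling: it parses two snapshots of the session detail taken before and after a clear and reports whether the same entry kept aging or the TTL restarted. Only the `timeout` and `time to live` lines quoted in the thread are parsed; the function names, verdict strings and the "re-created" snapshot are assumptions made for illustration.

```python
import re

# Matches only the two field lines quoted in the thread.
FIELD_RE = re.compile(r"^\s*(timeout|time to live)\s*:\s*(\d+)\s*sec", re.M)

def parse_snapshot(text):
    """Return {'timeout': n, 'time to live': n}, or None if either field is absent."""
    fields = {name: int(value) for name, value in FIELD_RE.findall(text)}
    if {"timeout", "time to live"} <= fields.keys():
        return fields
    return None

def classify(before, after):
    """Compare snapshots of one session ID taken before and after a clear.

    Returns (verdict, ttl_drop_seconds). Hypothetical verdicts:
      'no-entry'         - second snapshot has no timeout/TTL fields
      'same-entry-aging' - timeout unchanged and TTL kept counting down,
                           so the clear did not remove the entry
      'ttl-reset'        - TTL did not decrease or timeout changed: the
                           entry was re-created or refreshed by traffic
    """
    a, b = parse_snapshot(before), parse_snapshot(after)
    if a is None:
        raise ValueError("first snapshot has no timeout/TTL fields")
    if b is None:
        return ("no-entry", None)
    drop = a["time to live"] - b["time to live"]
    if a["timeout"] == b["timeout"] and drop > 0:
        return ("same-entry-aging", drop)
    return ("ttl-reset", drop)

# The two readings posted in the thread.
SNAP_1 = "timeout : 268435455 sec\ntime to live : 265828673 sec\n"
SNAP_2 = "timeout : 268435455 sec\ntime to live : 265828639 sec\n"
# Constructed reading: what a freshly re-created entry could look like.
SNAP_NEW = "timeout : 268435455 sec\ntime to live : 268435450 sec\n"

if __name__ == "__main__":
    print(classify(SNAP_1, SNAP_2))    # thread's readings
    print(classify(SNAP_1, SNAP_NEW))  # constructed comparison
```

A 'same-entry-aging' verdict on a tunnel session matches reaper's explanation: the entry is held by the system rather than re-created after the clear.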
