03-13-2014 01:09 PM
Hi,
I have a question: what happens when the firewall has an active session and needs to create the same session while the old session is still active? For example, the firewall has the following session:
10.50.213.22 port 1020 -----> 10.65.22.15 port 515
This session is active, but the server is still sending connections, for example:
10.50.213.22 port 1021 -----> 10.65.22.15 port 515
10.50.213.22 port 1022 -----> 10.65.22.15 port 515
10.50.213.22 port 1023 -----> 10.65.22.15 port 515
10.50.213.22 port 1024 -----> 10.65.22.15 port 515
But the next connection is again:
10.50.213.22 port 1020 -----> 10.65.22.15 port 515
and the firewall still has the old active session. The question is: what happens with the new session?
Can you help me with this?
03-13-2014 03:15 PM
Hello Fernando,
As per my understanding, unless all 5 tuple parameters (Src IP, Dst IP, Src-port, Dst-port, Protocol) are the same, the firewall will create a new session. For example, the firewall will create a different session for packets initiated from the same source IP to the same destination IP (same protocol) with Src port 1021, 1022, 1023, etc.
If the firewall is again initiating a connection from 10.50.213.22 port 1020 -----> 10.65.22.15 port 515, and the old session is still active, I hope the FW will identify it as a duplicate flow and drop it.
But I have read in a TCP RFC (not sure of the RFC number: RFC 793, RFC 1180 or RFC 1323) that if all 65535 source ports are exhausted on a system, it can consider the "time-stamp" of the TCP SYN to identify/differentiate a new session even when all 5 tuple parameters match.
Thanks
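To make the 5-tuple behaviour described in the reply concrete, here is a toy session table in Python. It is an added example written for this thread, not Palo Alto Networks code and not a description of any particular firewall's implementation: sessions are keyed on (src IP, dst IP, src port, dst port, protocol), each distinct source port creates its own entry, a SYN whose 5-tuple matches a still-active entry is reported as a duplicate (the "drop it" outcome the reply expects), and the tuple becomes reusable only after the old session is closed or idles out. The addresses, ports, the 60-second idle timeout and the timeline are constructed from the thread's example; the timestamp-based disambiguation the reply mentions is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Session key: (src_ip, dst_ip, src_port, dst_port, protocol)
FiveTuple = Tuple[str, str, int, int, str]


@dataclass
class Session:
    key: FiveTuple
    created_at: float
    last_seen: float
    state: str = "ACTIVE"   # ACTIVE or CLOSED


class SessionTable:
    """Toy stateful-firewall session table keyed by the 5-tuple.
    Constructed model for illustration, not a vendor implementation."""

    def __init__(self, idle_timeout: float = 60.0):
        self.idle_timeout = idle_timeout
        self.sessions: Dict[FiveTuple, Session] = {}

    def _expire(self, now: float) -> None:
        # Age out closed sessions and sessions idle longer than the timeout.
        for key, s in list(self.sessions.items()):
            if s.state == "CLOSED" or now - s.last_seen > self.idle_timeout:
                del self.sessions[key]

    def new_flow(self, key: FiveTuple, now: float) -> str:
        """Handle a TCP SYN. Returns 'NEW' when a session is created and
        'DUPLICATE' when an active session with the same 5-tuple exists."""
        self._expire(now)
        if key in self.sessions:
            return "DUPLICATE"
        self.sessions[key] = Session(key, created_at=now, last_seen=now)
        return "NEW"

    def close_flow(self, key: FiveTuple, now: float) -> None:
        """FIN/RST seen: mark the session closed so the tuple can be reused."""
        s = self.sessions.get(key)
        if s is not None:
            s.state = "CLOSED"
            s.last_seen = now


def run_scenario() -> Tuple[List[Tuple[int, str]], int]:
    """Replay the thread's example: ports 1020-1024 to 10.65.22.15:515,
    then port 1020 reused while its session is still active."""
    table = SessionTable(idle_timeout=60.0)
    src, dst, dport = "10.50.213.22", "10.65.22.15", 515
    log: List[Tuple[int, str]] = []
    t = 0.0
    # Five connections, one per source port: five distinct 5-tuples, five sessions.
    for sport in (1020, 1021, 1022, 1023, 1024):
        t += 1
        log.append((sport, table.new_flow((src, dst, sport, dport, "tcp"), t)))
    # Port 1020 reused one second later while its session is still active.
    t += 1
    log.append((1020, table.new_flow((src, dst, 1020, dport, "tcp"), t)))
    # Once the old session is torn down, the same tuple is accepted again.
    table.close_flow((src, dst, 1020, dport, "tcp"), t)
    t += 1
    log.append((1020, table.new_flow((src, dst, 1020, dport, "tcp"), t)))
    # Idle timeout: the port-1021 session last saw traffic at t=2, so by
    # t=63 it has aged out and a new SYN on that tuple creates a fresh session.
    t += 56
    log.append((1021, table.new_flow((src, dst, 1021, dport, "tcp"), t)))
    return log, len(table.sessions)


if __name__ == "__main__":
    decisions, active = run_scenario()
    for sport, verdict in decisions:
        print(f"10.50.213.22:{sport} -> 10.65.22.15:515  {verdict}")
    print(f"active sessions: {active}")
```

The point the model makes visible is that the session table does not care about how many connections a client opens, only about whether the exact 5-tuple is already present. Port reuse collides only when the client cycles back to a port whose previous session the firewall has not yet closed or aged out, which is why the idle timeout and proper FIN/RST handling, rather than the number of ports, decide whether the repeat of port 1020 is treated as a duplicate.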