New Sessions

L2 Linker

Hi,

I have a question: what happens when the firewall has an active session and needs to create the same session again while the old session is still active? For example, the firewall has the following session:

10.50.213.22 port 1020 -----> 10.65.22.15 port 515

This session is active, but the server keeps sending connections, for example:

10.50.213.22 port 1021 -----> 10.65.22.15 port 515

10.50.213.22 port 1022 -----> 10.65.22.15 port 515

10.50.213.22 port 1023 -----> 10.65.22.15 port 515

10.50.213.22 port 1024 -----> 10.65.22.15 port 515

But the next connection is again:

10.50.213.22 port 1020 -----> 10.65.22.15 port 515

and the firewall still has the old active session. The question is: what happens with the new session?

Can you help me with this?

1 accepted solution

Accepted Solutions

L7 Applicator

Hello Fernando,

As per my understanding, unless all 5 tuple parameters (Src IP, Dst IP, Src-port, Dst-port, Protocol) are the same, the firewall will create a new session. For example, the firewall will create a different session for a packet initiated from the same source IP to the same destination IP (same protocol) with Src port 1021, 1022, 1023, etc.

If the firewall again sees a connection initiated from 10.50.213.22 port 1020 -----> 10.65.22.15 port 515, and the old session is still active, I hope the FW will identify it as a duplicate flow and drop it.

But I have read in a TCP RFC (not sure of the RFC number: RFC 793, RFC 1180 or RFC 1323) that, if all 65535 source ports are exhausted on a system, it can consider the "time-stamp" of the TCP SYN to identify/differentiate a new session when all 5 tuple parameters match.

Thanks
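To make the 5-tuple matching and the duplicate-SYN case concrete, here is an added toy session table (example code, not from the thread or from any vendor's firewall). It assumes a simplified model: a SYN whose 5-tuple matches an ACTIVE session is reported as a duplicate, and only when the old session is CLOSING does a SYN carrying a strictly newer TCP timestamp replace it; the IPs and ports are the ones from the question, the timestamps are constructed.

```python
"""Toy stateful session table keyed on the 5-tuple (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Session key = (src_ip, dst_ip, src_port, dst_port, protocol)
Key = tuple

@dataclass
class Session:
    state: str              # "ACTIVE" or "CLOSING"
    last_ts: Optional[int]  # last TCP timestamp (TSval) seen from the initiator

class SessionTable:
    def __init__(self):
        self.table: dict = {}

    def syn(self, src, dst, sport, dport, proto="tcp", tsval=None):
        """Handle a SYN. Returns 'new', 'duplicate' or 'replaced'."""
        key = (src, dst, sport, dport, proto)
        cur = self.table.get(key)
        if cur is None:
            self.table[key] = Session("ACTIVE", tsval)
            return "new"
        # Same 5-tuple while the old flow is still active: treat as duplicate.
        if cur.state == "ACTIVE":
            return "duplicate"
        # Old flow is winding down: a SYN with a strictly newer timestamp
        # is taken as a genuinely new connection (hypothetical tie-break).
        if tsval is not None and cur.last_ts is not None and tsval > cur.last_ts:
            self.table[key] = Session("ACTIVE", tsval)
            return "replaced"
        return "duplicate"

    def close(self, src, dst, sport, dport, proto="tcp"):
        s = self.table.get((src, dst, sport, dport, proto))
        if s:
            s.state = "CLOSING"

def demo():
    t = SessionTable()
    results = []
    for sport in (1020, 1021, 1022, 1023, 1024):
        results.append(t.syn("10.50.213.22", "10.65.22.15", sport, 515, tsval=100 + sport))
    # Port 1020 comes around again while its session is still active.
    results.append(t.syn("10.50.213.22", "10.65.22.15", 1020, 515, tsval=2000))
    # After the old 1020 flow starts closing, a newer-timestamped SYN is accepted.
    t.close("10.50.213.22", "10.65.22.15", 1020, 515)
    results.append(t.syn("10.50.213.22", "10.65.22.15", 1020, 515, tsval=2001))
    return results
```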

