TCP Session Stuck and only manual clear of the session id solve the issue

Reply
Highlighted
L0 Member

TCP Session Stuck and only manual clear of the session id solve the issue

Dear Community,

 

we are facing a strange behavior with a tcp flow that is meant to mount a volume on a linux server, from time to time, the session get stuck in the firewall causing an error while trying to mount the device, the topology is as follow:

 

Linux Server <-> Firewall 1 <-> Firewall 2 <-> Script Server

 

the Script server execute a backup script that mount the volume in the linux Server and start uploading the files, when no session is created in the firewall the script work perfectly but when the issue happen we see at the Firewall two a session stuck and the volume doesn't mount

 

here is the tcp info:

(active)> show session all filter source 10.X.X.X destination 10.Y.Y.Y

 

--------------------------------------------------------------------------------

ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                          Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

3146098      undecided      ACTIVE  FLOW       10.X.X.X[782]/APP/6  (10.X.X.X[782])

vsys1                                          10.Y.Y.Y[2049]/RULEX  (10.Y.Y.Y[2049])

 

(active)> show session id 3146098

Session 3146098

c2s flow:
source: 10.X.X.X [APP]
dst: 10.Y.Y.Y
proto: 6
sport: 782 dport: 2049
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown

s2c flow:
source: 10.Y.Y.Y [RULEX]
dst: 10.X.X.X
proto: 6
sport: 2049 dport: 782
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown

Slot : 1
DP : 0
index(local): : 3146098
start time : Wed Jun 24 21:03:01 2020
timeout : 120 sec
time to live : 108 sec
total byte count(c2s) : 5613888
total byte count(s2c) : 528
layer7 packet count(c2s) : 71974
layer7 packet count(s2c) : 8
vsys : vsys1
shared gateway : sg2
application : undecided
rule : RULEX
service timeout override(index) : False
application db : 0
app.id : c2s node (0, 0) s2s node (0, 0)
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : aeX.XXX
egress interface : aeY
session QoS rule : N/A (class 4)
end-reason : unknown

 

and only a clear of this session id will solve the issue, both firewalls are on version 8.1.12. no session is seen on Firewall 1 when the issue happen.

 

Thanks for your help

Regards,

Highlighted
L1 Bithead

my guess would actually be that firewall1 is the problem, as it has terminated the session, any followup ACK packets will be discarded by it

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!