topic Re: fw ctl conntab output in General Topics

fw ctl conntab output

minhhaivietnam — Thu, 02 Dec 2021 04:29:20 GMT

Hello all,

I run this command on my firewall R80.10

fw ctl conntab -dip=10.168.39.31 -sip=10.168.75.11

And I saw the result :

<(inbound, src=[10.168.75.11,39125], dest=[10.168.39.31,5701], TCP); 23/25, rule=24, tcp state=SYN_SENT, service=343, conn modules: PSL, SeqVerifier>

The "tcp state" is SYN_SENT -> Does this mean the connection is not established because 3-step is not finished? If so, why this "not-established-connection" is still in connection table?

What is mean of 23/25? -> Does this mean "after 23s" this connection will be removed?

Thanks very much for replying me!

Re: fw ctl conntab output

PhoneBoy — Mon, 09 Sep 2019 19:49:36 GMT

Connections that are starting/ending have much shorter timeouts.
In this case, this starting connection has a timeout of 25 seconds.
The 23 refers to the number of seconds the connection has left before it is timed out.

Re: fw ctl conntab output

maheshgirnare — Mon, 17 May 2021 15:38:48 GMT

can you please help to understand below connection, how much old in hrs

<(inbound, src=[sip,27807], dest=[dip,7005], TCP); 3522/3604, rule=3468, tcp state=TCP_ESTABLISHED, service=2233, Ifncin=46, Ifnsin=28, conn modules: Authentication, FG-1>

Re: fw ctl conntab output

the_rock — Tue, 18 May 2021 00:36:31 GMT

I believe simple math there would 3600 seconds is 60 minutes, so 3522 would be 58 minutes and 42 seconds if my math is right : )

Re: fw ctl conntab output

PhoneBoy — Tue, 18 May 2021 01:45:08 GMT

That doesn't tell you how long the connection has been active, only that the entry in the connection table expires in that time.
We don't track how long the connection has been active in the state tables.

Re: fw ctl conntab output

Timothy_Hall — Tue, 18 May 2021 02:53:43 GMT

Generally the state table does not track this kind of information as Phoneboy said, however there is an exception to this if "Accounting" is enabled in the Track column of the matching rule. As a result every 10 minutes or when the connection ends (whichever is sooner), extra logging information is sent indicating various accounting statistics about the connection that will appear in the SmartConsole log card for the connection.

However in the meantime the firewall is tracking numerous bits of extra information right in the "connections" state table including how long the connection has been active, in/out bytes, when a packet associated with the connection was last seen, etc. Here is an example state table entry matching a rule that has Accounting enabled, the related fields are highlighted in red:

20:43:51 5 N/A N/A 192.0.2.100 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; : -----------------------------------(+); Direction: 0; Source: 192.0.2.1; SPort: 60738; Dest: 192.0.2.100; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 1; Timeout: 507; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 0200e8000007c800; ACT_Starttime: 17May2021 20:41:31; ACT_Segtime: 17May2021 20:41:31; ACT_Lastseen: 17May2021 20:43:51; ACT_Cliinpack: 537; ACT_Clioutpack: 0; ACT_Srvinpack: 618; ACT_Srvoutpack: 0; ACT_Cliinbyte: 0; ACT_Clioutbyte: 0; ACT_Srvinbyte: 0; ACT_Srvoutbyte: 0; Expires: 3598/3600; LastUpdateTime: 17May2021 20:43:51; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

SecureXL/sim can also track accounting information, so utilizing Accounting does not affect acceleration status of the connection.