minhhaivietnam
Collaborator

fw ctl conntab output

Hello all,

 

I ran this command on my R80.10 firewall:

fw ctl conntab  -dip=10.168.39.31 -sip=10.168.75.11 

And I saw the result:

<(inbound, src=[10.168.75.11,39125], dest=[10.168.39.31,5701], TCP); 23/25, rule=24, tcp state=SYN_SENT, service=343, conn modules: PSL, SeqVerifier>

The "tcp state" is SYN_SENT -> Does this mean the connection is not established because the 3-step is not finished? If so, why is this "not-established-connection" still in the connection table?

What is the meaning of 23/25? -> Does this mean "after 23s" this connection will be removed?

 

Thanks very much for replying to me!

 

 

0 Kudos
5 Replies
PhoneBoy
Admin

Connections that are starting/ending have much shorter timeouts.
In this case, this starting connection has a timeout of 25 seconds.
The 23 refers to the number of seconds the connection has left before it is timed out.
0 Kudos
maheshgirnare
Explorer

Can you please help me understand the connection below: how old is it, in hours?

<(inbound, src=[sip,27807], dest=[dip,7005], TCP); 3522/3604, rule=3468, tcp state=TCP_ESTABLISHED, service=2233, Ifncin=46, Ifnsin=28, conn modules: Authentication, FG-1>

0 Kudos
the_rock
Legend

I believe the simple math there would be: 3600 seconds is 60 minutes, so 3522 would be 58 minutes and 42 seconds, if my math is right :)

0 Kudos
PhoneBoy
Admin

That doesn't tell you how long the connection has been active, only that the entry in the connection table expires in that time.
We don't track how long the connection has been active in the state tables.

0 Kudos
Timothy_Hall
Legend

Generally the state table does not track this kind of information as Phoneboy said, however there is an exception to this if "Accounting" is enabled in the Track column of the matching rule.  As a result every 10 minutes or when the connection ends (whichever is sooner), extra logging information is sent indicating various accounting statistics about the connection that will appear in the SmartConsole log card for the connection. 

However in the meantime the firewall is tracking numerous bits of extra information right in the "connections" state table including how long the connection has been active, in/out bytes, when a packet associated with the connection was last seen, etc.  Here is an example state table entry matching a rule that has Accounting enabled, the related fields are highlighted in red:

20:43:51 5 N/A N/A 192.0.2.100 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; : -----------------------------------(+); Direction: 0; Source: 192.0.2.1; SPort: 60738; Dest: 192.0.2.100; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 1; Timeout: 507; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 0200e8000007c800; ACT_Starttime: 17May2021 20:41:31; ACT_Segtime: 17May2021 20:41:31; ACT_Lastseen: 17May2021 20:43:51; ACT_Cliinpack: 537; ACT_Clioutpack: 0; ACT_Srvinpack: 618; ACT_Srvoutpack: 0; ACT_Cliinbyte: 0; ACT_Clioutbyte: 0; ACT_Srvinbyte: 0; ACT_Srvoutbyte: 0; Expires: 3598/3600; LastUpdateTime: 17May2021 20:43:51; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

SecureXL/sim can also track accounting information, so utilizing Accounting does not affect acceleration status of the connection.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
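
As an added example (not part of any reply above and not Check Point code), this Python parser reads the entries quoted in this thread: the `left/timeout` pair as described in the replies, and connection age only where the `ACT_` accounting fields are present. The timestamp format and the reading of `ACT_Starttime` and `ACT_Lastseen` as connection start and last packet seen are assumptions taken from the sample entry.

```python
import re
from datetime import datetime

# Entries copied from the thread above (the accounting entry is abridged to the fields used).
CONNTAB_SYN = ("<(inbound, src=[10.168.75.11,39125], dest=[10.168.39.31,5701], TCP); "
               "23/25, rule=24, tcp state=SYN_SENT, service=343, conn modules: PSL, SeqVerifier>")
CONNTAB_EST = ("<(inbound, src=[sip,27807], dest=[dip,7005], TCP); 3522/3604, rule=3468, "
               "tcp state=TCP_ESTABLISHED, service=2233, Ifncin=46, Ifnsin=28, "
               "conn modules: Authentication, FG-1>")
ACCOUNTING = ("Source: 192.0.2.1; SPort: 60738; Dest: 192.0.2.100; DPort: 22; Protocol: tcp; "
              "ACT_Starttime: 17May2021 20:41:31; ACT_Lastseen: 17May2021 20:43:51; "
              "Expires: 3598/3600; LastUpdateTime: 17May2021 20:43:51;")

CONNTAB_RE = re.compile(r"\);\s*(\d+)/(\d+),\s*rule=(\d+)(?:,\s*tcp state=(\w+))?")
TS_FORMAT = "%d%b%Y %H:%M:%S"  # assumed from the sample entry, e.g. "17May2021 20:41:31"


def parse_conntab(line):
    """Return expiry data from one `fw ctl conntab` entry, or None if it does not match."""
    m = CONNTAB_RE.search(line)
    if not m:
        return None
    left, timeout = int(m.group(1)), int(m.group(2))
    # timer_elapsed is timeout minus seconds left; it is not the connection's age.
    return {"expires_in": left, "timeout": timeout, "rule": int(m.group(3)),
            "tcp_state": m.group(4), "timer_elapsed": timeout - left}


def parse_accounting(entry):
    """Split a 'Key: value;' accounting entry and derive connection age where possible."""
    fields = dict(re.findall(r"(\w+): ([^;]*);", entry))
    out = {}
    if "Expires" in fields:
        left, timeout = fields["Expires"].split("/")
        out["expires_in"], out["timeout"] = int(left), int(timeout)
    try:
        start = datetime.strptime(fields["ACT_Starttime"], TS_FORMAT)
        seen = datetime.strptime(fields["ACT_Lastseen"], TS_FORMAT)
        out["age_seconds"] = int((seen - start).total_seconds())
    except (KeyError, ValueError):
        out["age_seconds"] = None  # no accounting fields: age cannot be derived
    return out


if __name__ == "__main__":
    for entry in (CONNTAB_SYN, CONNTAB_EST):
        print(parse_conntab(entry))
    print(parse_accounting(ACCOUNTING))
```
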
