minhhaivietnam
Contributor

fw ctl conntab output

Hello all,

 

I ran this command on my R80.10 firewall:

fw ctl conntab  -dip=10.128.33.31 -sip=10.128.73.11 

And I saw this result:

<(inbound, src=[10.128.73.11,39125], dest=[10.128.33.31,5701], TCP); 23/25, rule=24, tcp state=SYN_SENT, service=343, conn modules: PSL, SeqVerifier>

The "tcp state" is SYN_SENT -> Does this mean the connection is not established because the 3-step is not finished? If so, why is this "not-established-connection" still in the connection table?

What is the meaning of 23/25? -> Does this mean "after 23s" this connection will be removed?

 

Thanks very much for replying to me!

0 Kudos
5 Replies
PhoneBoy
Admin

Connections that are starting/ending have much shorter timeouts.
In this case, this starting connection has a timeout of 25 seconds.
The 23 refers to the number of seconds the connection has left before it is timed out.
0 Kudos
maheshgirnare
Explorer

Can you please help me understand the connection below: how old is it, in hours?

<(inbound, src=[sip,27807], dest=[dip,7005], TCP); 3522/3604, rule=3468, tcp state=TCP_ESTABLISHED, service=2233, Ifncin=46, Ifnsin=28, conn modules: Authentication, FG-1>

0 Kudos
the_rock
Leader

I believe the simple math there would be: 3600 seconds is 60 minutes, so 3522 would be 58 minutes and 42 seconds, if my math is right :)

0 Kudos
PhoneBoy
Admin

That doesn't tell you how long the connection has been active, only that the entry in the connection table expires in that time.
We don't track how long the connection has been active in the state tables.

0 Kudos
Timothy_Hall
Champion

Generally the state table does not track this kind of information, as PhoneBoy said; however, there is an exception to this if "Accounting" is enabled in the Track column of the matching rule. As a result, every 10 minutes or when the connection ends (whichever is sooner), extra logging information is sent indicating various accounting statistics about the connection that will appear in the SmartConsole log card for the connection.

However, in the meantime the firewall is tracking numerous bits of extra information right in the "connections" state table, including how long the connection has been active, in/out bytes, when a packet associated with the connection was last seen, etc. Here is an example state table entry matching a rule that has Accounting enabled; the related fields are highlighted in red:

20:43:51 5 N/A N/A 192.0.2.100 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; : -----------------------------------(+); Direction: 0; Source: 192.0.2.1; SPort: 60738; Dest: 192.0.2.100; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 1; Timeout: 507; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 0200e8000007c800; ACT_Starttime: 17May2021 20:41:31; ACT_Segtime: 17May2021 20:41:31; ACT_Lastseen: 17May2021 20:43:51; ACT_Cliinpack: 537; ACT_Clioutpack: 0; ACT_Srvinpack: 618; ACT_Srvoutpack: 0; ACT_Cliinbyte: 0; ACT_Clioutbyte: 0; ACT_Srvinbyte: 0; ACT_Srvoutbyte: 0; Expires: 3598/3600; LastUpdateTime: 17May2021 20:43:51; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

SecureXL/sim can also track accounting information, so utilizing Accounting does not affect acceleration status of the connection.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
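
The following is an added example, not part of the original thread and not Check Point code: a small Python parser for the two output formats quoted above. It reads the remaining/timeout pair from a `fw ctl conntab` line and derives elapsed time only from the `ACT_Starttime` and `ACT_Lastseen` accounting fields; the function names and the abbreviated sample strings are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed samples: the first conntab line and a subset of the accounting
# entry fields quoted in the thread above.
CONNTAB = ('<(inbound, src=[10.128.73.11,39125], dest=[10.128.33.31,5701], TCP); '
           '23/25, rule=24, tcp state=SYN_SENT, service=343, conn modules: PSL, SeqVerifier>')
ACCOUNTING = ('Source: 192.0.2.1; SPort: 60738; Dest: 192.0.2.100; DPort: 22; '
              'ACT_Starttime: 17May2021 20:41:31; ACT_Lastseen: 17May2021 20:43:51; '
              'Expires: 3598/3600; LastUpdateTime: 17May2021 20:43:51;')

CONNTAB_RE = re.compile(
    r'<\((?P<dir>\w+), src=\[(?P<src>[^,\]]+),(?P<sport>\d+)\], '
    r'dest=\[(?P<dst>[^,\]]+),(?P<dport>\d+)\], (?P<proto>\w+)\); '
    r'(?P<left>\d+)/(?P<timeout>\d+), rule=(?P<rule>\d+)'
    r'(?:, tcp state=(?P<state>\w+))?')

def parse_conntab(line):
    """Parse one `fw ctl conntab` entry; return None if it does not match."""
    m = CONNTAB_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    # left/timeout = seconds until the entry expires / timeout applied to it.
    # Neither value says how long the connection has existed.
    for key in ('sport', 'dport', 'left', 'timeout', 'rule'):
        entry[key] = int(entry[key])
    return entry

def accounting_age(entry):
    """Seconds between ACT_Starttime and ACT_Lastseen, or None without Accounting."""
    fields = dict(re.findall(r'(\w+): ([^;]*);', entry))
    if 'ACT_Starttime' not in fields or 'ACT_Lastseen' not in fields:
        return None  # no accounting fields: age cannot be derived from the entry
    fmt = '%d%b%Y %H:%M:%S'  # e.g. 17May2021 20:41:31
    start = datetime.strptime(fields['ACT_Starttime'], fmt)
    seen = datetime.strptime(fields['ACT_Lastseen'], fmt)
    return {'age_s': int((seen - start).total_seconds()),
            'expires': fields.get('Expires')}

if __name__ == '__main__':
    print(parse_conntab(CONNTAB))
    print(accounting_age(ACCOUNTING))
```
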