Re: fw ctl conntab output

minhhaivietnam · ‎2019-09-08

Hello all,

I run this command on my firewall R80.10

fw ctl conntab -dip=10.168.39.31 -sip=10.168.75.11

And I saw the result :

<(inbound, src=[10.168.75.11,39125], dest=[10.168.39.31,5701], TCP); 23/25, rule=24, tcp state=SYN_SENT, service=343, conn modules: PSL, SeqVerifier>

The "tcp state" is SYN_SENT -> Does this mean the connection is not established because 3-step is not finished? If so, why this "not-established-connection" is still in connection table?

What is mean of 23/25? -> Does this mean "after 23s" this connection will be removed?

Thanks very much for replying me!

PhoneBoy · ‎2019-09-09

Connections that are starting/ending have much shorter timeouts.
In this case, this starting connection has a timeout of 25 seconds.
The 23 refers to the number of seconds the connection has left before it is timed out.

maheshgirnare · ‎2021-05-17

can you please help to understand below connection, how much old in hrs

<(inbound, src=[sip,27807], dest=[dip,7005], TCP); 3522/3604, rule=3468, tcp state=TCP_ESTABLISHED, service=2233, Ifncin=46, Ifnsin=28, conn modules: Authentication, FG-1>

the_rock · ‎2021-05-17

I believe simple math there would 3600 seconds is 60 minutes, so 3522 would be 58 minutes and 42 seconds if my math is right : )

Best,
Andy

PhoneBoy · ‎2021-05-17

That doesn't tell you how long the connection has been active, only that the entry in the connection table expires in that time.
We don't track how long the connection has been active in the state tables.

Timothy_Hall · ‎2021-05-17

Generally the state table does not track this kind of information as Phoneboy said, however there is an exception to this if "Accounting" is enabled in the Track column of the matching rule. As a result every 10 minutes or when the connection ends (whichever is sooner), extra logging information is sent indicating various accounting statistics about the connection that will appear in the SmartConsole log card for the connection.

However in the meantime the firewall is tracking numerous bits of extra information right in the "connections" state table including how long the connection has been active, in/out bytes, when a packet associated with the connection was last seen, etc. Here is an example state table entry matching a rule that has Accounting enabled, the related fields are highlighted in red:

20:43:51 5 N/A N/A 192.0.2.100 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; : -----------------------------------(+); Direction: 0; Source: 192.0.2.1; SPort: 60738; Dest: 192.0.2.100; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 1; Timeout: 507; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 0200e8000007c800; ACT_Starttime: 17May2021 20:41:31; ACT_Segtime: 17May2021 20:41:31; ACT_Lastseen: 17May2021 20:43:51; ACT_Cliinpack: 537; ACT_Clioutpack: 0; ACT_Srvinpack: 618; ACT_Srvoutpack: 0; ACT_Cliinbyte: 0; ACT_Clioutbyte: 0; ACT_Srvinbyte: 0; ACT_Srvoutbyte: 0; Expires: 3598/3600; LastUpdateTime: 17May2021 20:43:51; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

SecureXL/sim can also track accounting information, so utilizing Accounting does not affect acceleration status of the connection.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Are you a member of CheckMates?

fw ctl conntab output