yura_k
Contributor

ISP redundancy and Security Zones

Hi team!

Two 6400 appliances in the A/S cluster, Gaia R81.20 JHF41. Two ISPs (/29 subnets), Primary/Backup mode. NAT policy is made using Security Zones. Recently we faced the following situation.

When an ISP fail-over occurs from the Primary ISP to the Backup ISP, all outgoing ICMP requests and TCP sessions are re-established correctly. But some UDP sessions "hang" and are sourced with the address of the Primary ISP.

TAC in my case wrote that "Old connections will not change NAT by design. This, as confirmed by the developer, is by design; this is because the connection is recorded in the connection table."

How do I automatically clean up UDP sessions from the connections table?

Accepted Solution
PhoneBoy
Admin

The way I understand what TAC said, it sounds like this would require an RFE.
It is possible to remove connections from the connections table (fw tab -x, I believe), but it would require some scripting to parse the connections table and figure out which ones to remove.
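
The scripting PhoneBoy mentions, as an added example that is not from this thread or from Check Point: it reads a raw dump of the connections table, keeps the UDP entries (IP protocol 0x11) whose source is in the internal network, and prints (or, with `apply`, runs) an `fw tab -x` command for each one, so that the next UDP packet creates a fresh entry that is NATed via the ISP that is now active. Everything it assumes is hypothetical and must be checked on your own gateway first: that `fw tab -t connections -u` prints raw entries of the form `<dir, src, sport, dst, dport, proto; ...; timeout/limit>` in lowercase hex, that `fw tab -t connections -x -e dir,src,sport,dst,dport,proto` deletes a single entry, and that `10.0.0.0/24` stands in for your internal network. The sample dump at the bottom is constructed, not a real table.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point). Clears UDP entries
# from the connections table after an ISP fail-over.
#
# Assumptions (hypothetical, verify on your own gateway before using "apply"):
#  - "fw tab -t connections -u" prints raw entries as
#      <dir, src, sport, dst, dport, proto; ...; timeout/limit>   (lowercase hex)
#  - "fw tab -t connections -x -e dir,src,sport,dst,dport,proto" deletes one entry
#  - 10.0.0.0/24 is a placeholder for the internal (pre-NAT) network

hex2ip() {  # 0a000005 -> 10.0.0.5 (POSIX sh, no bash substrings)
  h=$1
  o1=${h%??????}; r=${h#??}
  o2=${r%????};   r=${r#??}
  o3=${r%??};     o4=${r#??}
  printf '%d.%d.%d.%d' "0x$o1" "0x$o2" "0x$o3" "0x$o4"
}

ip2int() {  # 10.0.0.5 -> 167772165
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a<<24)|(b<<16)|(c<<8)|d )); }
}

in_cidr() {  # in_cidr IP NET/BITS : exit 0 when IP lies inside NET/BITS
  net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# select_udp_entries NET/BITS : read a raw table dump on stdin and print
# "src:sport -> dst:dport key" for every UDP entry whose source is in NET/BITS.
select_udp_entries() {
  cidr=$1
  while IFS= read -r line; do
    case $line in '<'*) ;; *) continue ;; esac        # skip banner / blank lines
    key=${line#<}; key=${key%%;*}                     # "dir, src, sport, dst, dport, proto"
    set -- $(printf '%s' "$key" | tr -d ',')          # split into the 6 hex fields
    [ $# -eq 6 ] || continue
    [ "$6" = 00000011 ] || continue                   # 0x11 = UDP; 0x06 (TCP) is skipped
    src=$(hex2ip "$2"); dst=$(hex2ip "$4")
    in_cidr "$src" "$cidr" || continue
    printf '%s:%d -> %s:%d %s\n' "$src" "0x$3" "$dst" "0x$5" "$1,$2,$3,$4,$5,$6"
  done
}

# purge_udp_entries NET/BITS [apply] : dry run prints the commands; "apply" runs them.
purge_udp_entries() {
  mode=${2:-dry-run}
  select_udp_entries "$1" | while read -r _src _arrow _dst key; do
    if [ "$mode" = apply ]; then
      fw tab -t connections -x -e "$key"
    else
      echo "fw tab -t connections -x -e $key"
    fi
  done
}

# Constructed sample of what "fw tab -t connections -u" might print (not a real dump):
# two UDP DNS flows from the LAN, one TCP flow (skipped), one UDP flow from another net (skipped).
SAMPLE_DUMP='<00000000, 0a000005, 0000c350, 08080808, 00000035, 00000011; 00010001, 00000000; 38/40>
<00000000, 0a000006, 0000d431, c6336401, 00000035, 00000011; 00010001, 00000000; 12/40>
<00000000, 0a000007, 0000e1bd, c6336402, 000001bb, 00000006; 00010001, 00000000; 3580/3600>
<00000000, c0a80101, 0000c351, 08080808, 00000035, 00000011; 00010001, 00000000; 20/40>'

# Dry run on the sample. On the gateway, after fail-over:
#   fw tab -t connections -u | purge_udp_entries 10.0.0.0/24 apply
printf '%s\n' "$SAMPLE_DUMP" | purge_udp_entries 10.0.0.0/24
```

The dry run is the default on purpose: compare its output with `fw tab -t connections -u` before passing `apply`, and note that UDP "sessions" on the gateway are only a timeout window (40 seconds by default), so clearing them costs at most one retransmission per flow while a stale entry keeps the old NAT for as long as traffic refreshes it.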


Replies
yura_k
Contributor

Hi! If I understand correctly, when client A sends UDP data to server B via CP, a virtual UDP session is created, which has a timeout (40 seconds by default).

If a UDP reply from server B to client A arrives, is it a second virtual session, which is in no way linked to the first virtual session?

PhoneBoy
Admin

If that reply comes within 40 seconds, it's considered part of the same session.

the_rock
Legend

If TAC confirmed it and the developer said the same, then what @PhoneBoy advised makes total sense. Sounds like an RFE to me.

Best,

Andy
