One of our customers creates a lot of SSL sessions to a server located on our infrastructure.
The FW the client uses, does handle it's hide-nat to the internet a bit strange (well, I never encountered this before 😅) it will always try to use the same source port as in the initial request of the server and only nat the ip src port randomly if the port is already used by another session.
Anyway, we now see a lot of sessions in "DST_FIN" state on our frontend firewall which are apparently all correct terminated/delete on the clients firewall (we only checked randomly some sessions). On your firewall the session counter is counting downwards from 3600s.
Now sometimes a session is dropped as it still exists in our table as "DST_FIN".
To mention is also that this behavior only showed up once we have upgraded from R77.30 to R80.20.
1) Can someone explain me what exactly DST_FIN means? Could not find it in the TCP state machine definition
2) If our fw detected a tcp session ending, shouldn't the 20s from the global properties apply?