marcherren
Participant

Old session in "DST_FIN" state blocks new session

Hi all,


One of our customers creates a lot of SSL sessions to a server located on our infrastructure.

The FW the client uses handles its hide-NAT to the internet a bit strangely (well, I never encountered this before 😅): it will always try to use the same source port as in the initial request of the server and only NAT the IP src port randomly if the port is already used by another session.

Anyway, we now see a lot of sessions in "DST_FIN" state on our frontend firewall which are apparently all correctly terminated/deleted on the client's firewall (we only checked some sessions at random). On our firewall the session counter is counting downwards from 3600s.

Now sometimes a session is dropped as it still exists in our table as "DST_FIN".

Also worth mentioning is that this behavior only showed up once we upgraded from R77.30 to R80.20.


1) Can someone explain to me what exactly DST_FIN means? I could not find it in the TCP state machine definition.

2) If our fw detected a tcp session ending, shouldn't the 20s from the global properties apply?

Best regards,

Marc

PhoneBoy
Admin

You can see the various TCP states we log here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
It seems to match what you describe: TCP connection terminated only by Server side
Some packet dumps might be useful, as well as possibly a TAC case.
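As an added illustration (not code from this thread or from Check Point), here is a toy stateful connection table that reproduces the symptom described above: the server's FIN moves the entry to DST_FIN, the client never sends its own FIN, and a later SYN reusing the same source port is dropped against the stale entry. The state names, the 3600s timer for a half-closed session and the 20s "TCP end" timer are assumptions taken from the posts, not vendor behaviour.

```python
# Toy stateful-inspection connection table (added example, not Check Point code).
# Timers are assumptions taken from the thread: 3600 s while the firewall still
# treats the session as open or half-closed, 20 s once both sides have sent FIN.
ESTABLISHED_TIMEOUT = 3600
TCP_END_TIMEOUT = 20


class SessionTable:
    """Tracks connections keyed by (client_ip, client_port, server_ip, server_port)."""

    def __init__(self):
        self.entries = {}  # key -> [state, expiry_time]

    def _expire(self, now):
        # Drop every entry whose timer has run out.
        self.entries = {k: v for k, v in self.entries.items() if v[1] > now}

    def observe(self, now, key, flag, sender):
        """Feed one packet (flag 'SYN' or 'FIN', sender 'client' or 'server');
        returns the resulting table state or a drop verdict."""
        self._expire(now)
        entry = self.entries.get(key)
        if flag == "SYN" and sender == "client":
            if entry is not None:
                # Same 4-tuple reused while the old entry is still alive:
                # the SYN matches no new-connection rule and is dropped.
                return "drop (%s)" % entry[0]
            self.entries[key] = ["ESTABLISHED", now + ESTABLISHED_TIMEOUT]
            return "ESTABLISHED"
        if entry is None:
            return "drop (no session)"
        state = entry[0]
        if flag == "FIN":
            if state == "ESTABLISHED":
                # Only one side has closed; the long timer keeps running,
                # which is what the thread reports for DST_FIN.
                entry[0] = "DST_FIN" if sender == "server" else "SRC_FIN"
            elif (state, sender) in (("DST_FIN", "client"), ("SRC_FIN", "server")):
                # Both sides closed: switch to the short "TCP end" timer.
                entry[0] = "END"
                entry[1] = now + TCP_END_TIMEOUT
            return entry[0]
        return state
```

Running the two flows shows the contrast: with the client's FIN missing, the reused port is blocked for up to 3600s; with it, the entry ages out after 20s.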