Session timeout/TTL expiration counter not updated?

Question

Hi,

"diag sys session list" shows this:

session info: proto=6 proto_state=01 duration=722 expire=28077 timeout=28800 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/7
state=log may_dirty npu synced none log-start
statistic(bytes/packets/allow_err): org=1031/6/1 reply=659/6/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=31->41/41->31 gwy=192.168.x.x/192.168.y.y
hook=pre dir=org act=noop 172.x.x.x:61697->192.x.x.x:1521(0.0.0.0:0)
hook=post dir=reply act=noop 192.x.x.x:1521->172.x.x.x:61697(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4
serial=00863f17 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
npu_state=0x003000
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=128/129, ipid=129/128, vlan=0x801e/0x801c
vlifid=129/128, vtag_in=0x001e/0x001c in_npu=1/1, out_npu=1/1, fwd_en=0/0

After that I perform some activity. I clearly see using Wireshark that the corresponding IP/port src/dest is used (PSH/ACK, etc.)

However the session expiry timer does not seem to be updated:


session info: proto=6 proto_state=01 duration=895 expire=27904 timeout=28800 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/7
state=log may_dirty npu synced none log-start
statistic(bytes/packets/allow_err): org=1031/6/1 reply=659/6/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=31->41/41->31 gwy=192.168.x.x/192.168.y.y
hook=pre dir=org act=noop 172.x.x.x:61697->192.x.x.x:1521(0.0.0.0:0)
hook=post dir=reply act=noop 192.x.x.x:1521->172.x.x.x:61697(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4
serial=00863f17 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
npu_state=0x003000
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=128/129, ipid=129/128, vlan=0x801e/0x801c
vlifid=129/128, vtag_in=0x001e/0x001c in_npu=1/1, out_npu=1/1, fwd_en=0/0

Why can that be?

Bye,

Marki

ede_pfau · Accepted Answer

But the FGT doesn't seem to count any traffic bytes between both snapshots. Could be a misleading status because of NP-offloading.

Does the session really expire then (you could test that after setting a lower value for the session TTL)?

ede_pfau · Answer

Nice debugging. I think the latency at the start is related to the offloading, and it's duration is relative to the TTL of that policy (apparantly >20%).

One thing missing is to check if the session really expires because of the missing reset, or if this really is a lack of timely updating the GUI or the counters. Maybe you could look into this, too. If the session expires, ongoing traffic would open a new session, so the session ID would change. Or you could directly observe a session setup in 'diag deb flow'.

IMHO Fortinet should be made aware of this, and one way would be to open a ticket. Combined with a note that either the displayed values are stale (but the TTL mechanism as such is working correctly), or there is a lack of internally updating them (which would mean a shorter TTL than specified/wanted). I'd think the former is the case.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded