Technical Tip: Multiple sessions are assigned with same session ID

gessakkiappan · ‎03-07-2021

Description
Forward traffic logs and Session output shows same session ID on multiple sessions.

This article describes this feature.

Solution
Multiple sessions on the Firewall session output and Forward traffic logs displays same session ID.

When the session is created using the Session helper, the child sessions will have the same session ID which was assigned to the parent session.

For example: If Session helper is configured for FTP protocol, all the Data channel will have the same session ID as Control channel session.

Below is the Example of an RPC session and its child sessions

RPC session.

session info: proto=6 proto_state=05 duration=402147 expire=4 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=9
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ helper=dcerpc vlan_cos=0/255 <----- RPC ALG enabled for the session.
state=log dirty may_dirty f00
statistic(bytes/packets/allow_err): org=620/7/1 reply=452/4/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=0->0/0->0 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.59.1.251:65465->172.29.3.112:135(0.0.0.0:0)
hook=post dir=reply act=noop 172.29.3.112:135->10.59.1.251:65465(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0 <----- 00678c12 is the session ID.
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0

Child sessions (allowed by the Session helper triggered on the above session).

session info: proto=6 proto_state=01 duration=29546 expire=3575 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ vlan_cos=255/255
state=log intree                                                                           <----- Child session.
statistic(bytes/packets/allow_err): org=16290/158/1 reply=56899/189/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 2/0
orgin->sink: org pre->post, reply pre->post dev=32->35/35->32 gwy=172.29.3.112/10.59.1.251
hook=post dir=org act=noop 10.59.1.251:63393->172.29.3.112:63807(0.0.0.0:0)
hook=pre dir=reply act=noop 172.29.3.112:63807->10.59.1.251:63393(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0                                       <----- Same session ID as parent.
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0

session info: proto=6 proto_state=01 duration=25 expire=3584 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=Chennai-DR/ vlan_cos=255/255
state=log intree                                                                           <----- Child session.
statistic(bytes/packets/allow_err): org=137880/1427/1 reply=3690440/2666/1 tuples=2
tx speed(Bps/kbps): 5369/42 rx speed(Bps/kbps): 143708/1149
orgin->sink: org pre->post, reply pre->post dev=32->35/35->32 gwy=172.29.3.112/10.59.1.251
hook=post dir=org act=noop 10.59.1.251:53891->172.29.3.112:49156(0.0.0.0:0)
hook=pre dir=reply act=noop 172.29.3.112:49156->10.59.1.251:53891(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=30 auth_info=0 chk_client_info=0 vd=0
serial=00678c12 tos=ff/ff app_list=0 app=0 url_cat=0                                       <----- Same session ID as parent.
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
This is an Expected behavior.

Session helpers:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/300534/session-helpers

Technical Tip: Multiple sessions are assigned with same session ID

You are leaving our website