Author Topic: Getting "Close - AGE OUT" by Traffic log  (Read 67689 times)

inderjit

Getting "Close - AGE OUT" by Traffic log
« on: November 09, 2006, 02:24:09 am »
Hello,

I'm getting "Close - AGE OUT" in the Traffic log in the "Close Reason" column. What does this mean?

Where can I find more info about this theme?

Thanks
Inderjit
Inderjit (NCSA)

Andy Vanderbeken

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #1 on: November 30, 2006, 04:58:56 am »
It simply is a new way (since the latest ScreenOS versions) to indicate that an attempt to make a TCP session was made and the other side didn't respond for a while, so the session got closed since it "aged out". It's a normal thing and doesn't help you troubleshoot any problems really.

ben.blendeman

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #2 on: May 21, 2007, 04:08:29 am »
I have a VPN between my NS and a Cisco VPN concentrator. I often also receive these "close - age out" logs in my Traffic Log.
It seems that my VPN is still up (Phase 1 and 2), but I am not able anymore to reach a device on the other side.

So can I say 100% that the problem is on the Cisco side because I receive the "close - age out" message? Please advise....

mindwise

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #3 on: May 21, 2007, 06:11:09 am »
Hi,

The age out means that an active session has timed out due to no traffic flowing that would keep that session alive. (and the netscreen did not see a tcp-fin or tcp-reset for that session.)

The default timeout for most TCP services on the NetScreen is 30 minutes (where HTTP is 5 minutes).

That might mean you run a session like telnet but the session remained 'idle' for longer than the session time-out hence the close due to 'age-out'.

Perfectly normal, though potentially unwanted, behaviour that can be changed by creating a custom service for the service that's (if it is prematurely) aged out with a larger (custom) age-out time.

Cheers,


m

ben.blendeman

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #4 on: May 21, 2007, 06:29:38 am »
Ok, I understand, but I have "set vpn "VPN_X" monitor" enabled on this tunnel and I thought this should keep this tunnel open....

It seems that it closes the tunnel, but phase 1 and 2 seem to be active. Sometimes it takes a weekend, sometimes half a day, so I cannot say this has to be a timer or something like that.

For me a VPN should be always up... Any ideas or advice?

alan

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #5 on: May 21, 2007, 12:37:54 pm »
debug ike all

Tim Eberhard

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #6 on: July 16, 2007, 12:25:04 am »
Hi,

The age out means that an active session has timed out due to no traffic flowing that would keep that session alive. (and the netscreen did not see a tcp-fin or tcp-reset for that session.)

The default timeout for most TCP services on the NetScreen is 30 minutes (where HTTP is 5 minutes).

That might mean you run a session like telnet but the session remained 'idle' for longer than the session time-out hence the close due to 'age-out'.

Perfectly normal, though potentially unwanted, behaviour that can be changed by creating a custom service for the service that's (if it is prematurely) aged out with a larger (custom) age-out time.

I thought this was the case until recently. I have noticed sessions closing with "age-out" that are only a few seconds old, in many cases where a valid TCP handshake occurred, and for some reason it's still "age-out" in the traffic logs.

I haven't had time to look at it in depth, but worth mentioning.
JNCIS-FWV, JNCIS-M, C|EH, CCSP
Author of Netscreen Session Analyzer:
http://performanceclassifieds.net/NSSA.zip
TPCAT

Frac

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #7 on: July 17, 2007, 06:35:09 am »
Hi ben.blendeman,

Be sure to have the same phase 1 and phase 2 timers on both sides. This could be the problem, where the Cisco doesn't think the phase 1/phase 2 needs to be renegotiated.

GreetZ,
Frac
JNCIS-FWV, JNCIS-ER, JNCIA-EX, JNCIA-IDP http://juniper-frac.blogspot.com

xBin

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #8 on: August 01, 2007, 09:51:03 pm »
Hi Frac,

I am facing this issue too. I am having Close-AGE OUT for sessions that are a few seconds old too. I am having the same P1 and P2 timers on both sides, and the same NetScreen device on both sides too. :-(

Frac

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #9 on: August 02, 2007, 02:13:06 am »
Hi,

If you know which traffic it is (dest port or something), you can have a look at it with: get session dst-ip (or port or ....) and look if the timer is low. (Normally it will be 180 for TCP, which is decreased by 1 every 10 sec, so it is 30 min in total.)

GreetZ,
Frac
JNCIS-FWV, JNCIS-ER, JNCIA-EX, JNCIA-IDP http://juniper-frac.blogspot.com
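A worked illustration of two points in this thread (Frac's timer arithmetic in Reply #9, and the sessions aged out after only a few seconds that Tim Eberhard and xBin describe), added here as an example and not code from the thread or from Juniper: it converts a get session timer value to seconds and sorts constructed traffic-log lines into expected idle age-outs and premature ones worth a closer look. The key=value log layout, the service names and the addresses are made up for the example.

```python
import re

TIMER_TICK_SECONDS = 10           # the session timer is decreased by 1 every 10 s (Reply #9)
DEFAULT_TCP_TIMEOUT = 30 * 60     # 30 minutes, the default TCP timeout stated in the thread
DEFAULT_HTTP_TIMEOUT = 5 * 60     # 5 minutes for HTTP, also from the thread


def timer_to_seconds(timer):
    """Idle time left, in seconds, for a 'get session' timer value (180 -> 1800 s)."""
    return timer * TIMER_TICK_SECONDS


def expected_timeout(service):
    """Idle timeout the thread gives for a service (http: 5 min, other tcp: 30 min)."""
    return DEFAULT_HTTP_TIMEOUT if service.lower() == "http" else DEFAULT_TCP_TIMEOUT


# Constructed sample lines in a simplified key=value layout (not real ScreenOS output).
SAMPLE_LOG = [
    'start_time="2007-07-16 00:25:04" duration=1800 service=telnet proto=6 '
    'src=10.1.1.5 dst=10.2.2.7 src_port=40112 dst_port=23 reason="Close - AGE OUT"',
    'start_time="2007-07-16 00:25:10" duration=3 service=tcp/port:1494 proto=6 '
    'src=10.1.1.8 dst=10.2.2.9 src_port=40200 dst_port=1494 reason="Close - AGE OUT"',
    'start_time="2007-07-16 00:26:00" duration=42 service=http proto=6 '
    'src=10.1.1.9 dst=192.0.2.10 src_port=40300 dst_port=80 reason="Close - TCP FIN"',
    'start_time="2007-07-16 00:27:00" duration=300 service=http proto=6 '
    'src=10.1.1.9 dst=192.0.2.10 src_port=40301 dst_port=80 reason="Close - AGE OUT"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(line):
    """Split a key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify_ageouts(lines):
    """Return (src, dst, dst_port, duration, verdict) for every AGE OUT close.

    'idle' means the session lived at least its expected idle timeout, the normal
    case mindwise describes; 'premature' means it was closed sooner, the
    few-seconds-old symptom that deserves a look at the session table and policy.
    """
    results = []
    for line in lines:
        f = parse_fields(line)
        if f.get("reason") != "Close - AGE OUT":
            continue
        duration = int(f["duration"])
        verdict = "idle" if duration >= expected_timeout(f.get("service", "")) else "premature"
        results.append((f["src"], f["dst"], f["dst_port"], duration, verdict))
    return results
```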

xBin

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #10 on: August 02, 2007, 10:51:29 am »
Hi Frac,

Basically I am facing the same issue as in this thread:

http://www.juniperforum.com/index.php/topic,4818.0.html

I have already increased the timeout to 2 hours. So I suppose I should not see any Close-Age Out error? Please correct me if I am wrong.

Thanks

Frac

Re: Getting "Close - AGE OUT" by Traffic log
« Reply #11 on: August 03, 2007, 02:27:50 am »
Hi,

If HTTP works but Citrix doesn't, it could be a policy, or the MTU size, because Citrix and terminal service applications use a full packet.

So please try this (if ping is possible):

ping <ip> -l 1500
ping <ip> -l 1400

and lower this until the ping works.

Then take this value and lower it a bit more (to be sure),

and do this on both firewalls:

set flow tcp-mss <value>
set flow path-mtu

GreetZ,
Frac
JNCIS-FWV, JNCIS-ER, JNCIA-EX, JNCIA-IDP http://juniper-frac.blogspot.com