FortiGate日志中session clash-白红宇

FortiGate日志中session clash

阅读量：5978 次

发布时间：2019-06-20

本文共 2674 字，大约阅读时间需要 8 分钟。

1.出现于：FortiGate v5.0和v5.2

2.出现原因

　　Session clash messages appear in the logs when a new session is created but a conflicting similar session already exists.

　　When session clash happens, the old session will be closed and replaced by the new one. The only consequence is that it may cause some retransmissions.

3.解决

　　To monitor the sessions clashes over time, there is a counter available in following CLI output:

　　# diagnose sys session stat

　　FGVM080000031532 # diagnose sys session stat

　　misc info: session_count=27 setup_rate=0 exp_count=0 clash=1

　　memory_tension_drop=0 ephemeral=0/65536 removeable=0

　　delete=0, flush=0, dev_down=0/0

　　TCP sessions:

　　 3 in ESTABLISHED state

　　 1 in SYN_SENT state

　　firewall error stat:

　　error1=00000000

　　error2=00000000

　　error3=00000000

　　error4=00000000

　　tt=00000000

　　cont=00000000

　　ids_recv=00000000

　　url_recv=00000000

　　av_recv=00000000

　　fqdn_count=0000001c

　　tcp reset stat:

　　 syncqf=1 acceptqf=0 no-listener=559 data=0 ses=0 ips=0

　　global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0

4.例子

　　1）date=2015-09-04 time=05:54:03 logid=0100020085 type=event subtype=system level=information vd="root" logdesc="session clash" status="clash" proto=6 msg="session clash"

new_status="state=00000200 tuple-num=2 policyid=1 dir=0 act=1 hook=4 10.129.0.25:5001->10.58.2.61:5001(172.31.19.186:5001) dir=1 act=2 hook=0 10.58.2.61:5001->172.31.19.186:5001(10.129.0.25:5001)"

old_status="state=00000200 tuple-num=2 policyid=1 dir=0 act=1 hook=4 10.129.0.98:5001->10.58.2.61:5001(172.31.19.186:5001) dir=1 act=2 hook=0 10.58.2.61:5001->172.31.19.186:5001(10.129.0.98:5001)"

In this example, a session clash message is generated because the tuple (NAT_srcip, NAT_srcport, destip, destport) is the same for both source IP 10.129.0.25 and 10.129.0.98.

　　So there is no way to associate the return traffic (to 172.31.19.186:5001) to the target 10.129.0.25 or 10.129.0.98.

　　2）If in the example 1/, if the source IP 10.129.0.98 would try to establish a session on a different target IP (10.58.2.62) but with the same other characteristics (NATed_address=172.31.19.186, NAT_sport=5001, dstport=5001), this would not have generated a session clash message.

Session: 10.129.0.98:5001->10.58.2.62:5001(172.31.19.186:5001)

This is because the tuple (NAT_srcip, NAT_srcport, destip, destport) is different, the destip changes, so the srcport randomly chosen can be the same, it will not generate a session clash message.

The fact that a tuple difference allows to reuse the same NAT src port, permits the firewall to have more than 65K sessions with only one public IP used for SNAT.

转载于:https://www.cnblogs.com/xinghen1216/p/10091391.html

你可能感兴趣的文章

客户的一张表中出现重复数据，而该列由唯一键约束，重复值如何产生的呢？...