Analysis Report on the Abnormal Interruption of the RSH Application on a Network Market Makers Server

Publication Date: 2012-09-19
Issue Description
The RSH client establishes a TCP connection with the RSH server, and the server then sends ALARM messages to the client.
However, 10s after the RSH connection is successfully established, the TCP connection is interrupted and the service goes down. Several retries show the same behaviour.
Alarm Information
Handling Process
Given the traffic characteristics of the RSH application, this problem can be solved by disabling state detection on the firewall.
Root Cause
IP:   Source address =, imep3
IP:   Destination address =,
IP:   No options
TCP:  ----- TCP Header -----
TCP:  Source port = 983
TCP:  Destination port = 514 (RSHELL)
TCP:  Sequence number = 2569436765
TCP:  Acknowledgement number = 3982009346
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x11
TCP:        0... .... = No ECN congestion window reduced
TCP:        .0.. .... = No ECN echo
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...1 = Fin
TCP:  Window = 49640
TCP:  Checksum = 0x8741
TCP:  Urgent pointer = 0
TCP:  No options
This behaviour is a normal mechanism of the RSH application. The purpose of the application is for the client to monitor the server's alarm information: once the server generates an alarm, it is sent at once, and no answer to the message is needed, so the application only carries messages in one direction, from the server to the client. After the TCP connection is established, it is safer to close the client-to-server half of the connection.
After the firewall receives the FIN message, it handles the TCP session normally and refreshes the session's aging time to the fin-rst timeout aging time, 10s. Although a long link is configured on the firewall for the client's IP address, this long link configuration has no effect.
HRP_M[ZJHZ-PS-WGDCN-FW26-BJ5F/ZC]disp firewall session table  ver source inside
  tcp, (vpn: public -> public)
  zone: trust -> untrust   tag: 86000002
  ttl: 00:00:10  left: 00:00:7  Id: 20411
  <-- packets:0 bytes:0   --> packets:0 bytes:0>

So after 10s this TCP session ages out and the service is interrupted.
Once state inspection is disabled on the firewall, NAT cannot be configured on the firewall, and attack defense cannot be configured either.
At the same time, most of the firewall's session aging times automatically change to 30s.
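The aging behaviour described above, as an added example (not code from the original report or from the firewall vendor): a simplified Python model of a session table in which a FIN switches the session to the fin-rst aging time even when a long link is configured. The `Firewall` class, the `replay` helper, the 600s and 86400s timers and the handling of disabled state inspection are assumptions of the model; only the 10s fin-rst ttl and the ports come from the capture and session table on this page.

```python
# Simplified model of a stateful firewall's TCP session aging (added example).
# Timer values are constructed, except FIN_RST_TIMEOUT, the ttl shown on the page.
FIN_RST_TIMEOUT = 10       # seconds, as in the session table output
TCP_TIMEOUT = 600          # assumed aging time of an established session
LONG_LINK_TIMEOUT = 86400  # assumed long-link aging time for the client address


class Firewall:
    def __init__(self, stateful=True, long_link=False):
        self.stateful = stateful
        self.established_ttl = LONG_LINK_TIMEOUT if long_link else TCP_TIMEOUT
        self.sessions = {}  # flow key -> [ttl in force, expiry time]

    @staticmethod
    def _key(src, dst):
        # One session entry covers both directions of the connection.
        return tuple(sorted((src, dst)))

    def packet(self, now, src, dst, flags):
        """Return True if the packet is forwarded, False if it is dropped."""
        if not self.stateful:
            return True  # model assumption: no TCP state check, no aging
        key = self._key(src, dst)
        entry = self.sessions.get(key)
        if entry and now >= entry[1]:
            del self.sessions[key]  # session aged out
            entry = None
        if entry is None:
            if flags != "SYN":
                return False  # mid-stream packet with no session
            entry = self.sessions[key] = [self.established_ttl, 0]
        if "FIN" in flags or "RST" in flags:
            entry[0] = FIN_RST_TIMEOUT  # half-close switches the timer, long link or not
        entry[1] = now + entry[0]  # a matching packet refreshes the ttl in force
        return True


def replay(fw, alarm_at):
    """Replay the RSH exchange; return whether the alarm sent at alarm_at passes."""
    client, server = ("client", 983), ("server", 514)  # ports from the capture
    fw.packet(0, client, server, "SYN")
    fw.packet(0, server, client, "SYN,ACK")
    fw.packet(0, client, server, "ACK")
    fw.packet(1, client, server, "FIN,ACK")  # client closes its half (Flags = 0x11)
    fw.packet(1, server, client, "ACK")
    return fw.packet(alarm_at, server, client, "PSH,ACK")
```

In this model an alarm sent within the 10s window still passes, while one sent 60s later is dropped whether or not the long link is configured.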
       < Eudemon >disp firewall session aging-time 
dht timeout:                 5
dns timeout:                30
esp timeout:                30
fragment timeout:           10
fin-rst timeout:            30
ftp timeout:                30
ftp-data timeout:           30
gre timeout:                30
gtp timeout:                30
h225 timeout:               30
h245 timeout:               30
h323-rtp timeout:           30
h323-rtcp timeout:          30
h323-t120 timeout:          30
http timeout:               30
hwcc timeout:               30
icmp timeout:               20
ils timeout:                30
mgcp timeout:               30
mgcp-rtp timeout:           30
mgcp-rtcp timeout:          30
mms timeout:               600
mms-data timeout:          240           
netbios-data timeout:       30
netbios-name timeout:       30
netbios-session timeout:    30
pptp timeout:               30
QQ timeout:                 30
ras timeout:                30
rtp timeout:                30
rtcp timeout:               30
rtsp timeout:               30
sip timeout:                30
sip-rtp timeout:            30
sip-rtcp timeout:           30
smtp timeout:               30
sqlnet timeout:             30
sqlnet-data timeout:        30
rpc timeout:                 30
rpc-data timeout:                 30
stun timeout:                 30
syn timeout:                 5
tcp timeout:                30
udp timeout:                30
So for services that exchange few messages, a long connection needs to be configured.