cancel
Showing results for 
Search instead for 
Did you mean: 

Connection closed on logs, but still receiving traffic from the IP on the FW

SOLVED
Highlighted
New Contributor

Connection closed on logs, but still receiving traffic from the IP on the FW

Hello All,

 

Does message NWC30993 which is "Closed connection to x.x.x.x after 734 seconds, with 2783959 bytes read and 3070219 bytes written" really means that the connection is closed ?

 

As I can see in some cases the same IP with the closed session still sending traffic on the FW for more than 10 mins after this log and no any logs for new session on the pulse secure about it.

I even doubled checked that no other user is using the same ip.

 

And in another situation I was filtering on my user account on pulse secure logs and I found the below logs, after I closed the connection at 17:01 I can see another log session timed out after about 35 mins, So how come the session timed out after it has been closed ?

 

 

InfoAUT228862020-04-09 17:36:34 - xxx- Session timed out for xx(session:00000000) due to inactivity (last access at 17:01:03 2020/04/09). Idle session identified during routine system scan.
InfoNWC309932020-04-09 17:01:03 - xxx- Closed connection to x.x.x.x after 644 seconds, with 289925 bytes read and 1309713 bytes written
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Moderator

Re: Connection closed on logs, but still receiving traffic from the IP on the FW

@Maarouf That's a good question. Normally, VPN server is capable of having two type of sessions i.e. a plain user session (one you will see after successful authentication) and a tunnel session (after assigning tunnel IP address). Tricky thing is that the Pulse Client is capable of different disconnect messages at different situations,

 

Disconnect with logoff i.e. complete tear down - Which tells the VPN server to close both user session and tunnel session.

 

Disconnect without logoff i.e. partial tear down -  Which tells the VPN server to keep the user session but close the tunnel session i.e. remove the IP address assignment but keep the session active. This behavior would be seen if the Pulse Client disconnects the session based on predefined conditions like Location awareness rules.

 

In your case, session timeout was happened for the user session but the actual tunnel session was closed prior to that. Hope this clarifies your query.

 

Thank you,

Ray.

PCS Expert
Pulse Connect Secure Certified Expert

View solution in original post

2 REPLIES 2
Highlighted
Moderator

Re: Connection closed on logs, but still receiving traffic from the IP on the FW

@Maarouf That's a good question. Normally, VPN server is capable of having two type of sessions i.e. a plain user session (one you will see after successful authentication) and a tunnel session (after assigning tunnel IP address). Tricky thing is that the Pulse Client is capable of different disconnect messages at different situations,

 

Disconnect with logoff i.e. complete tear down - Which tells the VPN server to close both user session and tunnel session.

 

Disconnect without logoff i.e. partial tear down -  Which tells the VPN server to keep the user session but close the tunnel session i.e. remove the IP address assignment but keep the session active. This behavior would be seen if the Pulse Client disconnects the session based on predefined conditions like Location awareness rules.

 

In your case, session timeout was happened for the user session but the actual tunnel session was closed prior to that. Hope this clarifies your query.

 

Thank you,

Ray.

PCS Expert
Pulse Connect Secure Certified Expert

View solution in original post

Highlighted
New Contributor

Re: Connection closed on logs, but still receiving traffic from the IP on the FW

Thanks Ray for your explaination, Now it's clear for me.