Hello All,
Does message NWC30993 which is "Closed connection to x.x.x.x after 734 seconds, with 2783959 bytes read and 3070219 bytes written" really means that the connection is closed ?
As I can see in some cases the same IP with the closed session still sending traffic on the FW for more than 10 mins after this log and no any logs for new session on the pulse secure about it.
I even doubled checked that no other user is using the same ip.
And in another situation I was filtering on my user account on pulse secure logs and I found the below logs, after I closed the connection at 17:01 I can see another log session timed out after about 35 mins, So how come the session timed out after it has been closed ?
Info | AUT22886 | 2020-04-09 17:36:34 - xxx- Session timed out for xx(session:00000000) due to inactivity (last access at 17:01:03 2020/04/09). Idle session identified during routine system scan. |
Info | NWC30993 | 2020-04-09 17:01:03 - xxx- Closed connection to x.x.x.x after 644 seconds, with 289925 bytes read and 1309713 bytes written |
Solved! Go to Solution.
@Maarouf That's a good question. Normally, VPN server is capable of having two type of sessions i.e. a plain user session (one you will see after successful authentication) and a tunnel session (after assigning tunnel IP address). Tricky thing is that the Pulse Client is capable of different disconnect messages at different situations,
Disconnect with logoff i.e. complete tear down - Which tells the VPN server to close both user session and tunnel session.
Disconnect without logoff i.e. partial tear down - Which tells the VPN server to keep the user session but close the tunnel session i.e. remove the IP address assignment but keep the session active. This behavior would be seen if the Pulse Client disconnects the session based on predefined conditions like Location awareness rules.
In your case, session timeout was happened for the user session but the actual tunnel session was closed prior to that. Hope this clarifies your query.
Thank you,
Ray.
@Maarouf That's a good question. Normally, VPN server is capable of having two type of sessions i.e. a plain user session (one you will see after successful authentication) and a tunnel session (after assigning tunnel IP address). Tricky thing is that the Pulse Client is capable of different disconnect messages at different situations,
Disconnect with logoff i.e. complete tear down - Which tells the VPN server to close both user session and tunnel session.
Disconnect without logoff i.e. partial tear down - Which tells the VPN server to keep the user session but close the tunnel session i.e. remove the IP address assignment but keep the session active. This behavior would be seen if the Pulse Client disconnects the session based on predefined conditions like Location awareness rules.
In your case, session timeout was happened for the user session but the actual tunnel session was closed prior to that. Hope this clarifies your query.
Thank you,
Ray.
Thanks Ray for your explaination, Now it's clear for me.