Symptom
FTD does not generate an end-of-connection event after "Deleting Firewall session"
system support trace:
19-42-53.328: 192.aaa.bbb.12 37544 -> 192.aaa.ccc.12 9200 6 AS=0 ID=1 GR=1-1 Verdict: whitelist // after the flow is whitelisted, no more packets are sent from Lina to Snort
19-43-10.408:
19-43-10.595:
19-47-54.634: 192.aaa.bbb.12 37544 -> 192.aaa.ccc.12 9200 6 AS=0 ID=1 GR=1-1 Deleting Firewall session // Snort deleted the session after 5 min of connection timeout
20-10-35.367: 192.aaa.bbb.12 37544 -> 192.aaa.ccc.12 9200 6 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000 // Lina informs Snort only when the connection was actually closed, after 27 min 48 sec
20-10-35.367: 192.aaa.bbb.12 37544 -> 192.aaa.ccc.12 9200 6 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 3
Lina Syslog:
:Aug 22 14:12:51 UTC: %FTD-session-6-305011: Built dynamic TCP translation from inside:192.aaa.bbb.12/37544 to outside:192.aaa.ccc.71/37544
:Aug 22 14:12:51 UTC: %FTD-session-6-302013: Built inbound TCP connection 800 for inside:192.aaa.bbb.12/37544 (192.aaa.ccc.71/37544) to outside:192.aaa.ccc.12/9200 (192.aaa.ccc.12/9200)
:Aug 22 14:40:37 UTC: %FTD-session-6-302014: Teardown TCP connection 800 for inside:192.aaa.bbb.12/37544 to outside:192.aaa.ccc.12/9200 duration 0:27:48 bytes 9891 TCP Reset-O from outside
:Aug 22 14:40:37 UTC: %FTD-session-6-305012: Teardown dynamic TCP translation from inside:192.aaa.bbb.12/37544 to outside:192.aaa.ccc.71/37544 duration 0:27:48
Conditions
++ FTD Software
++ Snort deletes a white-listed session on connection timeout while the connection is still active on Lina
Further Problem Description
The issue is not seen with non-white-listed connections.
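
To check a captured system support trace for this condition, the following added example (not Cisco's code) pairs each flow's "Deleting Firewall session" line with a later "Got end of flow event" line and reports how long Snort had already dropped the session. The sample trace is constructed with documentation addresses, and the parser assumes all timestamps fall within one day.

```python
import re
from datetime import datetime

# Constructed sample in the trace format shown above (addresses are placeholders).
SAMPLE_TRACE = """\
19-42-53.328: 192.0.2.12 37544 -> 198.51.100.12 9200 6 AS=0 ID=1 GR=1-1 Verdict: whitelist
19-43-10.408:
19-47-54.634: 192.0.2.12 37544 -> 198.51.100.12 9200 6 AS=0 ID=1 GR=1-1 Deleting Firewall session
20-10-35.367: 192.0.2.12 37544 -> 198.51.100.12 9200 6 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000
19-50-00.000: 192.0.2.30 40000 -> 198.51.100.12 443 6 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000
19-50-00.001: 192.0.2.30 40000 -> 198.51.100.12 443 6 AS=0 ID=1 GR=1-1 Deleting Firewall session
"""

# timestamp: src sport -> dst dport proto AS=.. ID=.. GR=.. message
LINE = re.compile(
    r"^(?P<ts>\d\d-\d\d-\d\d\.\d{3}): (?P<src>\S+) (?P<sport>\d+) -> "
    r"(?P<dst>\S+) (?P<dport>\d+) (?P<proto>\d+) \S+ \S+ \S+ (?P<msg>.+)$"
)

def find_early_deletes(trace):
    """Return flows whose Snort session was deleted before Lina's end-of-flow event."""
    flows = {}
    findings = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # empty or truncated trace lines carry no flow data
        ts = datetime.strptime(m["ts"], "%H-%M-%S.%f")
        key = (m["src"], m["sport"], m["dst"], m["dport"], m["proto"])
        state = flows.setdefault(key, {"whitelisted": False, "deleted": None})
        msg = m["msg"]
        if msg.startswith("Verdict: whiteli"):  # prefix tolerates masked spellings
            state["whitelisted"] = True
        elif msg.startswith("Deleting Firewall session"):
            state["deleted"] = ts
        elif msg.startswith("Got end of flow event"):
            if state["deleted"] is not None and ts > state["deleted"]:
                gap = (ts - state["deleted"]).total_seconds()
                findings.append({"flow": key, "whitelisted": state["whitelisted"],
                                 "gap_seconds": gap})
            flows.pop(key, None)  # flow ended; the 5-tuple may be reused later
    return findings

if __name__ == "__main__":
    for finding in find_early_deletes(SAMPLE_TRACE):
        print(finding)
```

A reported flow marks a connection that stayed open on Lina after Snort had discarded its session state, which is the window in which the end-of-connection event is missing.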