Why are Incomplete Sessions Observed for TCP Port 3978 for Panorama Connection?
Created On 04/29/19 23:55 PM - Last Modified 04/30/19 17:11 PM
Question
Why are incomplete sessions observed for TCP port 3978 used for Panorama connection when there is already an active Panorama session?
The firewall connects to Panorama using a dataplane interface. In addition to the active Panorama session, incomplete sessions from different source ports are recorded in the traffic logs roughly every 60 seconds, as shown below.
The session output from the CLI (session ID 3 is the active Panorama session; session ID 4490 is the undecided, or incomplete, session to Panorama port 3978):

admin@Lab> show session all filter source 10.10.10.12 destination-port 3978
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
3            panorama       ACTIVE  FLOW       10.10.10.12[43958]/L3-Trust/6  (10.10.10.12[43958])
vsys1                                          10.10.10.224[3978]/L3-Trust  (10.10.10.224[3978])
4490         undecided      ACTIVE  FLOW       10.10.10.12[54089]/L3-Trust/6  (10.10.10.12[54089])
vsys1                                          10.10.10.224[3978]/L3-Trust  (10.10.10.224[3978])
Answer
This is expected behavior.
Reason for "Incomplete" TCP session over TCP port 3978
The log collection service agent on the firewall opens a separate TCP connection to every log collector in the log collector preference list so that it can detect a log collector failure quickly. It does this by initiating a TCP 3-way handshake to the log collector over TCP port 3978. The connection is torn down every 60 seconds, and no data packet is ever sent over it after the 3-way handshake. This is why these sessions appear as "incomplete" in the traffic logs and as "undecided" in the CLI; they are harmless.
The goal is for the firewall to have an accurate view of the log collectors that are available in the log collector preference list in order for the firewall to switch over should the communication to the currently connected log collector fail for some reason.
Additional Information
Background Information
If Panorama is configured as a log collector and is part of a log collector group to which managed firewalls are added, a log collector preference list is pushed to each managed firewall so that the firewall can prioritize the log collectors to which it forwards logs.
For example, a managed firewall has the following log collector preference list, where 10.10.10.224 is the Panorama log collector to which the firewall forwards logs:

admin@Lab> show log-collector preference-list
Forward to all: No
Log collector Preference List
Serial Number: 009201002984
IP Address: 10.10.10.224
IPV6 Address: unknown

There can be more than one log collector on the preference list.
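As an added example (not part of this KB article), the following Python script applies the explanation above to a traffic-log export: incomplete sessions to TCP/3978 are labelled as the expected log collector health check only when the destination is on the firewall's log collector preference list and the sessions recur at roughly the 60-second cadence described; any other destination is left for review. The log lines, the simplified column layout and the PREFERENCE_LIST value are constructed assumptions, not a real PAN-OS export.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample: a simplified traffic-log export, NOT the real PAN-OS CSV layout.
# Columns: receive time, source IP, source port, destination IP, destination port, application
SAMPLE_LOG = """\
2019/04/29 23:50:05,10.10.10.12,54089,10.10.10.224,3978,incomplete
2019/04/29 23:50:09,10.10.10.12,43958,10.10.10.224,3978,panorama
2019/04/29 23:51:05,10.10.10.12,54102,10.10.10.224,3978,incomplete
2019/04/29 23:52:06,10.10.10.12,54117,10.10.10.224,3978,incomplete
2019/04/29 23:50:11,10.10.10.12,55010,10.10.10.9,3978,incomplete
"""

# Destinations as reported by 'show log-collector preference-list' (constructed value here).
PREFERENCE_LIST = {"10.10.10.224"}
PANORAMA_PORT = 3978
CHECK_PERIOD_S = 60      # the probe connection is torn down every 60 seconds
TOLERANCE_S = 10         # allow for timestamp jitter in the logs

def classify(log_text, preference_list):
    """Group incomplete TCP/3978 sessions by destination and label each
    destination 'expected' (known collector, ~60 s cadence) or 'review'."""
    seen = defaultdict(list)
    for ts, src, sport, dst, dport, app in csv.reader(StringIO(log_text)):
        # Only incomplete sessions to the Panorama / log collector port matter here.
        if int(dport) != PANORAMA_PORT or app != "incomplete":
            continue
        seen[dst].append(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"))

    verdict = {}
    for dst, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = all(abs(g - CHECK_PERIOD_S) <= TOLERANCE_S for g in gaps)
        if dst in preference_list and periodic:
            verdict[dst] = "expected"   # the health-check behaviour described above
        else:
            verdict[dst] = "review"     # unknown destination or irregular timing
    return verdict

if __name__ == "__main__":
    for dst, label in classify(SAMPLE_LOG, PREFERENCE_LIST).items():
        print(f"{dst:15} {label}")
```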