fin-invalidate-session

Syntax

Hierarchy Level

Description

Invalidates a TCP session after the 4-way or 3-way handshake completes, with each session endpoint signalling conclusion of the session independently. New incoming SYN packets will need to establish a new TCP session.

When either session endpoint wants to terminate the session, it sends a FIN(ish) message. When the other session endpoint receives the packet with the FIN flag set, it sends an ACK(nowledge) message. Typically, tearing down a session involves transmission of a pair of FIN-ACK messages from each session endpoint.

After the side that sent the first FIN responds with the final ACK, it waits for a time-out period to expire before closing the connection. During the time-out period, the local port cannot be used for new connections. The time-out period protects against delayed packets from the terminating session being delivered during subsequent connections.

Note:

On SRX Series Firewalls with fin-invalidate-session configured, the session is invalidated immediately. Without fin-invalidate-session configured, the session is set to time out 2 seconds after the 4-way or 3-way handshake completes.

Table 1 shows the sequence of packets for a 4-way handshake to terminate a session. In this case, the client signals the server that it is terminating the session. The server responds with an ACK message signaling acknowledgement of the client’s FIN message. The ACK is followed immediately by a FIN message that the server sends to the client, signaling that it is terminating the session connection on its end. Finally, the client sends an ACK message to the server signalling that it received the server’s FIN message.

Table 1: Terminating a Session with a 4-Way Handshake

Step | Client                                  | Server
---- | --------------------------------------- | ---------------------------------------
1.   | FIN                                     |
2.   |                                         | ACK
3.   |                                         | FIN (sets session timer to 150 seconds)
4.   | ACK (sets session timer to 2 seconds)   |

A session can also be terminated by a 3-way handshake. In this case, the client sends a FIN message to the server, and the server responds with a single message that combines the FIN and ACK flags. The sequence of packet exchange for a 3-way handshake session close is as follows:

Step | Client                                  | Server
---- | --------------------------------------- | -------------------------------------------
1.   | FIN                                     |
2.   |                                         | FIN/ACK (sets session timer to 150 seconds)
3.   | ACK (sets session timer to 2 seconds)   |
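The following is an added example, not Juniper code: a small Python model of the session-timer behaviour described in the two tables above, so the 4-way and 3-way close sequences can be traced step by step with and without fin-invalidate-session. The packet representation, the "client"/"server" labels, and the use of 0 to stand for immediate invalidation are this example's own conventions; the timer values (150 seconds after the second FIN, 2 seconds after the final ACK) are the ones the tables give.

```python
from dataclasses import dataclass

FIN, ACK = "FIN", "ACK"


@dataclass(frozen=True)
class Packet:
    sender: str           # "client" or "server" (labels chosen for this example)
    flags: frozenset      # e.g. {"FIN"}, {"ACK"} or {"FIN", "ACK"}


def session_timers(packets, fin_invalidate_session=False):
    """Return one entry per packet: the session timer (seconds) the firewall
    sets on seeing it, None if the packet leaves the timer untouched, and 0
    (this example's convention) when fin-invalidate-session tears the
    session down immediately instead of arming the 2-second timer."""
    timers = []
    fin_from = set()      # endpoints that have sent a FIN so far
    first_fin = None      # endpoint that initiated the close
    for p in packets:
        value = None
        if FIN in p.flags:
            fin_from.add(p.sender)
            if first_fin is None:
                first_fin = p.sender
            elif len(fin_from) == 2:
                # Both ends have signalled FIN (covers a bare FIN in the
                # 4-way close and the combined FIN/ACK in the 3-way close).
                value = 150
        elif ACK in p.flags and len(fin_from) == 2 and p.sender == first_fin:
            # Final ACK from the initiator: the handshake is complete.
            value = 0 if fin_invalidate_session else 2
        timers.append(value)
    return timers


# Constructed packet sequences matching the two tables on this page.
FOUR_WAY = [Packet("client", frozenset({FIN})), Packet("server", frozenset({ACK})),
            Packet("server", frozenset({FIN})), Packet("client", frozenset({ACK}))]
THREE_WAY = [Packet("client", frozenset({FIN})), Packet("server", frozenset({FIN, ACK})),
             Packet("client", frozenset({ACK}))]

if __name__ == "__main__":
    for name, seq in (("4-way", FOUR_WAY), ("3-way", THREE_WAY)):
        print(name, "default:", session_timers(seq),
              "fin-invalidate-session:", session_timers(seq, True))
```

The model only encodes what the page states; whether fin-invalidate-session also changes the intermediate 150-second value is not specified here, so the example leaves it unchanged.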

Required Privilege Level

security—To view this in the configuration.

security-control—To add this to the configuration.

Release Information

Statement introduced in Junos OS Release 10.4 R13.