SCTP Association
An SCTP client initiates an association; either endpoint
can end the association. Session timeouts control when the firewall
ends an association.
Two SCTP endpoints (servers) have an SCTP association
between them (rather than a TCP connection) and the SCTP service
reliably transfers user messages between the peers. An association
has an association ID and includes multiple streams (unidirectional
logical channels).
An upper-layer protocol carried over SCTP (such as Diameter)
initiates an SCTP association, which starts a four-way handshake.
The client (initiator) sends an SCTP packet with an INIT chunk that
provides the server with a list of the IP addresses through which
the client can be reached, a verification tag that must appear in
every packet the server sends to the client in this association (validating the
sender), the number of outbound streams the client is requesting,
the number of inbound streams it can support, and an initial transmission
sequence number.
The server replies with an INIT-ACK chunk containing its own
list of IP addresses, initial sequence number, verification tag
(that must appear in every packet it sends for this association),
the number of outbound streams the server is requesting, the number
of inbound streams it can support, and a state cookie that ensures
the association is valid. The client then replies with a COOKIE-ECHO
chunk and the server validates the cookie and replies with a COOKIE-ACK
chunk. The COOKIE-ECHO and COOKIE-ACK messages can include user
data (chunks) for more efficiency.
When you Configure SCTP Security, you can set an SCTP INIT timeout
to control the maximum length of time after receiving an INIT chunk
before the firewall receives the INIT-ACK chunk. If that time is exceeded,
the firewall stops the association initiation. You can also
configure an SCTP COOKIE timeout to control the maximum length of
time after receiving an INIT-ACK chunk with the STATE COOKIE before
the firewall receives the COOKIE-ECHO chunk; if that time is exceeded,
the firewall likewise stops the association initiation.
You can also leverage the following SCTP timeouts as needed:
SCTP timeout—Maximum length of time that can elapse without SCTP traffic on an association before the firewall closes the association.
Discard SCTP timeout—Maximum length of time that an SCTP association remains open after the firewall denies the session based on Security policy rules.
SCTP Shutdown timeout—Maximum length of time that the firewall waits after a SHUTDOWN chunk to receive a SHUTDOWN-ACK chunk before the firewall disregards the SHUTDOWN chunk.
An established SCTP association ends in one of three ways: when
an endpoint sends a SHUTDOWN chunk to gracefully end the association
with its peer and receives a SHUTDOWN-ACK; when an endpoint sends
an ABORT chunk, with or without cause parameters, to close the association;
or when an SCTP timeout occurs. When any of these events occurs,
the firewall brings down all SCTP sessions for that association.
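The following is an added example, not code from the original page or from the vendor, that models how a stateful firewall might track one SCTP association through the four-way handshake, the INIT, COOKIE, idle and shutdown timeouts described above, and the three teardown paths. It also applies the verification-tag rule from the handshake description: after INIT, a packet is only accepted if it carries the tag its receiver announced (INIT's Initiate Tag for packets toward the client, INIT-ACK's for packets toward the server). Chunk names follow RFC 4960; all timeout values, tag values and the sample packet sequence are constructed for illustration, and the class and function names are this example's own.

```python
"""Toy model of a firewall's view of one SCTP association (example code,
not the vendor's implementation). Timeout values and packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed timeout values in seconds; the real ones are configurable.
INIT_TIMEOUT = 5.0        # INIT seen -> INIT-ACK must arrive
COOKIE_TIMEOUT = 60.0     # INIT-ACK seen -> COOKIE-ECHO must arrive
SCTP_TIMEOUT = 3600.0     # idle time allowed on an established association
SHUTDOWN_TIMEOUT = 60.0   # SHUTDOWN seen -> SHUTDOWN-ACK must arrive


@dataclass
class Chunk:
    """One observed SCTP packet reduced to the fields the tracker needs."""
    ts: float          # observation time in seconds
    direction: str     # "c2s" (client to server) or "s2c"
    kind: str          # INIT, INIT_ACK, COOKIE_ECHO, COOKIE_ACK, DATA, SHUTDOWN, SHUTDOWN_ACK, ABORT
    vtag: int          # Verification Tag from the SCTP common header
    init_tag: int = 0  # Initiate Tag parameter; only meaningful in INIT / INIT_ACK


class AssociationTracker:
    def __init__(self) -> None:
        self.state = "CLOSED"
        self.deadline: Optional[float] = None
        self.tag_to_client: Optional[int] = None  # tag server->client packets must carry
        self.tag_to_server: Optional[int] = None  # tag client->server packets must carry
        self.log: List[str] = []

    def _arm(self, ts: float, timeout: float) -> None:
        self.deadline = ts + timeout

    def _close(self, reason: str) -> None:
        self.state, self.deadline = "CLOSED", None
        self.tag_to_client = self.tag_to_server = None
        self.log.append(f"closed: {reason}")

    def expire(self, now: float) -> None:
        """Apply the armed timeout if it has passed by time `now`."""
        if self.deadline is None or now < self.deadline:
            return
        if self.state == "INIT_SENT":
            self._close("INIT timeout, no INIT-ACK")
        elif self.state == "COOKIE_WAIT":
            self._close("COOKIE timeout, no COOKIE-ECHO")
        elif self.state == "SHUTDOWN_PENDING":
            # No SHUTDOWN-ACK in time: disregard the SHUTDOWN and keep the association.
            self.log.append("shutdown disregarded, no SHUTDOWN-ACK")
            self.state = "ESTABLISHED"
            self._arm(self.deadline, SCTP_TIMEOUT)
        else:  # COOKIE_ECHOED or ESTABLISHED sat idle too long
            self._close("SCTP timeout, association idle")

    def _tag_ok(self, c: Chunk) -> bool:
        """Every packet after INIT must carry the tag its receiver announced.
        (Simplification: the ABORT/SHUTDOWN-COMPLETE T-bit case is not modelled.)"""
        if c.kind == "INIT":
            return c.vtag == 0  # INIT is the only chunk sent with tag 0
        expected = self.tag_to_server if c.direction == "c2s" else self.tag_to_client
        return expected is not None and c.vtag == expected

    def observe(self, c: Chunk) -> None:
        self.expire(c.ts)
        if not self._tag_ok(c):
            self.log.append(f"dropped {c.kind}: no association or bad verification tag {c.vtag:#x}")
            return
        s, k = self.state, c.kind
        if k == "ABORT" and s != "CLOSED":
            self._close("ABORT received")
        elif s == "CLOSED" and k == "INIT" and c.direction == "c2s":
            self.tag_to_client = c.init_tag
            self.state = "INIT_SENT"
            self._arm(c.ts, INIT_TIMEOUT)
        elif s == "INIT_SENT" and k == "INIT_ACK" and c.direction == "s2c":
            self.tag_to_server = c.init_tag
            self.state = "COOKIE_WAIT"
            self._arm(c.ts, COOKIE_TIMEOUT)
        elif s == "COOKIE_WAIT" and k == "COOKIE_ECHO" and c.direction == "c2s":
            self.state = "COOKIE_ECHOED"
            self._arm(c.ts, SCTP_TIMEOUT)  # assumption: the text names no timer for this step
        elif s == "COOKIE_ECHOED" and k == "COOKIE_ACK" and c.direction == "s2c":
            self.state = "ESTABLISHED"
            self.log.append("established")
            self._arm(c.ts, SCTP_TIMEOUT)
        elif s == "ESTABLISHED" and k == "SHUTDOWN":
            self.state = "SHUTDOWN_PENDING"
            self._arm(c.ts, SHUTDOWN_TIMEOUT)
        elif s == "SHUTDOWN_PENDING" and k == "SHUTDOWN_ACK":
            self._close("graceful SHUTDOWN / SHUTDOWN-ACK")
        elif s == "ESTABLISHED":
            self._arm(c.ts, SCTP_TIMEOUT)  # any valid traffic refreshes the idle timer
        else:
            self.log.append(f"ignored {k} in state {s}")


def run(chunks: List[Chunk]) -> List[str]:
    tracker = AssociationTracker()
    for c in chunks:
        tracker.observe(c)
    return tracker.log


# Constructed sample: clean handshake, data, one packet with a wrong tag, graceful shutdown.
C_TAG, S_TAG = 0x11111111, 0x22222222
SAMPLE = [
    Chunk(0.0, "c2s", "INIT", 0, init_tag=C_TAG),
    Chunk(0.2, "s2c", "INIT_ACK", C_TAG, init_tag=S_TAG),
    Chunk(0.4, "c2s", "COOKIE_ECHO", S_TAG),
    Chunk(0.6, "s2c", "COOKIE_ACK", C_TAG),
    Chunk(10.0, "c2s", "DATA", S_TAG),
    Chunk(11.0, "c2s", "DATA", 0xDEADBEEF),  # wrong tag: dropped, no state change
    Chunk(12.0, "c2s", "SHUTDOWN", S_TAG),
    Chunk(12.5, "s2c", "SHUTDOWN_ACK", C_TAG),
]

if __name__ == "__main__":
    for line in run(SAMPLE):
        print(line)
```

Running the sample logs the association becoming established, the mis-tagged DATA packet being dropped without disturbing state, and the graceful close. Replaying the handshake with a late INIT-ACK exercises the INIT timeout, and a SHUTDOWN with no SHUTDOWN-ACK shows the firewall falling back to treating the association as established, as the shutdown timeout description requires.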