[j-nsp] J series users bitten by the massive memory use increase with flow mode add, please file jtac cases.

Pavel Lunin plunin at senetsy.ru
Thu Jul 22 16:36:23 EDT 2010


> 3. The issues raised below (I didn't realize this myself) about sessions
> destined to the router still being processed as flow mode, which can tear
> down TCP sessions under certain circumstances.
>
>
Does anyone have a proof link for this? I've just checked a J series running
10.0R2 packet-mode and see

plunin@router> show security flow session summary
Session summary:
  Unicast-sessions: 0
  Multicast-sessions: 0
  Failed-sessions: 0
  Sessions-in-use: 0
  Maximum-sessions: 262144

plunin@router> show security flow session
0 sessions displayed

This is despite the fact that I'm connected to it over SSH and it holds
several BGP sessions. When J/SRX is in normal (flow) mode it shows the
sessions to itself.

Moreover, it would be cool if we could use per-security-zone stateful
settings for host-inbound-traffic instead of classic packet-based
unidirectional filters (stuff everyone hates to do) in order to protect
the control plane in packet mode, although it seems to me that it is not
possible.

--
Pavel

