[j-nsp] J series users bitten by the massive memory use increase with flow mode add, please file jtac cases.
Pavel Lunin
plunin at senetsy.ru
Thu Jul 22 16:36:23 EDT 2010
> 3. The issues raised below (I didn't realize this myself) about sessions
> destined to the router still being processed as flow mode, which can tear
> down TCP sessions under certain circumstances.
>
>
Does anyone have a proof link for this? I've just checked a J series running
10.0R2 in packet mode and see:

plunin@router> show security flow session summary
Session summary:
Unicast-sessions: 0
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
Maximum-sessions: 262144

plunin@router> show security flow session
0 sessions displayed

This is even though I'm connected to it over SSH and it holds several BGP
sessions. When J/SRX is in normal (flow) mode it shows the sessions to itself.

Moreover, it would be cool if we could use per-security-zone stateful
settings for host-inbound-traffic instead of classic packet-based
unidirectional filters (stuff everyone hates to do) in order to protect
the control plane in packet mode. Although it seems to me that it is not
possible.
--
Pavel