[j-nsp] J series users bitten by the massive memory use increase with flow mode add, please file jtac cases.

Florian Weimer fweimer at bfk.de
Fri Jul 23 04:58:17 EDT 2010


* Pavel Lunin:

>> 3. The issues raised below (I didn't realize this myself) about sessions
>> destined to the router still being processed as flow mode, which can tear
>> down TCP sessions under certain circumstances.
>>
>>
> Does anyone have a proof link for this?

This is based on:

> Make sure to configure host-bound TCP traffic to use flow-based
> forwarding—exclude this traffic when specifying match conditions for
> the firewall filter term containing the packet-mode action
> modifier. Any host-bound TCP traffic configured to bypass flow is
> dropped.

<http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-admin-guide/config-stateless-packet-option-section.html>

We tried to enable MPLS (which is not really advertised as a way to
disable flow-based processing, BTW), but the device still couldn't
forward the tiny amount of traffic we deal with.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
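
The filter ordering that the quoted documentation calls for, as an added configuration sketch that is not part of the original message or of Juniper's documentation. The filter name, term names, the interface ge-0/0/0 and the router address 192.0.2.1 are assumptions chosen for illustration.

```junos
firewall {
    family inet {
        filter bypass-flow {                /* hypothetical filter name */
            /* TCP sessions that terminate on the router itself are matched
               first and accepted WITHOUT packet-mode, so they stay in
               flow-based forwarding as the documentation requires. */
            term host-bound-tcp {
                from {
                    destination-address {
                        192.0.2.1/32;       /* assumed router address */
                    }
                    protocol tcp;
                }
                then accept;
            }
            /* Everything else bypasses flow processing. */
            term transit {
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {                              /* assumed interface */
        unit 0 {
            family inet {
                filter {
                    input bypass-flow;
                }
            }
        }
    }
}
```

If the host-bound term is missing or placed after the packet-mode term, TCP traffic addressed to the router matches the packet-mode term and is dropped, which is the behaviour the quoted passage warns about.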
