[j-nsp] J series users bitten by the massive memory use increase with flow mode add, please file jtac cases.
Chris Whyte
cwhyte at juniper.net
Fri Jul 23 13:44:02 EDT 2010
>>> 3. The issues raised below (I didn't realize this myself) about sessions
>>> destined to the router still being processed as flow mode,
>>> down TCP sessions under certain circumstances.
>>>
>>>
>> Does anyone have a proof link for this?
>>
>This is based on:
> Make sure to configure host-bound TCP traffic to use flow-based
> forwarding -- exclude this traffic when specifying match conditions for
> the firewall filter term containing the packet-mode action
> modifier. Any host-bound TCP traffic configured to bypass flow is
> dropped.
> <http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-admin-guide/config-stateless-packet-option-section.html>

There seems to be some confusion here. Bypassing the flow module (i.e., using
filter-based packet mode) is not the same as disabling the flow module. When
you set the router in packet-based mode for v4, mpls, v6 or iso the whole
security section becomes null and void.

So, the above is not true when the router is in packet mode only. I believe
Pavel provided strong evidence of this too.

Thanks, Chris
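
Added example, not part of the original message or of Juniper's documentation: a sketch of the filter-based bypass case that the quoted guide text covers, where host-bound TCP is matched first and left in flow mode. The filter name, term names, prefix-list name, interface and the 192.0.2.1 address are constructed for illustration.

```junos
policy-options {
    /* Constructed: addresses owned by the router itself */
    prefix-list router-addresses {
        192.0.2.1/32;
    }
}
firewall {
    family inet {
        filter bypass-flow {
            /* Host-bound TCP: no packet-mode modifier, so it stays in flow */
            term host-bound-tcp {
                from {
                    destination-prefix-list {
                        router-addresses;
                    }
                    protocol tcp;
                }
                then accept;
            }
            /* Remaining transit traffic bypasses the flow module */
            term transit-packet-mode {
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input bypass-flow;
                }
            }
        }
    }
}
```

Term order matters here: the host-bound term has to be evaluated before the term carrying packet-mode, otherwise the second term matches the router's own TCP sessions as well.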