[j-nsp] Cluster with two J6350: session overflow

Alexander Shikoff minotaur at crete.org.ua
Tue Apr 3 09:02:37 EDT 2012


Hello List,

I have a strange problem with a cluster of two J6350s.
When there is an incoming TCP connection to any service behind the cluster,
two sessions are created: one (Active) on the primary node and a second (Backup)
on the secondary node:
{primary:node1}[edit]
minotaur at BACKUP# run show security flow session source-prefix 109.68.46.146 destination-prefix 194.247.174.36    
node0:
--------------------------------------------------------------------------

Session ID: 43853, Policy name: default-policy/2, State: Backup, Timeout: 1816, Valid
  In: 109.68.46.146/58423 --> 194.247.174.36/80;tcp, If: reth0.501, Pkts: 0, Bytes: 0
  Out: 194.247.174.36/80 --> 109.68.46.146/58423;tcp, If: reth0.609, Pkts: 0, Bytes: 0
Total sessions: 1

node1:
--------------------------------------------------------------------------

Session ID: 63289, Policy name: default-policy/2, State: Active, Timeout: 116, Valid
  In: 109.68.46.146/58423 --> 194.247.174.36/80;tcp, If: reth0.501, Pkts: 2, Bytes: 112
  Out: 194.247.174.36/80 --> 109.68.46.146/58423;tcp, If: reth0.609, Pkts: 1, Bytes: 60
Total sessions: 1


When the TCP connection is closed, the session on the primary node is removed, but
the one on the secondary node remains:
{primary:node1}[edit]
minotaur at BACKUP# run show security flow session source-prefix 109.68.46.146 destination-prefix 194.247.174.36
node0:
--------------------------------------------------------------------------

Session ID: 43853, Policy name: default-policy/2, State: Backup, Timeout: 36, Valid
  In: 109.68.46.146/58423 --> 194.247.174.36/80;tcp, If: reth0.501, Pkts: 0, Bytes: 0
  Out: 194.247.174.36/80 --> 109.68.46.146/58423;tcp, If: reth0.609, Pkts: 0, Bytes: 0
Total sessions: 1

node1:
--------------------------------------------------------------------------
Total sessions: 0


Thus, with a high number of incoming connections, I quickly get a session table overflow
on the secondary node:
{primary:node1}[edit]
minotaur at BACKUP# run show security flow session summary                                                          
node0:
--------------------------------------------------------------------------
Unicast-sessions: 246572
Multicast-sessions: 0
Failed-sessions: 384359280
Sessions-in-use: 255049
  Valid sessions: 249838
  Pending sessions: 0
  Invalidated sessions: 10560
  Sessions in other states: 0
Maximum-sessions: 262144

node1:
--------------------------------------------------------------------------
Unicast-sessions: 80512
Multicast-sessions: 0
Failed-sessions: 60631844
Sessions-in-use: 91853
  Valid sessions: 76154
  Pending sessions: 0
  Invalidated sessions: 9677
  Sessions in other states: 0
Maximum-sessions: 262144


Is there a way to change the configuration in order to remove Backup sessions
together with Active ones? Thanks in advance!

-- 
MINO-RIPE
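
Added example, not part of the original post: a Python sketch that parses `show security flow session` output in the format quoted above and lists Backup sessions whose flow has no Active session on the other node, which is the condition the post describes. The function names are hypothetical, and the sample is constructed from the post's second listing plus one made-up flow (198.51.100.7) that still has its Active peer.

```python
import re
from collections import defaultdict

# Constructed sample: first flow is from the post, second flow is made up.
SAMPLE = """\
node0:
Session ID: 43853, Policy name: default-policy/2, State: Backup, Timeout: 36, Valid
  In: 109.68.46.146/58423 --> 194.247.174.36/80;tcp, If: reth0.501, Pkts: 0, Bytes: 0
  Out: 194.247.174.36/80 --> 109.68.46.146/58423;tcp, If: reth0.609, Pkts: 0, Bytes: 0
Session ID: 43901, Policy name: default-policy/2, State: Backup, Timeout: 1790, Valid
  In: 198.51.100.7/40112 --> 194.247.174.36/80;tcp, If: reth0.501, Pkts: 0, Bytes: 0
  Out: 194.247.174.36/80 --> 198.51.100.7/40112;tcp, If: reth0.609, Pkts: 0, Bytes: 0
Total sessions: 2
node1:
Session ID: 63301, Policy name: default-policy/2, State: Active, Timeout: 1795, Valid
  In: 198.51.100.7/40112 --> 194.247.174.36/80;tcp, If: reth0.501, Pkts: 3, Bytes: 172
  Out: 194.247.174.36/80 --> 198.51.100.7/40112;tcp, If: reth0.609, Pkts: 2, Bytes: 120
Total sessions: 1
"""

NODE_RE = re.compile(r"^(node\d+):\s*$")
SESS_RE = re.compile(r"^Session ID: (\d+), .*State: (\w+), Timeout: (\d+)")
IN_RE = re.compile(r"^\s+In: (\S+) --> (\S+);(\w+),")

def parse_sessions(text):
    """Return {node: [(flow, state, session_id)]}; flow is (src, dst, proto) of the In: wing."""
    sessions, node, pending = defaultdict(list), None, None
    for line in text.splitlines():
        if m := NODE_RE.match(line):
            node, pending = m.group(1), None
        elif m := SESS_RE.match(line):
            pending = (m.group(2), int(m.group(1)))      # (state, session id)
        elif (m := IN_RE.match(line)) and node and pending:
            sessions[node].append((m.groups(), *pending))
            pending = None
    return sessions

def orphaned_backups(text):
    """List (node, session_id, flow) for Backup sessions with no Active peer on another node."""
    sessions = parse_sessions(text)
    active = {n: {f for f, st, _ in rows if st == "Active"} for n, rows in sessions.items()}
    return [(n, sid, f) for n, rows in sessions.items() for f, st, sid in rows
            if st == "Backup" and not any(f in fl for o, fl in active.items() if o != n)]

if __name__ == "__main__":
    for node, sid, flow in orphaned_backups(SAMPLE):
        print(f"{node}: orphaned Backup session {sid} for {flow[0]} -> {flow[1]} ({flow[2]})")
```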

