[j-nsp] Weird SRX flow timeout issue
Andrew Yager
andrew at rwts.com.au
Mon Nov 12 06:50:49 EST 2012
Hi,
We're working with a client on a strange issue with an SRX.
The client has a Postgres application that regularly runs long queries across a route-based IPSEC VPN connection (taking several hours to return a result).
By default the SRX closes the flow after 30 minutes (1800 seconds) as there is no activity on the wire during this time.
We created a custom application object and applied it to the VPN ruleset, and after one hour it closes all sessions that match the application object, and any new flows are created with a 20 second flow-timeout, completely ignoring the timeout rule on the application definition until a reboot.
e.g. default behaviour:
>show security flow session destination-port 5432
Session ID: 1047, Policy name: vpn-usa2-out-postgres/7, Timeout: 1800, Valid
  In: 10.2.2.5/49354 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 1370, Bytes: 91835
  Out: 192.168.2.10/5432 --> 10.2.2.5/49354;tcp, If: ge-0/0/15.0, Pkts: 2518, Bytes: 3441234
Total sessions: 1
working for the first hour:
Session ID: 27259, Policy name: vpn-usa2-out-postgres/7, Timeout: 40000, Valid
  In: 10.2.2.5/49227 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 2, Bytes: 120
  Out: 192.168.2.10/5432 --> 10.2.2.5/49227;tcp, If: ge-0/0/15.0, Pkts: 0, Bytes: 0
Total sessions: 1
after the first hour (on a brand new session)
Session ID: 29151, Policy name: vpn-usa2-out-postgres/7, Timeout: 20, Valid
  In: 10.2.2.5/49214 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 3, Bytes: 180
  Out: 192.168.2.10/5432 --> 10.2.2.5/49214;tcp, If: ge-0/0/15.0, Pkts: 0, Bytes: 0
Total sessions: 1
All subsequent sessions are created with a 20 second timeout.
Config snippets:
[applications]
application postgres {
    protocol tcp;
    destination-port 5432;
}
[security policies from-zone untrust to-zone trust]
policy vpn-usa-in-postgres {
    match {
        source-address US1;
        destination-address Local;
        application postgres;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn USA;
                pair-policy vpn-usa-out-postgres;
            }
        }
    }
}
(and corresponding pair-policy).
Any thoughts on whether this is a JunOS bug or config error?
Thanks,
Andrew
--
Andrew Yager, Managing Director (MACS Snr CP BCompSc MCP MCE JNCIA-Junos)
Real World Technology Solutions Pty Ltd - IT people you can trust
ph: 1300 798 718 or (02) 9037 0500
fax: (02) 9037 0591 mob: 0405 152 568
http://www.rwts.com.au/