[j-nsp] Weird SRX flow timeout issue

James S. Smith JSmith at WindMobile.ca
Mon Nov 12 06:55:04 EST 2012


Might not be an issue, but have you turned off the ALG for SQL?  We've found that most of the Juniper ALGs cause a lot of problems in general and it's better to just turn them off, especially for long running queries.  You'll never see anything in the logs, even if it's the cause of your problems.



----- Original Message -----
From: Andrew Yager [mailto:andrew at rwts.com.au]
Sent: Monday, November 12, 2012 06:50 AM
To: juniper-nsp at puck.nether.net <juniper-nsp at puck.nether.net>
Subject: [j-nsp] Weird SRX flow timeout issue

Hi,

We're working with a client on a strange issue with an SRX.

The client has a Postgres application that regularly runs long queries across a route-based IPSEC VPN connection (taking several hours to return a result).

By default the SRX closes the flow after 30 minutes (1800 seconds) as there is no activity on the wire during this time.

We created a custom application object and applied it to the VPN ruleset, and after one hour it closes all sessions that match the application object, and any new flows are created with a 20 second flow-timeout, completely ignoring the timeout rule on the application definition until a reboot.

e.g. default behaviour:

> show security flow session destination-port 5432
Session ID: 1047, Policy name: vpn-usa2-out-postgres/7, Timeout: 1800, Valid
  In: 10.2.2.5/49354 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 1370, Bytes: 91835
  Out: 192.168.2.10/5432 --> 10.2.2.5/49354;tcp, If: ge-0/0/15.0, Pkts: 2518, Bytes: 3441234
Total sessions: 1

working for the first hour:

Session ID: 27259, Policy name: vpn-usa2-out-postgres/7, Timeout: 40000, Valid
  In: 10.2.2.5/49227 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 2, Bytes: 120
  Out: 192.168.2.10/5432 --> 10.2.2.5/49227;tcp, If: ge-0/0/15.0, Pkts: 0, Bytes: 0
Total sessions: 1

after the first hour (on a brand new session)

Session ID: 29151, Policy name: vpn-usa2-out-postgres/7, Timeout: 20, Valid
  In: 10.2.2.5/49214 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 3, Bytes: 180
  Out: 192.168.2.10/5432 --> 10.2.2.5/49214;tcp, If: ge-0/0/15.0, Pkts: 0, Bytes: 0
Total sessions: 1

All subsequent sessions are created with a 20 second timeout.

Config snippets:

[applications]
application postgres {
    protocol tcp;
    destination-port 5432;
}

[security policies from-zone untrust to-zone trust]
policy vpn-usa-in-postgres {
    match {
        source-address US1;
        destination-address Local;
        application postgres;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn USA;
                pair-policy vpn-usa-out-postgres;
            }
        }
    }
}

(and corresponding pair-policy).

Any thoughts on whether this is a JunOS bug or config error?

Thanks,
Andrew


--
Andrew Yager, Managing Director   (MACS Snr CP BCompSc MCP MCE JNCIA-Junos)
Real World Technology Solutions Pty Ltd  - IT people you can trust
ph: 1300 798 718 or (02) 9037 0500
fax: (02) 9037 0591 mob: 0405 152 568
http://www.rwts.com.au/
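An added check, not part of either message above, for spotting the failure Andrew describes (fresh sessions created with a 20 second timeout instead of the configured one) from `show security flow session` output. Note that the Timeout field in that output is the remaining idle time for the session and counts down, so it cannot be compared for equality against the configured inactivity-timeout; the script instead flags sessions on the long-query policy whose remaining time is already at or below a floor and reports whether they look freshly created (very few packets), which is the signature of the configured timeout not being applied rather than a session genuinely idling out. The session text is a constructed copy modelled on the output in the post, and the policy name, port, floor of 60 seconds and "fresh" packet threshold are assumptions for the example.

```python
import re

# Constructed sample modelled on the `show security flow session` output in the
# post (not captured from the poster's device). Three sessions on the same policy:
# one with the 1800 s default, one with the intended 40000 s, one with the bad 20 s.
SAMPLE_OUTPUT = """\
Session ID: 1047, Policy name: vpn-usa2-out-postgres/7, Timeout: 1800, Valid
  In: 10.2.2.5/49354 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 1370, Bytes: 91835
  Out: 192.168.2.10/5432 --> 10.2.2.5/49354;tcp, If: ge-0/0/15.0, Pkts: 2518, Bytes: 3441234
Session ID: 27259, Policy name: vpn-usa2-out-postgres/7, Timeout: 40000, Valid
  In: 10.2.2.5/49227 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 2, Bytes: 120
  Out: 192.168.2.10/5432 --> 10.2.2.5/49227;tcp, If: ge-0/0/15.0, Pkts: 0, Bytes: 0
Session ID: 29151, Policy name: vpn-usa2-out-postgres/7, Timeout: 20, Valid
  In: 10.2.2.5/49214 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 3, Bytes: 180
  Out: 192.168.2.10/5432 --> 10.2.2.5/49214;tcp, If: ge-0/0/15.0, Pkts: 0, Bytes: 0
Total sessions: 3
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
FLOW_RE = re.compile(
    r"^\s+(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_sessions(text):
    """Parse the brief session table into a list of dicts, one per session."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {
                "id": int(m.group(1)),
                # "vpn-usa2-out-postgres/7" -> policy name without its index
                "policy": m.group(2).rsplit("/", 1)[0],
                "remaining": int(m.group(3)),  # seconds left before idle teardown
                "state": m.group(4),
                "flows": {},
            }
            sessions.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            current["flows"][m.group(1)] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "iface": m.group(7),
                "pkts": int(m.group(8)), "bytes": int(m.group(9)),
            }
    return sessions


def check_timeouts(sessions, expected, floor=60, fresh_pkts=10):
    """Flag sessions on a watched (policy, dport) whose remaining idle time is
    already <= floor. expected maps (policy, dport) -> configured
    inactivity-timeout in seconds. 'fresh' marks sessions with almost no
    traffic: a fresh session that is already near expiry never received the
    configured timeout. Thresholds are assumptions for this example."""
    findings = []
    for s in sessions:
        inbound = s["flows"].get("In")
        if inbound is None:
            continue
        want = expected.get((s["policy"], inbound["dport"]))
        if want is None or s["remaining"] > floor:
            continue
        total_pkts = sum(f["pkts"] for f in s["flows"].values())
        findings.append({
            "id": s["id"],
            "policy": s["policy"],
            "remaining": s["remaining"],
            "expected": want,
            "fresh": total_pkts <= fresh_pkts,
        })
    return findings


if __name__ == "__main__":
    watched = {("vpn-usa2-out-postgres", 5432): 40000}  # assumed configured value
    for f in check_timeouts(parse_sessions(SAMPLE_OUTPUT), watched):
        why = "configured timeout not applied" if f["fresh"] else "idling out"
        print(f"session {f['id']} {f['policy']}: {f['remaining']}s left of "
              f"{f['expected']}s configured ({why})")
```

Run it against `show security flow session destination-port 5432 | no-more` piped from the device; the 1800 second default session is not reported because it is nowhere near expiry, while the 20 second session with three packets is reported as a fresh session that never got the configured timeout.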
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp