[j-nsp] Weird SRX flow timeout issue
Benny Amorsen
benny+usenet at amorsen.dk
Mon Nov 12 09:37:36 EST 2012
Andrew Yager <andrew at rwts.com.au> writes:
> By default the SRX closes the flow after 30 minutes (1800 seconds) as there is no activity on the wire during this time.
I have no SRX firewalls, so I cannot help you with your actual problem,
but I can provide an ugly workaround...
If you play with
tcp_keepalives_count
tcp_keepalives_idle
tcp_keepalives_interval
in postgresql.conf, you can get Postgres to send TCP keepalive every so
often. That should keep the session open.
30 minutes is IMHO a very low timeout for TCP sessions. Personally I set
session timeout to 86400 for TCP on the firewalls that I control. If the
number of sessions is becoming too large, a session timeout of 30
minutes is unlikely to help anyway, and TCP sessions tend to close
properly with a FIN instead of by timer.
/Benny
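The following is an added example, not part of the original post: a small Python check that reads the three `postgresql.conf` settings named above and reports whether the first keepalive probe goes out before the 1800-second flow timeout quoted in the thread. It assumes the PostgreSQL server runs on Linux with the kernel's default keepalive values (7200 s idle, 75 s interval, 9 probes), which apply when a setting is 0 or absent; the sample configurations and the function names are constructed for illustration.

```python
import re

# Assumed Linux kernel defaults (seconds / probe count), which PostgreSQL
# uses when a tcp_keepalives_* setting is 0 or absent.
OS_DEFAULTS = {"idle": 7200, "interval": 75, "count": 9}
UNITS = {None: 1, "s": 1, "min": 60, "h": 3600}
SETTING = re.compile(
    r"^\s*tcp_keepalives_(idle|interval|count)\s*=?\s*'?(\d+)\s*(s|min|h)?'?\s*(?:#.*)?$"
)

def parse_keepalives(conf_text):
    """Extract active tcp_keepalives_* settings; a later line overrides an earlier one."""
    found = {}
    for line in conf_text.splitlines():
        m = SETTING.match(line)  # lines starting with '#' never match
        if m:
            name, value, unit = m.groups()
            found[name] = int(value) * UNITS[unit]
    return found

def check(conf_text, firewall_idle_timeout=1800):
    """Compare effective keepalive timing with the firewall's idle timeout."""
    cfg = parse_keepalives(conf_text)
    eff = {k: cfg.get(k) or default for k, default in OS_DEFAULTS.items()}
    return {
        "first_probe_after": eff["idle"],
        # The probe must reach the firewall before its idle timer expires.
        "keeps_flow_open": eff["idle"] < firewall_idle_timeout,
        # Time until the server gives up on a peer that has vanished.
        "dead_peer_detected_after": eff["idle"] + eff["interval"] * eff["count"],
    }

# Constructed sample configurations.
UNTUNED = "#tcp_keepalives_idle = 0\n"
TUNED = """
tcp_keepalives_idle = 600
tcp_keepalives_interval = 60
tcp_keepalives_count = 5
"""

if __name__ == "__main__":
    for label, conf in (("untuned", UNTUNED), ("tuned", TUNED)):
        print(label, check(conf))
```

With the settings left at their defaults the first probe would be sent only after the firewall has already dropped the flow, so the idle value has to be set explicitly and below the firewall's timeout.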