[j-nsp] Weird SRX flow timeout issue

Pavel Lunin plunin at senetsy.ru
Mon Nov 12 12:09:28 EST 2012


12.11.2012 15:55, James S. Smith writes:
> after the first hour (on a brand new session)
>
> Session ID: 29151, Policy name: vpn-usa2-out-postgres/7, Timeout: 20, Valid
>   In: 10.2.2.5/49214 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 3, Bytes: 180
>   Out: 192.168.2.10/5432 --> 10.2.2.5/49214;tcp, If: ge-0/0/15.0, Pkts: 0, Bytes: 0
> Total sessions: 1
>
> All subsequent sessions are created with a 20 second timeout.

The session has not been really created yet. What you see here is an
incomplete session, which never received a SYN-ACK reply from the
server. See "Pkts: 0, Bytes: 0" for the reverse wing. SRX sets 20 sec
timeout for such a state and it's OK.

The question is why you don't get replies from the server and which
relation its appearance has to the SRX reboot (if any). First try to
understand whether packets of "subsequent" sessions ever reach the
server (if not, do they really leave the SRX's interface), then where
the server's replies go, etc.
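As an added example that is not part of the thread, a small Python helper that parses session listings in the format quoted above and flags entries whose reverse wing shows Pkts: 0, i.e. sessions that never got the server's SYN-ACK. The sample text is constructed: the first session is the one from the post, the second is an invented established session for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple

# Constructed sample in the "show security flow session" format quoted above.
# Session 29151 is the half-open one from the post; 29152 is an invented
# established session added for contrast.
SAMPLE = """\
Session ID: 29151, Policy name: vpn-usa2-out-postgres/7, Timeout: 20, Valid
  In: 10.2.2.5/49214 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 3, Bytes: 180
  Out: 192.168.2.10/5432 --> 10.2.2.5/49214;tcp, If: ge-0/0/15.0, Pkts: 0, Bytes: 0
Session ID: 29152, Policy name: vpn-usa2-out-postgres/7, Timeout: 1788, Valid
  In: 10.2.2.6/50001 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 12, Bytes: 1460
  Out: 192.168.2.10/5432 --> 10.2.2.6/50001;tcp, If: ge-0/0/15.0, Pkts: 10, Bytes: 2210
Total sessions: 2
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+)")
WING_RE = re.compile(r"(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")
Wing = NamedTuple("Wing", [("src", str), ("dst", str), ("proto", str),
                           ("ifname", str), ("pkts", int), ("nbytes", int)])

@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    wings: Dict[str, Wing] = field(default_factory=dict)

    def half_open(self) -> bool:
        # No packets on the reverse (Out) wing: the SYN-ACK never came back, so the
        # box holds the entry with its short initial timeout rather than a real session.
        out = self.wings.get("Out")
        return out is not None and out.proto == "tcp" and out.pkts == 0

def parse_sessions(text: str) -> List[Session]:
    sessions: List[Session] = []
    for raw in text.splitlines():
        line = raw.strip()
        head, wing = SESSION_RE.match(line), WING_RE.match(line)
        if head:
            sessions.append(Session(int(head[1]), head[2], int(head[3])))
        elif wing and sessions:  # wing lines belong to the most recent session header
            sessions[-1].wings[wing[1]] = Wing(wing[2], wing[3], wing[4], wing[5], int(wing[6]), int(wing[7]))
    return sessions

def half_open_sessions(text: str) -> List[int]:
    # IDs of sessions that never received a reply from the server
    return [s.sid for s in parse_sessions(text) if s.half_open()]
```

Running the check over a full listing taken before and after the reboot shows whether the problem is the SRX not seeing replies at all, as opposed to a session-table problem on the box.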