[j-nsp] Weird SRX flow timeout issue
Phil Mayers
p.mayers at imperial.ac.uk
Mon Nov 12 16:08:17 EST 2012
On 11/12/2012 08:34 PM, Tim Eberhard wrote:
> The SRX's behavior is if any packet passes over that session to reset
> the timeout on that session, keep alive, data packet, whatever. As
> long as it matches that session it will reset the timeout to the
> default value and start decrementing again. So I'm not sure what you
> mean when it says dropping tcp sessions with active TCP keepalives.
>
It might be worth noting that, on some systems, the wait before
keepalives start being sent is quite long.
For example, it's 7200 seconds of inactivity on Linux, which is probably
too long; the firewall will have expired the session before they start
probing.
OTOH, maybe he's found / is describing a bug.
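
[Added example, not part of the original message.] A sketch of the timing point above: it checks whether keepalive probes start before a firewall's idle timeout and sets per-socket timers on Linux so that they do. The 1800-second firewall timeout, the 0.5 safety factor and the function names are assumptions for illustration; use the timeout actually configured on the device.

```python
import socket

LINUX_DEFAULT_KEEPIDLE = 7200  # idle seconds before the first probe (figure from the message)
FW_IDLE_TIMEOUT = 1800         # ASSUMED firewall TCP idle timeout, not taken from the thread


def probes_start_in_time(keepidle, fw_idle_timeout):
    """True if the first keepalive is sent before the firewall expires the idle session."""
    return keepidle < fw_idle_timeout


def keepalive_plan(fw_idle_timeout, safety=0.5, probes=5):
    """Pick per-socket timers so the first probe goes out at a fraction of the firewall timeout."""
    idle = int(fw_idle_timeout * safety)
    if idle < 1:
        raise ValueError("firewall timeout too short to schedule a keepalive")
    # Retry interval for unanswered probes, capped at 75 s.
    interval = max(1, min(75, idle // probes))
    return {"idle": idle, "interval": interval, "probes": probes}


def enable_keepalive(sock, plan):
    """Apply the plan to one TCP socket (Linux option names) and return the values read back."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, plan["idle"])
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, plan["interval"])
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, plan["probes"])
    return {
        "enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        "idle": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "interval": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "probes": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


if __name__ == "__main__":
    # With the system default, probing starts only after the assumed firewall timeout.
    print("default in time:", probes_start_in_time(LINUX_DEFAULT_KEEPIDLE, FW_IDLE_TIMEOUT))
    plan = keepalive_plan(FW_IDLE_TIMEOUT)
    print("plan:", plan, "in time:", probes_start_in_time(plan["idle"], FW_IDLE_TIMEOUT))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("socket now uses:", enable_keepalive(s, plan))
```

The system-wide equivalents on Linux are the net.ipv4.tcp_keepalive_time, tcp_keepalive_intvl and tcp_keepalive_probes sysctls; they only affect sockets that have SO_KEEPALIVE enabled.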