[j-nsp] Weird SRX flow timeout issue

Tim Eberhard xmin0s at gmail.com
Mon Nov 12 19:03:47 EST 2012 

Benny,

I've been working with the SRX since before it was in beta loading it
up on a SSG550-M and netscreen previous to that. TCP keep alives, or
any tcp packet that transverses that session has ALWAYS reset the
timeout. The only time where you would see this "not working" is if
you had a situation of asymmetric routing or some time of crazy load
balancing through firewalls.

This is a basic system function, and yes, tcp-syn-checking has
everything to do with the session timeout problem. With
tcp-syn-checking ANY data packet (keepalive, syn, ack, or a normal
data packet) can create a new session, or in this case reestablish an
existing connection.

Just so it's crystal clear here..

If you have syn checking on:
You open up a connection.
Connection times out
All additional data meant for that specific session is dropped and a
reset is sent in an attempt to reinitiate the connection (assuming
tcp-rst is configured). The 3 way hand shake MUST take place for a new
session to be created.

If you have syn checking off:
You open up a connection.
Connection times out
The moment any data packet comes that is allowed by security policy a
session is created.

I hope this clears things up. If you still doubt this feel free to
reference juniper's documentation.
http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-44055.html

-Tim Eberhard

On Mon, Nov 12, 2012 at 3:25 PM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:
> Tim Eberhard <xmin0s at gmail.com> writes:
>
>> The SRX's behavior is if any packet passes over that session to reset
>> the timeout on that session, keep alive, data packet, whatever. As
>> long as it matches that session it will reset the timeout to the
>> default value and start decrementing again. So I'm not sure what you
>> mean when it says dropping tcp sessions with active TCP keepalives.
>
> I proposed using TCP keepalives to keep sessions alive. Julien Goodwin
> informed me that this did not work on the SRX, as of a few years ago.
>
> If that is fixed, all is well.
>
> None of which has anything to do with tcp-syn-checking.
>
>
> /Benny

More information about the juniper-nsp mailing list