[j-nsp] Weird SRX flow timeout issue

Julien Goodwin jgoodwin at studio442.com.au
Tue Nov 13 03:55:24 EST 2012 

On 13/11/12 00:30, Pavel Lunin wrote:
> Julien, what you talk about is an entirely different story. IIRC, SRX
> handles TCP RST differently than ScreeOS when a server closes a session.
> I don't remember all the details, but something like not passing TCP RST
> back to the user, just closing a session or something.

This was not the case, no TCP RST was involved.

As I said, we did diagnose this to the point of identifying what was
happening at the packet level, however we never did file a case, just
instructed users to use application, not TCP, keepalives.

This was all at a former job and I no longer have detailed records of
the case.

> On the user experience side it looks like a hung session in at least
> GNU/Linux clients instead an expected "connection reset by remote side".
> 
> But this has nothing to do with the original topic, which is, I would
> say, is something related to broken routing.
> 
> 13.11.2012 10:08 пользователь "Julien Goodwin"
> <jgoodwin at studio442.com.au <mailto:jgoodwin at studio442.com.au>> написал:
> 
>     On 12/11/12 16:03, Tim Eberhard wrote:
>     > Benny,
>     >
>     > I've been working with the SRX since before it was in beta loading it
>     > up on a SSG550-M and netscreen previous to that. TCP keep alives, or
>     > any tcp packet that transverses that session has ALWAYS reset the
>     > timeout. The only time where you would see this "not working" is if
>     > you had a situation of asymmetric routing or some time of crazy load
>     > balancing through firewalls.
> 
>     All I can say is that as of late 2009 on branch SRX (specifically
>     SRX650, using then-current JunOS, probably 9.5) this was not the case
>     with SSH traffic (which IIRC doesn't have an ALG).
> 
>     It wouldn't kill the session, just wouldn't extend it.
> 
> 
>     _______________________________________________
>     juniper-nsp mailing list juniper-nsp at puck.nether.net
>     <mailto:juniper-nsp at puck.nether.net>
>     https://puck.nether.net/mailman/listinfo/juniper-nsp
> 


-- 
Julien Goodwin
Studio442
"Blue Sky Solutioneering"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20121113/70aa766a/attachment-0001.sig>

More information about the juniper-nsp mailing list