[j-nsp] Monitor SRX "Invalidated Session"

Youssef Bengelloun-Zahr youssef at 720.fr
Mon Feb 29 10:52:34 EST 2016


Here is JTAC feedback regarding this:

"As I have understood it till now, the issue is with the invalidated
sessions seen on the SRX.

Seeing some number of invalidated sessions on the SRX is normal behavior.
Each valid session for which a FIN is received would be moved to the
invalidated sessions list and then discarded from the SRX completely.
While a new session is getting established, it would be in the invalidated
sessions list until the TCP handshake completes and then the session is
moved to the valid session list.
Hence, the number of invalidated sessions seen at a particular time on the
SRX depends on the two factors mentioned above.

Please confirm if you are referring to the following forum post :-
http://kb.juniper.net/InfoCenter/index?page=content&id=KB23462
http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-the-quot-Invalidated-sessions-quot/td-p/172518

If yes, I have gone through the internal PR mentioned in that link and
reviewed it. That PR is not applicable to the version 12.3X48-D20 which is
running on the SRX."

I'm still waiting for feedback about which models / OS versions are affected by
this.

BR.



2016-02-29 13:33 GMT+01:00 Michael Gehrmann <mgehrmann at atlassian.com>:

> No, but I strongly suggest getting in touch with JTAC and running the debug
> code. Only way forward at the moment.
>
> Mike
>
> On 29 Feb 2016, at 21:32, Youssef Bengelloun-Zahr <youssef at 720.fr> wrote:
>
> Hello Michael,
>
> Any other details you could share regarding affected platforms / Junos
> versions?
>
> BR.
>
>
>
> 2016-02-29 7:21 GMT+01:00 Michael Gehrmann <mgehrmann at atlassian.com>:
>
>> Nothing public yet.
>>
>>
>> On 29 Feb 2016, at 17:11, Youssef Bengelloun-Zahr <youssef at 720.fr> wrote:
>>
>> Hi,
>>
>> So you have a DEFECT or PR ID for this?
>>
>> BR.
>>
>>
>>
>> On 28 Feb 2016, at 23:45, Michael Gehrmann <mgehrmann at atlassian.com> wrote:
>>
>> SRX650 - 12.1X46-D36
>>
>> I'm told by JTAC the issue will be present in 12.3X48 as no fix has
>> been identified yet.
>>
>> Cheers
>> Mike
>>
>> On 29 February 2016 at 09:35, Youssef Bengelloun-Zahr <youssef at 720.fr>
>> wrote:
>>
>>> Hello,
>>>
>>> Could you please both share model and running code versions ?
>>>
>>> Best regards.
>>>
>>>
>>>
>>> > On 28 Feb 2016, at 23:27, Michael Gehrmann <mgehrmann at atlassian.com> wrote:
>>> >
>>> > We have had the same issue on branch series. Juniper is asking us to
>>> > run a debug version of code. I suggest you contact JTAC.
>>> >
>>> > Cheers
>>> > Mike
>>> >
>>> >> On 28 February 2016 at 23:04, Florian Lohoff <f at zz.de> wrote:
>>> >>
>>> >>
>>> >> Hi,
>>> >>
>>> >> We had an incident with one node of an SRX Cluster piling up
>>> >> invalidated sessions as seen from "show security session flow summary"
>>> >>
>>> >> Now I was looking for the SNMP MIBs to monitor the number of
>>> >> invalidated sessions per node but failed to find one.
>>> >>
>>> >> JUNIPER-LSYSSP-FLOWSESS-MIB has max/current
>>> >> JUNIPER-SRX5000-SPU-MONITORING-MIB has max/current
>>> >>
>>> >> Anything else I overlooked?
>>> >>
>>> >> I could write a check which issues the CLI command but seems a little
>>> >> overpriced for monitoring a single number (or 2 for both nodes)
>>> >>
>>> >> Flo
>>> >> --
>>> >> Florian Lohoff                                         f at zz.de
>>> >>      We need to self-defend - GnuPG/PGP enable your email today!
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>> >
>>> >
>>> >
>>> > --
>>> > Michael Gehrmann
>>> > Senior Network Engineer - Atlassian
>>> > m: +61 407 570 658
>>>
>>
>>
>>
>> --
>> Michael Gehrmann
>> Senior Network Engineer - Atlassian
>> m: +61 407 570 658
>>
>>
>
>
> --
> Youssef BENGELLOUN-ZAHR
>
>


-- 
Youssef BENGELLOUN-ZAHR
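
Added example, not part of the original thread or any poster's code: a sketch of the CLI-based check discussed above, parsing per-node session counters from saved `show security flow session summary` output and alerting on the share of invalidated sessions rather than the raw count, since some invalidated sessions are normal. The output layout, the sample text and the thresholds are assumptions; counters that repeat within a node (one block per SPU) are summed, which goes beyond the single-block case.

```python
import re
# Constructed sample, not captured from a device. The layout (per-node header,
# "Name: value" counters) is an assumption about the CLI summary output.
SAMPLE = """\
node0:
--------------------------------------------------
Sessions-in-use: 1893
  Valid sessions: 1498
  Pending sessions: 0
  Invalidated sessions: 395
  Sessions in other states: 0

node1:
--------------------------------------------------
Sessions-in-use: 4100
  Valid sessions: 1102
  Pending sessions: 0
  Invalidated sessions: 2998
  Sessions in other states: 0
"""
NODE_RE = re.compile(r"^(node\d+):\s*$")
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(\d+)\s*$")

def parse_summary(text):
    """Return {node: {counter: value}}; repeated counters in a node are summed."""
    nodes, current = {}, "standalone"
    for line in text.splitlines():
        if m := NODE_RE.match(line):
            current = m.group(1)
        elif m := COUNTER_RE.match(line):
            key = m.group(1).strip().lower()
            counters = nodes.setdefault(current, {})
            counters[key] = counters.get(key, 0) + int(m.group(2))
    return nodes

def check_invalidated(text, warn_pct=10.0, crit_pct=25.0):
    """Nagios-style (code, message); thresholds are placeholder assumptions."""
    status, parts = 0, []
    nodes = parse_summary(text)
    for node, c in sorted(nodes.items()):
        if "invalidated sessions" not in c or "sessions-in-use" not in c:
            return 3, f"UNKNOWN - {node}: expected counters missing"
        bad, used = c["invalidated sessions"], c["sessions-in-use"]
        pct = 100.0 * bad / used if used else 0.0
        status = max(status, 2 if pct >= crit_pct else 1 if pct >= warn_pct else 0)
        parts.append(f"{node} invalidated={bad} ({pct:.1f}% of {used} in use)")
    if not nodes:
        return 3, "UNKNOWN - no session counters found"
    return status, ("OK", "WARNING", "CRITICAL")[status] + " - " + "; ".join(parts)
```

Feed it the text collected from the device by whatever transport the monitoring host already uses, and tune the thresholds against the baseline seen on a healthy node.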

