[j-nsp] Monitor SRX "Invalidated Session"

Florian Lohoff f at zz.de
Mon Feb 29 14:34:31 EST 2016


On Mon, Feb 29, 2016 at 04:52:34PM +0100, Youssef Bengelloun-Zahr wrote:
> Here is JTAC feedback regarding this :
> 
> "As I have understood it till now, the issue is with the invalidated
> sessions seen on the SRX.
> 
> Seeing some number of invalidated sessions on the SRX is a normal behavior.
> Each valid session for which a FIN is received would be moved to the
> invalidated sessions list and then discarded from the SRX completely.
> While a new session is getting established, it would be in the invalidated
> sessions list until the tcp handshake completes and then the session is
> moved to the valid session list.
> Hence, the number of invalidated sessions seen at a particular time on the
> SRX depends on the two factors mentioned above.
> 
> Please confirm if you are referring to the following forum post :-
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB23462
> http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-the-quot-Invalidated-sessions-quot/td-p/172518
> 
> If yes, I have gone through the internal PR mentioned in that link and
> reviewed it. That PR is not applicable to the version 12.3X48-D20 which is
> running on the SRX."
> 
> I'm still looking for feedback about which models / OS versions are
> affected by this.

I had ~50k active sessions on both - node0 had ~5k invalidated
and node1 had 250k invalidated sessions - half of the available 500k
max. After a reboot node1 is down to ~5k invalidated sessions again.

So - yes - invalidated sessions are normal and appear - but I don't
think half of the max sessions is right.

I found the invalidated sessions because we had reachability issues
when node0 spiked to ~240k active sessions and would not set up more
active sessions. My interpretation was that it wouldn't allow new
sessions because node0 active + node1 invalidated sessions were
near max sessions.

This is why I was initially asking for monitoring of invalidated
sessions, as they piled up over time on one of the nodes.

Flo
-- 
Florian Lohoff                                                 f at zz.de
      We need to self-defend - GnuPG/PGP enable your email today!
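A monitoring check for the pile-up Flo describes, as an added example that is not part of this thread and not Juniper tooling. It parses the per-node blocks of `show security flow session summary` from a chassis cluster and flags a node whose invalidated sessions take a large share of the session table, and a node whose sessions in use (valid + pending + invalidated) are close to the configured maximum; a second function compares two polls so a node on which the invalidated count only ever grows stands out. The sample output is constructed to mirror the numbers in the post (node0 at ~240k active, node1 at 250k invalidated against a ~500k maximum) and the field names as I recall them from that command (Valid sessions, Pending sessions, Invalidated sessions, Maximum-sessions); the output format, the 10% and 90% thresholds and the `NodeSummary` helper are all assumptions of this example, so check the format against your own platform and Junos release before wiring it into a poller.

```python
"""Parse 'show security flow session summary' from an SRX chassis cluster and
flag nodes where invalidated sessions are piling up.  Added example: the
output format below is an assumption modelled on the command as I recall it,
and the sample text is constructed, not captured from the devices in the
thread."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the post: node0 spiked to ~240k active
# sessions while node1 carries 250k invalidated sessions against a 524288
# maximum (the "500k max" in the post).  Assumed format, verify on your box.
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Unicast-sessions: 240000
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 245100
  Valid sessions: 240000
  Pending sessions: 100
  Invalidated sessions: 5000
  Sessions in other states: 0
Maximum-sessions: 524288

node1:
--------------------------------------------------------------------------
Unicast-sessions: 240000
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 490100
  Valid sessions: 240000
  Pending sessions: 100
  Invalidated sessions: 250000
  Sessions in other states: 0
Maximum-sessions: 524288
"""


@dataclass
class NodeSummary:
    """Counters we care about for one cluster node (hypothetical helper)."""
    node: str
    valid: int
    pending: int
    invalidated: int
    maximum: int

    @property
    def invalidated_ratio(self) -> float:
        return self.invalidated / self.maximum

    @property
    def in_use_ratio(self) -> float:
        # Everything that occupies a slot in the session table.
        return (self.valid + self.pending + self.invalidated) / self.maximum


NODE_RE = re.compile(r"^(node\d+):", re.M)
FIELD_RE = {
    "valid": re.compile(r"Valid sessions:\s+(\d+)"),
    "pending": re.compile(r"Pending sessions:\s+(\d+)"),
    "invalidated": re.compile(r"Invalidated sessions:\s+(\d+)"),
    "maximum": re.compile(r"Maximum-sessions:\s+(\d+)"),
}


def parse_summary(text: str) -> dict[str, NodeSummary]:
    """Split the output into per-node blocks and pull the monitored counters.
    Raises if a field is missing, so a format change fails loudly instead of
    silently reporting zero invalidated sessions."""
    summaries = {}
    parts = NODE_RE.split(text)  # ['', 'node0', <body0>, 'node1', <body1>]
    for name, body in zip(parts[1::2], parts[2::2]):
        fields = {}
        for key, rx in FIELD_RE.items():
            m = rx.search(body)
            if m is None:
                raise ValueError(f"{name}: field {key!r} not found in output")
            fields[key] = int(m.group(1))
        summaries[name] = NodeSummary(node=name, **fields)
    return summaries


def check(summaries, invalidated_warn=0.10, in_use_warn=0.90):
    """Return (node, kind, ratio) alerts.  A few percent invalidated is the
    normal churn JTAC describes; a large share of the table, or a node close
    to its maximum, is the condition that coincided with the reachability
    problems in the post.  Thresholds are assumptions."""
    alerts = []
    for s in summaries.values():
        if s.invalidated_ratio >= invalidated_warn:
            alerts.append((s.node, "invalidated", round(s.invalidated_ratio, 3)))
        if s.in_use_ratio >= in_use_warn:
            alerts.append((s.node, "in-use", round(s.in_use_ratio, 3)))
    return alerts


def invalidated_growth(prev, curr):
    """Per-node change in invalidated sessions between two polls.  Normal
    churn goes up and down; a delta that is positive poll after poll on one
    node is the pile-up that a reboot cleared in the post."""
    return {n: curr[n].invalidated - prev[n].invalidated
            for n in curr if n in prev}


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_OUTPUT)
    for node, kind, ratio in check(parsed):
        print(f"{node}: {kind} sessions at {ratio:.1%} of maximum")
```

Feed it the text output of the command from each polling interval (for instance over SSH or the Junos XML RPC, whichever the poller already uses), alert on the tuples `check` returns, and keep the previous poll so `invalidated_growth` can show whether one node's count is only ever climbing; with the sample above, node1 trips both the invalidated and the in-use thresholds while node0 stays quiet.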