[j-nsp] Monitor SRX "Invalidated Session"

Michael Gehrmann mgehrmann at atlassian.com
Mon Feb 29 17:35:01 EST 2016


Invalidated sessions are norma but it's not normal to have an increasing
number of invalidated sessions which then prevent the box from passing
traffic. This is our experience which has happened twice in 3 months. We
saw a ramp up of invalidated sessions which peaked and then stopped all
traffic until a reboot was actioned.

Mike

On 1 March 2016 at 06:34, Florian Lohoff <f at zz.de> wrote:

> On Mon, Feb 29, 2016 at 04:52:34PM +0100, Youssef Bengelloun-Zahr wrote:
> > Here is JTAC feedback regarding this :
> >
> > "As I have understood it till now, the issue is with the invalidated
> > sessions seen on the SRX.
> >
> > Seeing some number of invalidated sessions on the SRX is a normal
> behavior.
> > Each valid session for which a FIN is received would be moved to the
> > invalidated sessions list and then discarded from the SRX completely.
> > While a new session is getting established, it would be in the
> invalidated
> > sessions list until the tcp handshake completes and then the session is
> > moved to the valid session list.
> > Hence, the number of invalidated sessions seen at a particular time on
> the
> > SRX depends on the two factors mentioned above.
> >
> > Please confirm if you are referring to the following forum post :-
> > http://kb.juniper.net/InfoCenter/index?page=content&id=KB23462
> >
> http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-the-quot-Invalidated-sessions-quot/td-p/172518
> >
> > If yes, I have gone through the internal PR mentioned in that link and
> > reviewed it. That PR is not applicable to the version 12.3X48-D20 which
> is
> > running on the SRX."
> >
> > I'm still for a feedback about which models / OS versions are affected by
> > this.
>
> I had ~50k active Sessions on both - Node0 hat ~5k Invalidated
> and node1 had 250k Invalidated sessions - Halve of the available 500k
> max. After a reboot node1 is down to ~5k Invalidated sessions again.
>
> So - Yes - Invalidated sessions are normal and appear - but i dont
> think half of the max sessions are right.
>
> I found the invalidated sessions because we had reachability issues
> when node0 spiked to ~240k Active Sessions and would not setup more
> active sessions. My interpretation what that it wouldnt allow new
> sessions because node0 active + node1 invalidated sessions were
> near max sessions.
>
> This is why i was initially asking for monitoring of invalidated
> sessions as they over time piled up on one of the nodes.
>
> Flo
> --
> Florian Lohoff                                                 f at zz.de
>       We need to self-defend - GnuPG/PGP enable your email today!
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQIVAwUBVtSdR5DdQSDLCfIvAQooiA/+OzXjP/+1ka/YQseHwUK2eYuX/1udzHkl
> Pa/qW8wraw3mrfZ20J7h3yu+ESY1MB0mSqL8otmqG/2hvToK15sl/GW9WFVihlgg
> pxM8/yNhVVCJ94ybBjknpcghIki/ywoH8z1IFQ+/DAipD5rMgYlU55A7ozxtSXiZ
> YQ47NYud2HVfkRIiYS9Hg3lhVTeXUGdR1UpmhYTSlkidMwsYh9JHEgY00Zxb53j+
> Bu/ORUppsaeeIvUJ8qhMK9Wm47ZsNwShPRWoHi1nZ0NYrLBQj3KqLXP0w+a8zsIQ
> aduF+ZvivduC+fAHLFAoERp4YCJu8l2LW7gWlO9euC8rSThbphGOSf93kOXvZ0/X
> FCogcBU5/uAQRMLmz1wcJX/ztUCRcYF4qLzvyQPhfkYzbyqWNJeymJP6Rzt0iDyE
> MkwilgIO3+DhSlSMTXt0+0t+mTxjrl7rhppC5ESNA2dzHzxiNpbgHDviXnKB5/V8
> 52PqnPaoIQlEWTZnVvRqsGvKhUgCPQqpMHAvxMJKNogM/ChX0OCN+49zxf+t5L9t
> K+a05ZghLlBXbkW3dDszgrWBxJXiiJwNPsH1sWdDswvzGTJPPzIiuEKrnHLS2aLs
> 77nax+ODN7Al+dKeWih7EW0pRBJ2KUgO31LE2wb+CXKTWZnm5cTUXtSzZD8s6liQ
> KUI0Q5LQG3g=
> =kOzD
> -----END PGP SIGNATURE-----
>
>


-- 
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658


More information about the juniper-nsp mailing list