[j-nsp] Monitor SRX "Invalidated Session"
youssef at 720.fr
Tue Mar 1 04:11:42 EST 2016
JTAC point me to this PR :
This ressembles a lot to our environment (cluster + LSYS) but we are not
affected as we are running 12.3X48-D20.
2016-02-29 23:35 GMT+01:00 Michael Gehrmann <mgehrmann at atlassian.com>:
> Invalidated sessions are norma but it's not normal to have an increasing
> number of invalidated sessions which then prevent the box from passing
> traffic. This is our experience which has happened twice in 3 months. We
> saw a ramp up of invalidated sessions which peaked and then stopped all
> traffic until a reboot was actioned.
> On 1 March 2016 at 06:34, Florian Lohoff <f at zz.de> wrote:
>> On Mon, Feb 29, 2016 at 04:52:34PM +0100, Youssef Bengelloun-Zahr wrote:
>> > Here is JTAC feedback regarding this :
>> > "As I have understood it till now, the issue is with the invalidated
>> > sessions seen on the SRX.
>> > Seeing some number of invalidated sessions on the SRX is a normal
>> > Each valid session for which a FIN is received would be moved to the
>> > invalidated sessions list and then discarded from the SRX completely.
>> > While a new session is getting established, it would be in the
>> > sessions list until the tcp handshake completes and then the session is
>> > moved to the valid session list.
>> > Hence, the number of invalidated sessions seen at a particular time on
>> > SRX depends on the two factors mentioned above.
>> > Please confirm if you are referring to the following forum post :-
>> > http://kb.juniper.net/InfoCenter/index?page=content&id=KB23462
>> > If yes, I have gone through the internal PR mentioned in that link and
>> > reviewed it. That PR is not applicable to the version 12.3X48-D20 which
>> > running on the SRX."
>> > I'm still for a feedback about which models / OS versions are affected
>> > this.
>> I had ~50k active Sessions on both - Node0 hat ~5k Invalidated
>> and node1 had 250k Invalidated sessions - Halve of the available 500k
>> max. After a reboot node1 is down to ~5k Invalidated sessions again.
>> So - Yes - Invalidated sessions are normal and appear - but i dont
>> think half of the max sessions are right.
>> I found the invalidated sessions because we had reachability issues
>> when node0 spiked to ~240k Active Sessions and would not setup more
>> active sessions. My interpretation what that it wouldnt allow new
>> sessions because node0 active + node1 invalidated sessions were
>> near max sessions.
>> This is why i was initially asking for monitoring of invalidated
>> sessions as they over time piled up on one of the nodes.
>> Florian Lohoff f at zz.de
>> We need to self-defend - GnuPG/PGP enable your email today!
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (GNU/Linux)
>> -----END PGP SIGNATURE-----
> Michael Gehrmann
> Senior Network Engineer - Atlassian
> m: +61 407 570 658
More information about the juniper-nsp