[j-nsp] Monitor SRX "Invalidated Session"

Youssef Bengelloun-Zahr youssef at 720.fr
Tue Mar 1 04:11:42 EST 2016


Hi,

JTAC point me to this PR :
https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1061067

This ressembles a lot to our environment (cluster + LSYS) but we are not
affected as we are running 12.3X48-D20.

HTH.



2016-02-29 23:35 GMT+01:00 Michael Gehrmann <mgehrmann at atlassian.com>:

> Invalidated sessions are norma but it's not normal to have an increasing
> number of invalidated sessions which then prevent the box from passing
> traffic. This is our experience which has happened twice in 3 months. We
> saw a ramp up of invalidated sessions which peaked and then stopped all
> traffic until a reboot was actioned.
>
> Mike
>
> On 1 March 2016 at 06:34, Florian Lohoff <f at zz.de> wrote:
>
>> On Mon, Feb 29, 2016 at 04:52:34PM +0100, Youssef Bengelloun-Zahr wrote:
>> > Here is JTAC feedback regarding this :
>> >
>> > "As I have understood it till now, the issue is with the invalidated
>> > sessions seen on the SRX.
>> >
>> > Seeing some number of invalidated sessions on the SRX is a normal
>> behavior.
>> > Each valid session for which a FIN is received would be moved to the
>> > invalidated sessions list and then discarded from the SRX completely.
>> > While a new session is getting established, it would be in the
>> invalidated
>> > sessions list until the tcp handshake completes and then the session is
>> > moved to the valid session list.
>> > Hence, the number of invalidated sessions seen at a particular time on
>> the
>> > SRX depends on the two factors mentioned above.
>> >
>> > Please confirm if you are referring to the following forum post :-
>> > http://kb.juniper.net/InfoCenter/index?page=content&id=KB23462
>> >
>> http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-the-quot-Invalidated-sessions-quot/td-p/172518
>> >
>> > If yes, I have gone through the internal PR mentioned in that link and
>> > reviewed it. That PR is not applicable to the version 12.3X48-D20 which
>> is
>> > running on the SRX."
>> >
>> > I'm still for a feedback about which models / OS versions are affected
>> by
>> > this.
>>
>> I had ~50k active Sessions on both - Node0 hat ~5k Invalidated
>> and node1 had 250k Invalidated sessions - Halve of the available 500k
>> max. After a reboot node1 is down to ~5k Invalidated sessions again.
>>
>> So - Yes - Invalidated sessions are normal and appear - but i dont
>> think half of the max sessions are right.
>>
>> I found the invalidated sessions because we had reachability issues
>> when node0 spiked to ~240k Active Sessions and would not setup more
>> active sessions. My interpretation what that it wouldnt allow new
>> sessions because node0 active + node1 invalidated sessions were
>> near max sessions.
>>
>> This is why i was initially asking for monitoring of invalidated
>> sessions as they over time piled up on one of the nodes.
>>
>> Flo
>> --
>> Florian Lohoff                                                 f at zz.de
>>       We need to self-defend - GnuPG/PGP enable your email today!
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (GNU/Linux)
>>
>> iQIVAwUBVtSdR5DdQSDLCfIvAQooiA/+OzXjP/+1ka/YQseHwUK2eYuX/1udzHkl
>> Pa/qW8wraw3mrfZ20J7h3yu+ESY1MB0mSqL8otmqG/2hvToK15sl/GW9WFVihlgg
>> pxM8/yNhVVCJ94ybBjknpcghIki/ywoH8z1IFQ+/DAipD5rMgYlU55A7ozxtSXiZ
>> YQ47NYud2HVfkRIiYS9Hg3lhVTeXUGdR1UpmhYTSlkidMwsYh9JHEgY00Zxb53j+
>> Bu/ORUppsaeeIvUJ8qhMK9Wm47ZsNwShPRWoHi1nZ0NYrLBQj3KqLXP0w+a8zsIQ
>> aduF+ZvivduC+fAHLFAoERp4YCJu8l2LW7gWlO9euC8rSThbphGOSf93kOXvZ0/X
>> FCogcBU5/uAQRMLmz1wcJX/ztUCRcYF4qLzvyQPhfkYzbyqWNJeymJP6Rzt0iDyE
>> MkwilgIO3+DhSlSMTXt0+0t+mTxjrl7rhppC5ESNA2dzHzxiNpbgHDviXnKB5/V8
>> 52PqnPaoIQlEWTZnVvRqsGvKhUgCPQqpMHAvxMJKNogM/ChX0OCN+49zxf+t5L9t
>> K+a05ZghLlBXbkW3dDszgrWBxJXiiJwNPsH1sWdDswvzGTJPPzIiuEKrnHLS2aLs
>> 77nax+ODN7Al+dKeWih7EW0pRBJ2KUgO31LE2wb+CXKTWZnm5cTUXtSzZD8s6liQ
>> KUI0Q5LQG3g=
>> =kOzD
>> -----END PGP SIGNATURE-----
>>
>>
>
>
> --
> Michael Gehrmann
> Senior Network Engineer - Atlassian
> m: +61 407 570 658
>



-- 
Youssef BENGELLOUN-ZAHR


More information about the juniper-nsp mailing list