Juniper SRX Lower Maximum Sessions

juniperjuniper-junosjuniper-srx

On my SRX 1400 I see maximum sessions here:

show security flow session summary

This is what shows up now:

Unicast-sessions: 46795
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 931259
Sessions-in-use: 51465
  Valid sessions: 46337
  Pending sessions: 0
  Invalidated sessions: 128
  Sessions in other states: 0
Maximum-sessions: 1048576

My SRX can handle this number of sessions fine but the rest of my network can NOT.

How can I decrease the Maximum-sessions value?

Best Answer

You cannot decrease the maximum sessions value directly, but you can use Screen options to limit the maximum number of concurrent sessions per source- or destination IP. In your case I would expect a destination-based limit (see Juniper documentation).

For example:

security {
 screen {
  ids-option max-1000-sessions-per-host {
   limit-session {
    destination-ip-based 1000;
   }
  }
 }
 zones {
  security-zone untrust {
   screen max-1000-sessions-per-host;
  }
 }
}

However, it sounds really weird that your network is constrained by the number of sessions it can handle. This is usually only relevant for stateful devices like firewalls and load balancers, that are perfectly capable to drop exceeding traffic on their own. If it is bandwidth that's the problem, then there are probably better knobs to turn than session limits.

Related Solutions

How to log out of state sessions on Juniper SRX platform

Packets should be classified regardless of the TCP handshake being watched or not. If there isn't a session defined for that flow (fast path) a new one should be created (first path).

Do you have any screen configured?? Maybe it's the screen that's dropping the traffic.

More details on Troubleshooting Traffic Flows and Session Establishment

Maybe you can configure a log file with traceoptions:

security {
  flow {
        traceoptions {
            file trace_file;
            flag basic-datapath;
            packet-filter Match {
                protocol tcp;
                source-prefix <source-ip>;
                destination-prefix <dest-ip>;
                destination-port <tcp-port>;
            }
        }
    }
}

Beware of these traces, since it can cause high CPU load on the SRX if it's carrying a lot of traffic. Limit the filter as much as possible and run it during a maintenance window.

Juniper – Troubleshooting Unstable Uplink on SRX240 with VPN

With help from our service provider we've been able to localise the problem. The idea I had in my last comment proved correct: the difference between fast ethernet and gigabit ethernet was the source of the problem.

The reason for dropping connections, undeliverable packets and segmented packets was a mismatch in link mode between the fiber switch and the SRX - they hardcoded their port to 100m full duplex, but the SRX had automatic negotiation, which resolved to 100m half duplex.

The problem was further complicated by Juniper's odd configuration of speed and link mode. Just setting these configuration options wasn't enough:

speed 100m;
link-mode full-duplex;

This configuration was accepted, but when running show interfaces ge-0/0/0, it still showed:

Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: 100mbps,

Apparently, you have to explicitly disable auto-negotiation:

speed 100m;
link-mode full-duplex;
gigether-options {
    no-auto-negotiation;
}

In the end, I found that this guy had the exact same problem (and the solution!)

Thanks for all your help.

Best Answer

Related Solutions

How to log out of state sessions on Juniper SRX platform

Juniper – Troubleshooting Unstable Uplink on SRX240 with VPN

Related Topic