-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Maybe you should enable logging on your policy permit rules ( session-close) and see what logs says about reason for closing the session.
Regards, Piotr Bratkowski W dniu 2010-08-06 12:28, Pavel Lunin pisze: > > Hi Paul, > >> Thanks - it's looking like 1800 seconds.... >> >> p...@dis2.millbrook1> show security flow session destination-prefix >> 216.168.xxx.xxx >> Session ID: 434890, Policy name: Linux-to-Internet/8, Timeout: 1800 >> In: 216.168.xx.xxx/37820 --> 216.168.xxx.xxx/9103;tcp, If: vlan.11 >> Out: 216.168.xxx.xxx/9103 --> 216.168.xx.xxx/37820;tcp, If: >> ge-6/0/23.0 >> > This output shows it's 1800 seconds left till this particular > session will be aged out. This value decreases in time while no > packets are received along the session. Since 1800 is the default > ttl for tcp, most probably your devices send keepalives and this is > session is never aged out by the firewall except the devices stop > transmitting packets. > > When troubleshooting such things you must be sure what exactly > happens. Which part of the three stops sending or transmitting > packets. And only than you ask why this happens. > > — What does the output of "show security flow session" tell you at > the moment when the session hangs? > — What does the "close reason" field in correspondent traffic log on > the SRX look like? > — Did you check (using sniffer) that SSH client and server send > packets at the time when the SSH session hangs? Do they, really? > — If yes, check whether the packets reach the SRX. > — If the packets do reach the SRX, check (again with sniffer) > whether they are transmitted on the egress interface. Also whether > they reach the destination. > — If you see the packets really reach the SRX and don't leave it > through the egress interface, turn on [edit security flow > traceoptions] in order to trace stateful packet processing and > you'll definitely see the reason why packets are dropped (if they are). > > -- > BR, > Pavel > > > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMW+7uAAoJEFmGJVrtk3rV9IQIAJqPhyS/e0/l64CaYSA9GaOa N60893N0AKbD8b0pyNWxcNj97Rz7vbM2UuWywUFp1wCMv+3EuMRTuEphbhfxBxvf CidX9sK/AeKRajxbJiQNC0+spWTS1TeMxa7V+mU0mXTrSEM/u360Rxfn5tkHbiL1 TT4sqV+QWtaNHTaSkK5FKb89YlvmfZuWUUxqdHBllqeDJxDzKVwdzpyVo7njmAxA 9KM/8AyyDXuCn/2rkRo6YuNsHIIXca6X8L2i6yEL3MwanhxY0etwvwFf23IVC3/m u3dsAKRxoYvUPa1tpH+XNoGBn+1bTqD3lnWE7fvIpQsz1Kq0cJmn2AP21plB2aA= =mW7s -----END PGP SIGNATURE----- _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp