12.11.2012 15:55, James S. Smith wrote:
> after the first hour (on a brand new session)
>
> Session ID: 29151, Policy name: vpn-usa2-out-postgres/7, Timeout: 20, Valid
> In: 10.2.2.5/49214 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 3, Bytes:
> 180
> Out: 192.168.2.10/5432 --> 10.2.2.5/49214;tcp, If: ge-0/0/15.0, Pkts: 0,
> Bytes: 0
> Total sessions: 1
>
> All subsequent sessions are created with a 20 second timeout.

The session has not been really created yet. What you see here is an incomplete session, which never received a SYN-ACK reply from the server. See "Pkts: 0, Bytes: 0" for the reverse wing. SRX sets 20 sec timeout for such a state and it's OK. The question is why you don't get replies from the server and which relation its appearance has to the SRX reboot (if any). First try to understand whether packets of "subsequent" sessions ever reach the server (if not, do they really leave the SRX's interface), then where the server's replies go, etc.
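
Added example, not part of the original thread: a small parser for session output in the format quoted above that flags TCP sessions whose reverse ("Out") wing shows zero packets, the incomplete state the reply describes. It assumes each wing sits on one unwrapped line; the function names are hypothetical and the second sample session is constructed.

```python
import re

# Sample text in the format quoted in this thread. The first session is the one
# from the thread; the second is constructed to show an established flow.
SAMPLE = """\
Session ID: 29151, Policy name: vpn-usa2-out-postgres/7, Timeout: 20, Valid
  In: 10.2.2.5/49214 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 3, Bytes: 180
  Out: 192.168.2.10/5432 --> 10.2.2.5/49214;tcp, If: ge-0/0/15.0, Pkts: 0, Bytes: 0
Session ID: 29160, Policy name: vpn-usa2-out-postgres/7, Timeout: 1790, Valid
  In: 10.2.2.5/49300 --> 192.168.2.10/5432;tcp, If: vlan.3, Pkts: 12, Bytes: 1440
  Out: 192.168.2.10/5432 --> 10.2.2.5/49300;tcp, If: ge-0/0/15.0, Pkts: 10, Bytes: 2210
"""

HEADER = re.compile(r"Session ID:\s*(\d+),\s*Policy name:\s*([^,\s]+),\s*Timeout:\s*(\d+)")
WING = re.compile(
    r"(In|Out):\s*(\S+)\s*-->\s*(\S+?);(\w+),\s*If:\s*([^,\s]+),\s*Pkts:\s*(\d+),\s*Bytes:\s*(\d+)"
)

def parse_sessions(text):
    """Return one dict per session, holding the header fields and both wings."""
    sessions = []
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            sessions.append({"id": int(h.group(1)), "policy": h.group(2),
                             "timeout": int(h.group(3)), "wings": {}})
            continue
        w = WING.search(line)
        if w and sessions:
            sessions[-1]["wings"][w.group(1)] = {
                "src": w.group(2), "dst": w.group(3), "proto": w.group(4),
                "ifname": w.group(5), "pkts": int(w.group(6)), "bytes": int(w.group(7)),
            }
    return sessions

def half_open(sessions):
    """TCP sessions whose forward wing carried packets but whose reverse wing saw none."""
    return [s for s in sessions
            if s["wings"].get("In", {}).get("proto") == "tcp"
            and s["wings"]["In"]["pkts"] > 0
            and s["wings"].get("Out", {}).get("pkts") == 0]

if __name__ == "__main__":
    for s in half_open(parse_sessions(SAMPLE)):
        out = s["wings"]["Out"]
        print(f"session {s['id']} ({s['policy']}): no reply from {out['src']} "
              f"on {out['ifname']}, timeout {s['timeout']}s")
```

A session listed by half_open() only shows that no reply was counted on the reverse wing; whether the SYN left the egress interface or the server's reply took another path still has to be checked as the reply suggests.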