On 11/12/2012 08:34 PM, Tim Eberhard wrote:
The SRX's behavior is if any packet passes over that session to reset
the timeout on that session, keep alive, data packet, whatever. As
long as it matches that session it will reset the timeout to the
default value and start decrementing again. So I'm not sure what you
mean when it says dropping tcp sessions with active TCP keepalives.


It might be worth noting that, on some systems, the wait before keepalives start being sent is quite long.

For example, it's 7200 seconds of inactivity on Linux, which is probably too long; the firewall will have expired the session before they start probing.

OTOH, maybe he's found / is describing a bug.
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
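
The timing point made in the reply above, as an added example that is not part of the original message or of any vendor code: it compares the Linux default keepalive idle time with a firewall idle timeout and sets per-socket keepalive values that start probing before the session would expire. The 1800-second firewall timeout, the 0.5 margin and the function names are assumptions made for illustration; the thread gives no firewall timeout value.

```python
import socket

LINUX_DEFAULT_KEEPIDLE_S = 7200   # Linux default idle time quoted in the message above
ASSUMED_FW_IDLE_TIMEOUT_S = 1800  # assumption: constructed value, the thread gives none


def first_probe_in_time(keepidle_s, fw_idle_timeout_s):
    """True if the first keepalive probe is sent before the firewall expires the idle session."""
    return keepidle_s < fw_idle_timeout_s


def pick_keepidle(fw_idle_timeout_s, margin=0.5):
    """Choose a keepalive idle time that is a fraction of the firewall idle timeout."""
    if fw_idle_timeout_s < 2:
        raise ValueError("firewall idle timeout is below the 1-second keepalive granularity")
    if not 0 < margin < 1:
        raise ValueError("margin must be between 0 and 1")
    return max(1, int(fw_idle_timeout_s * margin))


def enable_keepalive(sock, fw_idle_timeout_s, interval_s=30, probes=4):
    """Turn on keepalives for one socket and return the (idle, interval, probes) requested."""
    idle = pick_keepidle(fw_idle_timeout_s)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Per-socket overrides of the system-wide defaults (Linux option names).
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return idle, interval_s, probes


if __name__ == "__main__":
    print("default probes in time:",
          first_probe_in_time(LINUX_DEFAULT_KEEPIDLE_S, ASSUMED_FW_IDLE_TIMEOUT_S))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("per-socket settings:", enable_keepalive(s, ASSUMED_FW_IDLE_TIMEOUT_S))
```

Setting `SO_KEEPALIVE` alone leaves the 7200-second default in place, so the per-socket idle value is the part that matters here.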
