Benny,

I've been working with the SRX since before it was in beta, loading it up on a SSG550-M and NetScreen previous to that. TCP keepalives, or any TCP packet that traverses that session, have ALWAYS reset the timeout. The only time where you would see this "not working" is if you had a situation of asymmetric routing or some kind of crazy load balancing through firewalls.
This is a basic system function, and yes, tcp-syn-checking has everything to do with the session timeout problem. With tcp-syn-checking ANY data packet (keepalive, syn, ack, or a normal data packet) can create a new session, or in this case reestablish an existing connection.

Just so it's crystal clear here... If you have syn checking on:

  You open up a connection.
  Connection times out.
  All additional data meant for that specific session is dropped and a reset is sent in an attempt to reinitiate the connection (assuming tcp-rst is configured).
  The 3-way handshake MUST take place for a new session to be created.

If you have syn checking off:

  You open up a connection.
  Connection times out.
  The moment any data packet comes that is allowed by security policy, a session is created.

I hope this clears things up. If you still doubt this, feel free to reference Juniper's documentation:

http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-44055.html

-Tim Eberhard

On Mon, Nov 12, 2012 at 3:25 PM, Benny Amorsen <benny+use...@amorsen.dk> wrote:
> Tim Eberhard <xmi...@gmail.com> writes:
>
>> The SRX's behavior is if any packet passes over that session to reset
>> the timeout on that session, keep alive, data packet, whatever. As
>> long as it matches that session it will reset the timeout to the
>> default value and start decrementing again. So I'm not sure what you
>> mean when it says dropping tcp sessions with active TCP keepalives.
>
> I proposed using TCP keepalives to keep sessions alive. Julien Goodwin
> informed me that this did not work on the SRX, as of a few years ago.
>
> If that is fixed, all is well.
>
> None of which has anything to do with tcp-syn-checking.
>
>
> /Benny

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
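The two timelines Tim describes (keepalives refreshing a session's idle timer, and what happens to a non-SYN packet once the session has aged out, with syn checking on versus off) can be modelled with a small stateful session table. The following is an added, constructed example written for this page; it is not SRX code or Juniper's documentation, and the addresses, the 1800-second idle timeout and the keepalive intervals are made-up values chosen to make the behaviour visible.

```python
"""Toy model of a stateful firewall session table (constructed example, not SRX code).

It reproduces the two behaviours discussed in the thread:
  * any packet that matches an existing session refreshes that session's idle timer;
  * after a session has aged out, a non-SYN packet is dropped (and a reset returned)
    when syn checking is on, but creates a fresh session when syn checking is off.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float            # arrival time in seconds (constructed clock)
    flow: tuple         # session key, e.g. (src, sport, dst, dport, "tcp")
    syn: bool = False   # TCP SYN set: first leg of the 3-way handshake
    ack: bool = False   # TCP ACK set: keepalives and ordinary data carry ACK


class SessionTable:
    def __init__(self, idle_timeout, syn_check, send_rst=True):
        self.idle_timeout = idle_timeout
        self.syn_check = syn_check      # models the SRX tcp-syn-checking knob
        self.send_rst = send_rst        # models "assuming tcp-rst is configured"
        self.sessions = {}              # flow -> absolute expiry time
        self.log = []                   # (time, flow, event) for inspection

    def _expire(self, now):
        """Age out every session whose idle timer has run down by `now`."""
        for flow, expiry in list(self.sessions.items()):
            if expiry <= now:
                del self.sessions[flow]
                self.log.append((now, flow, "aged-out"))

    def process(self, pkt):
        """Return the verdict for one packet: 'forward', 'drop+rst' or 'drop'."""
        self._expire(pkt.t)
        if pkt.flow in self.sessions:
            # Any matching packet (keepalive, data, bare ACK) resets the idle timer
            # back to the full timeout and the countdown starts again.
            self.sessions[pkt.flow] = pkt.t + self.idle_timeout
            self.log.append((pkt.t, pkt.flow, "refresh"))
            return "forward"
        if (pkt.syn and not pkt.ack) or not self.syn_check:
            # No session: with syn checking on only a SYN may open one; with it off,
            # any policy-permitted packet recreates the session on the spot.
            self.sessions[pkt.flow] = pkt.t + self.idle_timeout
            self.log.append((pkt.t, pkt.flow, "create"))
            return "forward"
        verdict = "drop+rst" if self.send_rst else "drop"
        self.log.append((pkt.t, pkt.flow, verdict))
        return verdict


def run_scenario(syn_check, keepalive_interval, gap_after, idle_timeout=1800):
    """Open a session, send three keepalives, then go silent for `gap_after` seconds.

    Returns the list of verdicts for the five packets, in order.
    """
    flow = ("10.0.0.5", 40000, "192.0.2.10", 443, "tcp")   # constructed endpoints
    table = SessionTable(idle_timeout=idle_timeout, syn_check=syn_check)
    verdicts = [table.process(Packet(0, flow, syn=True))]
    t = 0
    for _ in range(3):
        t += keepalive_interval
        verdicts.append(table.process(Packet(t, flow, ack=True)))
    t += gap_after
    verdicts.append(table.process(Packet(t, flow, ack=True)))
    return verdicts


if __name__ == "__main__":
    # Keepalives every 600 s inside an 1800 s timeout keep the session alive; a 3600 s
    # silence then lets it age out, and the next bare ACK is handled per syn checking.
    print("syn-check on, keepalives < timeout:", run_scenario(True, 600, 3600))
    print("syn-check off, keepalives < timeout:", run_scenario(False, 600, 3600))
    # Keepalives every 2400 s are too slow for an 1800 s timeout, so with syn
    # checking on every keepalive after the first arrives at a dead session.
    print("syn-check on, keepalives > timeout:", run_scenario(True, 2400, 0))
```

The model shows why the keepalive interval has to be shorter than the firewall's idle timeout regardless of the syn-check setting: with syn checking on, a keepalive that lands after the session has aged out is dropped and answered with a reset, so the endpoints see the connection torn down even though they were sending keepalives; with syn checking off the same packet simply opens a new session.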