On Mon, Feb 29, 2016 at 04:52:34PM +0100, Youssef Bengelloun-Zahr wrote:
> Here is JTAC feedback regarding this :
>
> "As I have understood it till now, the issue is with the invalidated
> sessions seen on the SRX.
>
> Seeing some number of invalidated sessions on the SRX is a normal behavior.
> Each valid session for which a FIN is received would be moved to the
> invalidated sessions list and then discarded from the SRX completely.
> While a new session is getting established, it would be in the invalidated
> sessions list until the tcp handshake completes and then the session is
> moved to the valid session list.
> Hence, the number of invalidated sessions seen at a particular time on the
> SRX depends on the two factors mentioned above.
>
> Please confirm if you are referring to the following forum post :-
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB23462
> http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-the-quot-Invalidated-sessions-quot/td-p/172518
>
> If yes, I have gone through the internal PR mentioned in that link and
> reviewed it. That PR is not applicable to the version 12.3X48-D20 which is
> running on the SRX."
>
> I'm still for a feedback about which models / OS versions are affected by
> this.

I had ~50k active sessions on both - node0 had ~5k invalidated and node1
had 250k invalidated sessions - half of the available 500k max. After a
reboot node1 is down to ~5k invalidated sessions again.

So - yes - invalidated sessions are normal and appear - but I don't think
half of the max sessions is right.

I found the invalidated sessions because we had reachability issues when
node0 spiked to ~240k active sessions and would not set up more active
sessions. My interpretation was that it wouldn't allow new sessions because
node0 active + node1 invalidated sessions were near max sessions.

This is why I was initially asking for monitoring of invalidated sessions,
as they piled up over time on one of the nodes.

Flo
-- 
Florian Lohoff f...@zz.de
We need to self-defend - GnuPG/PGP enable your email today!
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
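
The monitoring asked for in the message above could look like the following added example, which is not part of the original message or any Juniper tooling. It assumes the per-node text layout of `show security flow session summary`; the sample text is constructed, and the 10% and 90% thresholds and the function names are hypothetical.

```python
import re

# Constructed sample text (not from the thread). The layout and field labels
# are assumed to match "show security flow session summary" on a cluster;
# the counts are the approximate ones quoted in the message above.
SAMPLE = """\
node0:
  Valid sessions: 50000
  Invalidated sessions: 5000
Maximum-sessions: 500000
node1:
  Valid sessions: 50000
  Invalidated sessions: 250000
Maximum-sessions: 500000
"""

FIELDS = {"Valid sessions": "valid",
          "Invalidated sessions": "invalidated",
          "Maximum-sessions": "maximum"}

def parse_summary(text):
    """Return {node: {"valid": n, "invalidated": n, "maximum": n}}."""
    nodes, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"node\d+:", stripped):
            current = nodes.setdefault(stripped[:-1], {})
            continue
        m = re.fullmatch(r"([A-Za-z][A-Za-z -]*):\s*(\d+)", stripped)
        if m and m.group(1) in FIELDS:
            if current is None:          # standalone device, no node header
                current = nodes.setdefault("local", {})
            current[FIELDS[m.group(1)]] = int(m.group(2))
    return nodes

def check(nodes, node_ratio=0.10, combined_ratio=0.90):
    """Alert on per-node invalidated build-up and on combined pressure."""
    alerts = []
    for name, c in sorted(nodes.items()):
        if c["invalidated"] >= node_ratio * c["maximum"]:
            alerts.append(f"{name}: {c['invalidated']} invalidated of {c['maximum']}")
    # Poster's interpretation (an assumption here, not confirmed behaviour):
    # active on one node plus invalidated on the other share one limit.
    worst = (max(c["valid"] for c in nodes.values())
             + max(c["invalidated"] for c in nodes.values()))
    limit = min(c["maximum"] for c in nodes.values())
    if worst >= combined_ratio * limit:
        alerts.append(f"cluster: {worst} of {limit} sessions accounted for")
    return alerts

if __name__ == "__main__":
    for alert in check(parse_summary(SAMPLE)):
        print(alert)
```

Run periodically against collected output, the per-node check catches the slow build-up on one node before the combined check fires during a traffic spike.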