
How is the session timeout adjusted after a failover occurs in an NSRP Active/Passive environment?


Article ID: KB10027 | KB Last Updated: 30 Jan 2012 | Version: 5.0
Summary:
When a failover occurs with a pair of Active/Passive firewalls, how is the timeout for the sessions adjusted?
Symptoms:
When a failover occurs with a pair of Active/Passive firewalls running NSRP, how is the timeout for the sessions adjusted?
Solution:

In an NSRP Active/Passive environment, sessions on the backup firewall are created with a timeout of 8 times the service timeout defined on the master firewall. If the firewall fails over from Master to Backup, the following happens to the timeout settings:

  1. The new backup firewall automatically adjusts the session timeout to 8 times the defined service timeout.
  2. The new master firewall keeps the session timeout it had as backup until a new incoming packet refreshes the session timeout to the defined service timeout.

In other words, the new master firewall does not decrease the session timeout to the defined service timeout until a new packet arrives that matches the session and therefore causes the timeout to be reset to the defined service timeout.


For example:
FWA (master) has a session with a timeout that has decremented from a defined service timeout of 1800 seconds to 1680 seconds, and the corresponding session on FWB (backup) has decremented from 14400 seconds to 14280 seconds:

FWA (master) session A has timeout value of 1680 sec
FWB (backup) session A has timeout value of 13440 sec

A failover occurs.  The timeout settings will be as follows:

FWB (new master) session A will have a timeout value of 13440 seconds until a new incoming packet refreshes it.
FWA (new backup) session A will have a timeout value of 14400 seconds.
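
The failover rules above, replayed with the article's numbers as a small Python model. This is an added illustration, not Juniper code or ScreenOS output: the `Firewall` class and the `failover`, `packet`, `idle` and `article_example` names are hypothetical. It assumes one service timeout for all sessions and ages sessions only on the master, in wall-clock seconds; backup ageing is not modelled.

```python
"""Model of the NSRP Active/Passive session-timeout behaviour described above."""
from dataclasses import dataclass, field

BACKUP_FACTOR = 8  # backup holds sessions at 8x the defined service timeout


@dataclass
class Firewall:
    name: str
    role: str                                     # "master" or "backup"
    sessions: dict = field(default_factory=dict)  # session id -> seconds left

    def packet(self, sid, service_timeout):
        """A matching packet resets the master's session to the defined timeout."""
        if self.role == "master" and sid in self.sessions:
            self.sessions[sid] = service_timeout

    def idle(self, seconds):
        """Age sessions on the master (assumption); backup ageing is not modelled."""
        if self.role == "master":
            self.sessions = {s: t - seconds for s, t in self.sessions.items()
                             if t - seconds > 0}


def failover(master, backup, service_timeout):
    """Swap roles and apply the two timeout rules from the article."""
    master.role, backup.role = "backup", "master"
    # Rule 1: the new backup resets each session to 8x the defined timeout.
    master.sessions = {s: BACKUP_FACTOR * service_timeout for s in master.sessions}
    # Rule 2: the new master keeps its inflated value until traffic arrives.
    return backup, master   # (new master, new backup)


def article_example(service_timeout=1800):
    """Replay the article's numbers; returns the timeouts seen at each step."""
    fwa = Firewall("FWA", "master", {"A": 1680})    # values from the article
    fwb = Firewall("FWB", "backup", {"A": 13440})
    new_master, new_backup = failover(fwa, fwb, service_timeout)
    after_failover = (new_master.sessions["A"], new_backup.sessions["A"])
    new_master.idle(service_timeout)            # no traffic for a full service timeout
    still_idle = new_master.sessions.get("A")   # session has not expired
    new_master.packet("A", service_timeout)     # first matching packet arrives
    return after_failover, still_idle, new_master.sessions["A"]


if __name__ == "__main__":
    print(article_example())
```

The middle value shows the operational consequence: a session that sees no traffic after failover stays in the new master's table well past the defined service timeout.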

 

