
[ScreenOS] Integrated AV (Anti-Virus) processes HTTP/1.0 differently from HTTP/1.1


Article ID: KB21690   KB Last Updated: 25 Aug 2011   Version: 1.0
Summary:
This article describes an issue in which only about 2000 sessions are created for traffic matching an AV policy on an SSG350.
Symptoms:
During session ramp-up testing with IxLoad (Ixia), only 1998 AV sessions were created, even though the maximum number of AV sessions is 16,000.

Testing was performed on an SSG350 running ScreenOS 6.2.0r10.

<App Session>
Max. Sessions: 16000
Init. Sessions: 3200
Total Alloc Sessions: 111904
Total Free Sessions: 109906
Tcp Sessions: 1998
Active Sessions: 1998
Run out of packet count: 0

The 2000 count correlates to 'anti virus req queue size number: 2000' (from 'get sys-cfg | inc anti.virus'). This value means that the firewall can queue up to 2000 scan results. The firewall takes each scan result from the queue and then permits or denies the corresponding traffic.

  • In HTTP/1.0, the connection is closed by default once the server has sent all the data for the "GET" to the client.
  • In HTTP/1.1, persistent connections are the default behavior of every connection (refer to the relevant RFC).


Integrated AV (Anti-Virus) treats HTTP/1.0 traffic differently from HTTP/1.1 traffic.

With HTTP/1.0 traffic, the firewall does not send data to AV scanning until a FIN from the HTTP server is received. (The debug line 'HTTP: hdr conn: Close' means that it needs to wait for the FIN from the server.) Since the queue length is 2000 (anti virus req queue size number: 2000), only 2000 sessions are created. Additionally, the requested data from the server in the '200 OK' response is received by the firewall but is not sent to the client, because the firewall is still waiting for the FIN from the server.

Relevant debug:

HTTP 1.0:

## 2011-07-21 12:06:49 : HTTP: hdr parse stage: 1
## 2011-07-21 12:06:49 : HTTP: hdr parse search result: 1
## 2011-07-21 12:06:49 : HTTP: hdr parse stage: 8
## 2011-07-21 12:06:49 : HTTP: hdr conn: Close   <<<<<<======== Firewall is waiting for FIN
## 2011-07-21 12:06:49 : HTTP: hdr parse stage: 1
## 2011-07-21 12:06:49 : HTTP: hdr parse search result: 12
## 2011-07-21 12:06:49 : HTTP: hdr parse stage: 1
## 2011-07-21 12:06:49 : HTTP: hdr parse search result: 11
## 2011-07-21 12:06:49 : HTTP: hdr parse stage: 14
## 2011-07-21 12:06:49 : HTTP: leftover hdr data! 189 1460
..
## 2011-07-21 12:06:49 : APPPRY: HTTP res header Connection close, res has body.
..
## 2011-07-21 12:06:49 : APPPRY: HTTP res body end by FIN for connection close.
..


HTTP 1.1:

## 2011-07-21 14:01:21 : HTTP: hdr parse stage: 1
## 2011-07-21 14:01:21 : HTTP: hdr parse search result: 11
## 2011-07-21 14:01:21 : HTTP: hdr parse stage: 14
## 2011-07-21 14:01:21 : HTTP: leftover hdr data! 170 1460
..
## 2011-07-21 14:01:21 : APPPRY: HTTP res header Content Length > 0, res has body.
..
## 2011-07-21 14:01:21 : APPPRY: HTTP res body end by content length.
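
To make the difference between the two debug traces above concrete, the following is an added example (Python written for this article, not ScreenOS code) that models how an inline scanning proxy decides where a response body ends: a 'Connection: close' response is complete only at the server's FIN and therefore holds a scan-result queue slot until then, while a response with a Content-Length can be released as soon as the declared number of body bytes has arrived. Checking 'Connection: close' before Content-Length follows the order of the APPPRY debug lines above and is an assumption about the exact firewall logic; the three sample responses are constructed for the demonstration.

```python
# Added example (not ScreenOS code): how an inline HTTP scanning proxy decides
# where a response body ends, which in turn decides how long the response
# occupies a scan-result queue slot.  The Connection/Content-Length priority
# follows the order of the article's APPPRY debug lines and is an assumption
# about the exact firewall logic; the sample responses are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class BodyEnd:
    mode: str                # "fin" or "content-length"
    length: Optional[int]    # expected body bytes when mode == "content-length"

    @property
    def holds_slot_until_fin(self) -> bool:
        """A FIN-delimited response keeps its queue slot until the server closes."""
        return self.mode == "fin"


def parse_response_header(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a raw response into status line, lower-cased header map and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def body_end_rule(raw: bytes) -> BodyEnd:
    """Decide how the end of the response body will be detected."""
    status, headers, _ = parse_response_header(raw)
    version = status.split(" ", 1)[0]                  # e.g. "HTTP/1.0"
    conn = headers.get("connection", "").lower()
    # HTTP/1.0 closes after the response unless keep-alive was negotiated;
    # HTTP/1.1 is persistent unless the server says "Connection: close".
    closing = conn == "close" or (version == "HTTP/1.0" and conn != "keep-alive")
    if closing:
        # Mirrors "HTTP res body end by FIN for connection close."
        return BodyEnd("fin", None)
    if "content-length" in headers:
        # Mirrors "HTTP res body end by content length."
        return BodyEnd("content-length", int(headers["content-length"]))
    # No framing information at all: only the server's FIN can end the body.
    return BodyEnd("fin", None)


def body_complete(rule: BodyEnd, body: bytes, fin_seen: bool) -> bool:
    """Can the scanner release this response (and free its queue slot) yet?"""
    if rule.mode == "content-length":
        return len(body) >= (rule.length or 0)
    return fin_seen


# Constructed sample responses (not from the article's capture).
HTTP10_CLOSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
                b"Connection: close\r\n\r\nhello")
HTTP11_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 b"Content-Length: 5\r\n\r\nhello")
# The shape of traffic the IxLoad change in the Solution produces:
# HTTP/1.0 with keep-alive enabled.
HTTP10_KEEPALIVE = (b"HTTP/1.0 200 OK\r\nConnection: keep-alive\r\n"
                    b"Content-Length: 5\r\n\r\nhello")


def demo() -> dict[str, bool]:
    """For each sample: is the body complete once all body bytes have arrived
    but before the server has sent FIN?"""
    samples = (("http10_close", HTTP10_CLOSE),
               ("http11_length", HTTP11_LENGTH),
               ("http10_keepalive", HTTP10_KEEPALIVE))
    return {
        name: body_complete(body_end_rule(raw), parse_response_header(raw)[2],
                            fin_seen=False)
        for name, raw in samples
    }


if __name__ == "__main__":
    for name, done in demo().items():
        print(f"{name:17s} complete before FIN: {done}")
```

Run as a script, it reports that only the HTTP/1.0 'Connection: close' sample is still incomplete once its bytes have arrived, which is exactly the response that sits in the 2000-entry result queue until the server's FIN. A proxy following RFC 7230 strictly would honour Content-Length even on a closing connection; the model deliberately keeps the behaviour the article describes.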
Solution:
To resolve this issue, change the IxLoad setting for HTTP/1.0 traffic by enabling 'keep-alive' and choosing 'Maximum Possible' under 'Transactions per TCP connection'.