
[SRX] Session count different between nodes in "show security flow session summary"


Article ID: KB35113 KB Last Updated: 10 Oct 2019Version: 1.0
Summary:

This article explains why session counts could vary between the nodes of an SRX cluster, and whether any action must be taken to resolve the difference.

Symptoms:

Users may find a mismatch in the number of sessions between the nodes of an SRX cluster in the output of the "show security flow session summary" command.

user@node0> show security flow session summary
node0:
--------------------------------------------------------------------------
Unicast-sessions: 1450 <<<<<<<<<<<<<
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 1780
Valid sessions: 1450
Pending sessions: 0
Invalidated sessions: 330
Sessions in other states: 0
Maximum-sessions: 10485760

node1:
--------------------------------------------------------------------------
Unicast-sessions: 1699 <<<<<<<<<<<<<
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 1846
Valid sessions: 1699
Pending sessions: 0
Invalidated sessions: 147
Sessions in other states: 0
Maximum-sessions: 10485760

Cause:

Some possible reasons for the values to be different are as follows:

  • By design, when a session is closed on the primary node, the session-close sync message (run-time object, or RTO) is not sent to the secondary node immediately; instead, the primary node waits and sends several RTOs to the backup node as a batch. This slight delay means that sessions which have already been closed on the primary node can still exist on the secondary node.

  • When stand-alone/orphan (non-reth) interfaces are used, sessions from these interfaces are not synchronized between nodes. They exist only on the node where the interface exists (unless Z-mode is in use).

  • When there is packet loss on the fabric link, it could cause session-create or session-close RTOs to be lost, which would affect session synchronization between nodes.
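As an added example (not part of the KB article), the following Python script parses the command output shown above into per-node counters, checks that Sessions-in-use equals the sum of the per-state counters (this holds for the sample output; that it holds in general is an assumption), and reports the per-counter difference between the two nodes so an operator can see exactly where the counts diverge.

```python
import re

# Constructed sample, abridged from the node0/node1 output quoted in the article.
SAMPLE = """\
node0:
----
Unicast-sessions: 1450 <<<<<<<<<<<<<
Sessions-in-use: 1780
Valid sessions: 1450
Pending sessions: 0
Invalidated sessions: 330
Sessions in other states: 0

node1:
----
Unicast-sessions: 1699 <<<<<<<<<<<<<
Sessions-in-use: 1846
Valid sessions: 1699
Pending sessions: 0
Invalidated sessions: 147
Sessions in other states: 0
"""

NODE_RE = re.compile(r"^(node\d+):")
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s+(\d+)")  # ignores trailing markers
STATE_COUNTERS = ("Valid sessions", "Pending sessions",
                  "Invalidated sessions", "Sessions in other states")

def parse_session_summary(text: str) -> dict[str, dict[str, int]]:
    """Return {node: {counter: value}} for every node block in the output."""
    nodes: dict[str, dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NODE_RE.match(line)):
            current = m.group(1)
            nodes[current] = {}
        elif (m := COUNTER_RE.match(line)) and current is not None:
            nodes[current][m.group(1)] = int(m.group(2))
    return nodes

def in_use_consistent(counters: dict[str, int]) -> bool:
    """Sessions-in-use == sum of per-state counters; true for the sample, assumed general."""
    return counters["Sessions-in-use"] == sum(counters[k] for k in STATE_COUNTERS)

def compare_nodes(text: str, a: str = "node0", b: str = "node1") -> dict[str, int]:
    """Per-counter difference b - a, showing where the two nodes diverge."""
    nodes = parse_session_summary(text)
    return {k: nodes[b][k] - nodes[a][k] for k in nodes[a] if k in nodes[b]}
```

For the sample, the node with fewer valid sessions (node0) also carries more invalidated sessions, which is the pattern the batched session-close RTOs described above would produce.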

Solution:

As explained in the previous section, it is normal for these values to differ. However, if you have reason to suspect any fabric link issues, the following documentation might prove useful:
