
Cannot establish a connection to the server after several minutes of activity.

Article ID: KB5171
KB Last Updated: 22 Jul 2010
Version: 3.0
Summary:
Cannot establish a connection to the server after several minutes of activity.
Symptoms:
  • Running application through a VPN tunnel
  • Session times out on NetScreen
  • Server application timeout larger than NetScreen service timeout
  • Client application is unable to re-establish a connection to the server after several minutes of activity.

Solution:

A NetScreen device will not pass a non-SYN TCP packet through a tunnel unless it matches an existing session. In ScreenOS 3.0.1 and higher, the CLI command 'unset flow tcp-syn-check-in-tunnel' was added to allow a new session to be created without a SYN packet.

Here is the problem or goal:

  • Client application is unable to re-establish a connection to the server after several minutes of activity.

Problem Environment:

  • Running application through a VPN tunnel
  • Session times out on NetScreen
  • Server application timeout larger than NetScreen service timeout

Causes of this problem:

  • Sometimes a session ages out on the NS1000 before the client/server application ages out the session. The client/server then tries to use the aged-out session and does not send a SYN packet to begin establishing a new session. All versions of ScreenOS check for a SYN packet before allowing a session to be created through a tunnel. By default, all TCP packets that are not SYN packets are dropped if a session does not exist.
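
The age-out behaviour described above can be reproduced with a small model of the session lookup. This is an added example, not Juniper or ScreenOS code; the class and function names, the timeout values (in seconds) and the addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class TunnelFlowTable:
    """Toy model of the tunnel session check in this article (not ScreenOS code)."""
    service_timeout: int               # idle seconds before a session ages out (assumed unit)
    syn_check_in_tunnel: bool = True   # True = default; False = 'unset flow tcp-syn-check-in-tunnel'
    sessions: dict = field(default_factory=dict)  # flow 4-tuple -> time last seen

    def age_out(self, now):
        # Remove every session that has been idle for the service timeout or longer.
        expired = [k for k, seen in self.sessions.items()
                   if now - seen >= self.service_timeout]
        for key in expired:
            del self.sessions[key]

    def handle(self, now, flow, syn=False):
        self.age_out(now)
        if flow in self.sessions:
            self.sessions[flow] = now          # refresh the idle timer
            return "forward (existing session)"
        if syn or not self.syn_check_in_tunnel:
            self.sessions[flow] = now          # session created for this packet
            return "forward (new session)"
        return "drop (non-SYN, no session)"


def replay(syn_check, service_timeout=1800, idle_gap=2400):
    """Client connects, sends data, idles for idle_gap seconds, then sends data again."""
    fw = TunnelFlowTable(service_timeout, syn_check)
    flow = ("10.1.1.10", 40000, "10.2.2.20", 1521)  # constructed client/server 4-tuple
    results = [fw.handle(0, flow, syn=True)]         # initial SYN
    results.append(fw.handle(60, flow))              # data on the live session
    results.append(fw.handle(60 + idle_gap, flow))   # data after the idle period
    return results


if __name__ == "__main__":
    for check in (True, False):
        print("syn check on" if check else "syn check off", replay(check))
```

With the check disabled, any non-SYN TCP packet the policy permits creates a session in the tunnel, not only packets belonging to the connection that aged out.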

Applicable Products:

  • NetScreen-5XP
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500
  • NetScreen-1000

Applicable ScreenOS:

  • 2.6.0
  • 2.6.1
  • 2.7.1
  • 2.8.0
  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.0.3
  • 3.1.0
  • 4.0.0
  • 4.0.0-DIAL

