
[ScreenOS] Long, active sessions missing on backup NSRP firewall

Article ID: KB7701 KB Last Updated: 13 May 2020Version: 6.0
Summary:

Sessions are cleared on the NSRP backup unit before they are closed on the master.  When the firewall fails over, those sessions fail or their packets are dropped.  This article also explains the session timeout behavior on the backup firewall.

Symptoms:

Sessions on the backup firewall are cleared before the session is closed on the master.  Therefore, in case of a fail over, the traffic gets interrupted.

Long, active sessions missing on the backup firewall could be 'as-expected'.  Here's why, with an explanation of the session timeout behavior on the backup firewall:

  • When a new session is created on a pair of firewalls configured with NSRP, the session is created on the master with the configured session timeout/ageout, e.g. 1800 seconds for a TCP session.
  • When the session is synced over to the backup firewall, the session is created there with a timeout value of 8 times the timeout configured on the master, e.g. 14400 seconds for a TCP session.
  • The session timeout value continues to count down on the backup, even while the session timeout on the master is being refreshed by matching traffic.
  • If a session is closed on the master, then the session is also closed on the backup.
  • However, if a session stays open on the master and the timeout on the backup is reached, then the session on the backup is closed.  The problem with this is that if a failover does occur, the session will not exist on the new master, so the traffic for that session can be dropped.
Solution:

Set the following command on the firewall:

set nsrp rto session ageout-ack

With this command set, the backup firewall checks with the master firewall before removing a session table entry, and handles the following two conditions:

  1. If the master firewall's session is active and its timer is at the service maximum, then the backup's session timeout value is reset to 8 times the master's timeout (just as at session initiation).

  2. If the master firewall's session is active, but its timer is not at the service maximum (i.e. the timer is counting down because traffic is not matching the session), then the backup's session lifetime is set equal to the master's.

This command is also documented in the ScreenOS 6.3 IPv4 CLI Reference Guide: Command Descriptions manual:

  session ageout-ack     Specifies a time value based on which the backup device sends an ack message to the primary device to refresh its sessions or time them out.

The session age-out value of a backup device is eight times that of the primary device.
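The following simulation is an added illustration, not Juniper code; it models the timer rules described above (master refreshed by traffic, backup starting at 8 times the timeout and only counting down, and the two ageout-ack conditions) and reports when a long-lived, busy session would vanish from the backup. It assumes one-second ticks and treats "at the service maximum" as "refreshed by traffic in this tick".

```python
"""Added model (not Juniper code) of NSRP session ageing as described in
this article: the master's timer is refreshed by matching traffic; the
backup's copy starts at 8x the configured timeout and only counts down.
With 'set nsrp rto session ageout-ack' the backup asks the master before
deleting: active at service maximum -> reset to 8x, active but ageing ->
copy the master's remaining lifetime, closed on master -> close on backup.
Assumptions: one-second ticks; "at the service maximum" is modelled as
"refreshed by traffic in this tick"."""

BACKUP_MULTIPLIER = 8


def periodic_traffic(interval, duration):
    """Constructed sample traffic: one matching packet every `interval` s."""
    return set(range(interval, duration + 1, interval))


def first_backup_loss(timeout, traffic_times, duration, ageout_ack):
    """Return the first second at which the backup drops a session the
    master still holds (the failover hazard), or None if that never happens."""
    master = timeout                      # session created on the master
    backup = timeout * BACKUP_MULTIPLIER  # synced copy on the backup
    for t in range(1, duration + 1):
        # Master: traffic resets the timer, otherwise it counts down.
        master = timeout if t in traffic_times else master - 1
        if master <= 0:
            return None  # closed on the master, so closed on the backup too
        backup -= 1
        if backup > 0:
            continue
        if not ageout_ack:
            return t  # backup silently ages out a still-active session
        # ageout-ack: consult the master before removing the entry.
        backup = timeout * BACKUP_MULTIPLIER if master == timeout else master
    return None


if __name__ == "__main__":
    timeout, duration = 1800, 24 * 3600  # TCP default, one simulated day
    traffic = periodic_traffic(60, duration)  # busy, long-lived session
    print("without ageout-ack:", first_backup_loss(timeout, traffic, duration, False))
    print("with ageout-ack:   ", first_backup_loss(timeout, traffic, duration, True))
```

With the default 1800-second TCP timeout, a session that sees traffic every minute disappears from the backup after 14400 seconds (four hours) unless ageout-ack is set.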

Modification History:
2020-05-03: Article reviewed for accuracy. Added [ScreenOS] tag in the title. Replaced command reference guide hyperlink from ScreenOS 6.0 to 6.3.
