    Understanding Policy Application Timeouts Contingencies

    When setting timeouts, be aware of the following contingencies:

    • If an application contains several application rule entries, all rule entries share the same timeout. The timeout table is updated for each rule entry that matches the protocol (for UDP and TCP—other protocols use the default). You need to define the application timeout only once. For example, if you create an application with two rules, the following commands will set the timeout to 20 seconds for both rules:
      user@host# set applications application test protocol tcp destination-port 1035-1035 inactivity-timeout 20
      user@host# set applications application test term test protocol udp
      user@host# set applications application test term test source-port 1-65535
      user@host# set applications application test term test destination-port 1111-1111
    • If multiple custom applications are configured with custom timeouts, then each application will have its own custom application timeout. For example:
      user@host# set applications application ftp-1 protocol tcp source-port 0-65535 destination-port 2121-2121 inactivity-timeout 10
      user@host# set applications application telnet-1 protocol tcp source-port 0-65535 destination-port 2100-2148 inactivity-timeout 20

      With this configuration, Junos OS applies a 10-second timeout for destination port 2121 and a 20-second timeout for destination port 2100 in an application group.

    • If you unset an application timeout, the default protocol-based timeout in the application entry database is used, and the timeout values in both the application entry and port-based timeout tables are updated with the default value.

      If the modified application has overlapping destination ports with other applications, the default protocol-based timeout might not be the desired value. In that case, reboot Junos OS, or set the application timeout again for the desired timeout to take effect.

    • When you modify a predefined application and reboot, the modified application might not be the last one in the configuration. This is because predefined applications are loaded before custom applications, and any change made to a custom application, even if made earlier, will show as later than the predefined application change when you reboot.

      For example, suppose you create the following application:

      user@host# set applications application my-application protocol tcp destination-port 179-179 inactivity-timeout 20

      Later you modify the timeout of the predefined application BGP as follows:

      user@host# set applications application bgp inactivity-timeout 75

      The BGP application will use the 75-second timeout value, because it is now written to the application entry database. But the timeout for port 179, the port BGP uses, is also changed to 75 in the TCP port-based timeout table. After you reboot, the BGP application will continue to use the 75-second timeout that, as a single application, it gets from the application entry database. But the timeout in the TCP port-based table for port 179 will now be 60. You can verify this by entering the show applications application bgp command.

      The BGP application has no effect on single applications. But if you add BGP or my-application to an application group, the 60-second timeout value will be used for destination port 179. This is because the application group timeout is taken from the port-based timeout table, if one is set.

      To ensure predictability when you modify a predefined application timeout, therefore, you can create a similar application, for example:

      user@host# set applications application my-bgp protocol tcp destination-port 179-179 inactivity-timeout 75
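
    One way to audit a configuration for the overlapping-port contingency described above, as an added example that is not Juniper code: the Python below parses set applications lines and reports custom applications whose TCP or UDP destination ports overlap but carry different inactivity timeouts, which is where the port-based timeout table used by application groups can hold a value you did not intend. The sample configuration is constructed, the names parse and conflicts are hypothetical, and predefined applications are not covered because their ports do not appear in set commands.

```python
import re
from itertools import combinations

LINE = re.compile(r"set applications application (\S+)(?: term (\S+))? (.+)")

# Constructed sample, modelled on the set commands shown on this page.
SAMPLE = """\
user@host# set applications application my-application protocol tcp destination-port 179-179 inactivity-timeout 20
user@host# set applications application my-bgp protocol tcp destination-port 179-179 inactivity-timeout 75
user@host# set applications application test protocol tcp destination-port 1035-1035 inactivity-timeout 20
user@host# set applications application test term test protocol udp
user@host# set applications application test term test destination-port 1111-1111
"""

def parse(config):
    """Return {app: {"timeout": str or None, "entries": {term: {option: value}}}}."""
    apps = {}
    for m in LINE.finditer(config):  # finditer ignores any prompt before "set"
        name, term, rest = m.groups()
        app = apps.setdefault(name, {"timeout": None, "entries": {}})
        entry = app["entries"].setdefault(term, {})
        tokens = rest.split()
        for key, value in zip(tokens[::2], tokens[1::2]):
            if key == "inactivity-timeout":
                app["timeout"] = value  # one timeout shared by all rule entries
            else:
                entry[key] = value
    return apps

def port_range(text):
    """Accept either a single port ("179") or a range ("2100-2148")."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def conflicts(config):
    """Custom applications whose destination ports overlap with different timeouts."""
    rows = []
    for name, app in parse(config).items():
        for entry in app["entries"].values():
            proto, ports = entry.get("protocol"), entry.get("destination-port")
            if app["timeout"] and proto in ("tcp", "udp") and ports:
                rows.append((name, proto, *port_range(ports), app["timeout"]))
    return [(a[0], b[0], a[1], max(a[2], b[2]), min(a[3], b[3]))
            for a, b in combinations(rows, 2)
            if a[0] != b[0] and a[1] == b[1] and a[4] != b[4]
            and a[2] <= b[3] and b[2] <= a[3]]

if __name__ == "__main__":
    print(conflicts(SAMPLE))
```

    Each reported tuple names the two applications, the protocol, and the shared destination-port range to review before either application is placed in an application group.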

    Published: 2012-06-29