Example: Controlling Session Termination for J Series Services Routers

This example shows how to terminate sessions based on a timeout value or the number of sessions in the session table.

Requirements

Before you begin:

Overview

Junos OS terminates sessions normally under certain circumstances, for example after receiving a TCP FIN (finish) or RST (reset) segment, when encountering ICMP errors for UDP, and when no matching traffic is received before the service timeout expires. When sessions are terminated, their resources are freed for use by other sessions.

To control when sessions are terminated, you configure the router to age out sessions after a specified period of time, when the number of sessions in the session table reaches a specified percentage of the table's capacity, or both. When the session count reaches the high-water mark, the router begins to age out sessions aggressively, applying the early-ageout timeout instead of the normal service timeout to idle sessions. When the session count falls to the low-water mark, the router stops aggressively aging sessions. The low-water mark must be lower than the high-water mark; the gap between the two keeps the router from switching aggressive aging on and off repeatedly while the session count hovers around a single threshold.
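The following Python model illustrates the watermark behaviour described above. It is an added example written for this page, not Junos OS code: a session table of constructed size and constructed sessions, aged with the page's values (early-ageout 2 seconds, high-water mark 90 percent, low-water mark 50 percent). It shows the point the prose makes but a command listing cannot: two tables at the same 70 percent occupancy behave differently depending on whether the high-water mark was crossed earlier, because aggressive aging stays on until the table drains to the low-water mark.

```python
"""Model of aggressive session aging with high/low watermarks.

Added illustration for this page, not Junos OS code. Capacity, timestamps,
service timeouts and session counts below are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: int
    last_seen: float         # time (seconds) of the last matching packet
    service_timeout: float   # normal idle timeout for this service


@dataclass
class SessionTable:
    capacity: int
    high_watermark: int = 90     # percent of capacity at which aggressive aging starts
    low_watermark: int = 50      # percent of capacity at which aggressive aging stops
    early_ageout: float = 2.0    # idle seconds tolerated while aging aggressively (page value)
    sessions: dict = field(default_factory=dict)
    aggressive: bool = False

    def __post_init__(self) -> None:
        # The low-water mark must sit below the high-water mark, or the mode would never settle.
        if not 0 < self.low_watermark < self.high_watermark <= 100:
            raise ValueError("need 0 < low-watermark < high-watermark <= 100")

    def utilisation(self) -> float:
        return 100.0 * len(self.sessions) / self.capacity

    def add(self, s: Session) -> bool:
        if len(self.sessions) >= self.capacity:
            return False            # table full: the new flow cannot be created
        self.sessions[s.sid] = s
        return True

    def _update_mode(self) -> None:
        # Hysteresis: enter aggressive mode at the high-water mark, leave it only
        # once utilisation has dropped to the low-water mark.
        util = self.utilisation()
        if not self.aggressive and util >= self.high_watermark:
            self.aggressive = True
        elif self.aggressive and util <= self.low_watermark:
            self.aggressive = False

    def age(self, now: float) -> list[int]:
        """Run one aging pass at time `now`; return the ids of removed sessions."""
        self._update_mode()
        removed = []
        for sid, s in list(self.sessions.items()):
            idle = now - s.last_seen
            limit = min(s.service_timeout, self.early_ageout) if self.aggressive else s.service_timeout
            if idle >= limit:
                removed.append(sid)
                del self.sessions[sid]
        self._update_mode()         # the pass itself may have drained the table
        return removed


def fill(table: SessionTable, n_idle: int, n_fresh: int, now: float,
         idle_for: float = 5.0, service_timeout: float = 1800.0) -> None:
    """Constructed sessions: n_idle quiet for `idle_for` s, n_fresh seen 0.5 s ago."""
    sid = len(table.sessions)
    for _ in range(n_idle):
        table.add(Session(sid, now - idle_for, service_timeout)); sid += 1
    for _ in range(n_fresh):
        table.add(Session(sid, now - 0.5, service_timeout)); sid += 1


def demo_below_high_watermark() -> tuple[int, int, bool]:
    """70% full and the high-water mark was never crossed: idle sessions survive."""
    now = 1000.0
    t = SessionTable(capacity=100)
    fill(t, n_idle=20, n_fresh=50, now=now)
    removed = t.age(now)
    return len(removed), len(t.sessions), t.aggressive          # (0, 70, False)


def demo_aggressive_aging() -> list[tuple[int, int, bool]]:
    """92% full: aggressive aging starts and persists through 70% down to 30%."""
    now = 1000.0
    t = SessionTable(capacity=100)
    fill(t, n_idle=22, n_fresh=70, now=now)
    passes = []
    r = t.age(now)
    passes.append((len(r), len(t.sessions), t.aggressive))      # (22, 70, True)
    now += 3.0                                                  # 30 flows see traffic, 40 stay idle
    for s in list(t.sessions.values())[:30]:
        s.last_seen = now - 0.1
    r = t.age(now)
    passes.append((len(r), len(t.sessions), t.aggressive))      # (40, 30, False)
    now += 10.0                                                 # back to normal service timeouts
    r = t.age(now)
    passes.append((len(r), len(t.sessions), t.aggressive))      # (0, 30, False)
    return passes


if __name__ == "__main__":
    print("70% without crossing high-water mark:", demo_below_high_watermark())
    print("92% then aggressive aging, per pass:", demo_aggressive_aging())
```

The second pass in `demo_aggressive_aging` is the one to notice: the table is at 70 percent, the same occupancy as in `demo_below_high_watermark`, yet 40 sessions idle for only 3.5 seconds are dropped because aggressive aging is still in effect. A low early-ageout such as the page's 2 seconds therefore affects legitimate but quiet flows as well as the flood that filled the table, which is the trade-off to weigh when choosing the value.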

Configuration

CLI Quick Configuration

To quickly terminate sessions based on a timeout value or the number of sessions in the session table, copy the following commands and paste them into the CLI:

[edit]
set security flow aging early-ageout 2
set security flow aging high-watermark 90 low-watermark 50
set security flow tcp-session tcp-initial-timeout 280
set security flow tcp-session rst-invalidate-session

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To terminate sessions based on a timeout value or the number of sessions in the session table:

  1. Specify the number of seconds after which an idle session is invalidated while aggressive aging is in effect.
    [edit security flow]
    user@host# set aging early-ageout 2
  2. Specify the percentages of session table capacity at which aggressive aging starts (high-water mark) and stops (low-water mark).
    [edit security flow]
    user@host# set aging high-watermark 90 low-watermark 50
  3. Configure an explicit timeout, in seconds, after which a TCP session that has not completed the three-way handshake is removed from the session table.
    [edit security flow]
    user@host# set tcp-session tcp-initial-timeout 280
  4. Configure any session that receives a TCP RST segment to be invalidated.
    [edit security flow]
    user@host# set tcp-session rst-invalidate-session

Results

From configuration mode, confirm your configuration by entering the show security flow command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security flow
aging {
    early-ageout 2;
    low-watermark 50;
    high-watermark 90;
}
tcp-session {
    rst-invalidate-session;
    tcp-initial-timeout 280;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command. To see how many sessions are currently in the session table, and therefore how close the router is to the configured watermarks, enter the show security flow session summary command.
