Example: Controlling Session Termination for SRX Series Services Gateways

This example shows how to terminate sessions for SRX Series devices based on aging out after a certain period of time, or when the number of sessions in the session table is full or reaches a specified percentage. You specify a timeout value or the number of sessions in the session table.

Requirements

Before you begin, understand the circumstances for terminating sessions. See Understanding Session Characteristics for SRX Series Services Gateways.

Overview

You can control session termination in certain situations—for example, after receiving a TCP FIN Close or receiving an RST message, when encountering ICMP errors for UDP, and when no matching traffic is received before the service timeout. When sessions are terminated, their resources are freed up for use by other sessions.

In this example, you configure the following circumstances to terminate the session:

Configuration

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To control session termination for SRX Series devices:

  1. Specify an early ageout value for the session.

     [edit security flow]
     user@host# set aging early-ageout 20

  2. Configure the TCP initial session timeout value.

     [edit security flow]
     user@host# set tcp-session tcp-initial-timeout 280

  3. Invalidate any session that receives a TCP RST message.

     [edit security flow]
     user@host# set tcp-session rst-invalidate-session

  4. If you are done configuring the device, commit the configuration.

     [edit]
     user@host# commit
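The following is an added audit script, not code from the Juniper documentation: it parses the curly-brace text that `show security flow` displays in configuration mode and reports which of the session-termination settings from the procedure above are missing. The sample output, the watermark range check (0 <= low <= high <= 100) and the finding wording are assumptions made for this example; it also checks the high/low watermarks mentioned in the overview, which the steps above do not configure.

```python
# Added example, not Juniper's code: sample text and watermark semantics are assumptions.
# Constructed sample of what `show security flow` displays in configuration mode.
SAMPLE_FLOW_CONFIG = """\
aging {
    early-ageout 20;
    low-watermark 50;
    high-watermark 90;
}
tcp-session {
    rst-invalidate-session;
    tcp-initial-timeout 280;
}
"""

def parse_flow_config(text):
    """Return {stanza: {keyword: int | str | True}} from one level of Junos braces."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):                      # open a stanza such as "aging {"
            current = line[:-1].strip()
            stanzas.setdefault(current, {})
        elif line == "}":                           # close the current stanza
            current = None
        elif current is not None and line.endswith(";"):
            parts = line[:-1].split()
            value = parts[1] if len(parts) > 1 else True   # flag keyword carries no value
            if isinstance(value, str) and value.isdigit():
                value = int(value)
            stanzas[current][parts[0]] = value
    return stanzas

def audit_session_termination(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_flow_config(text)
    aging, tcp = cfg.get("aging", {}), cfg.get("tcp-session", {})
    findings = []
    if "early-ageout" not in aging:
        findings.append("aging early-ageout not set: idle sessions are not aged out early")
    if "high-watermark" not in aging or "low-watermark" not in aging:
        findings.append("aging watermarks not set: device defaults decide when early ageout starts")
    elif not 0 <= aging["low-watermark"] <= aging["high-watermark"] <= 100:
        findings.append("aging watermarks must be percentages with low <= high")
    if tcp.get("rst-invalidate-session") is not True:
        findings.append("tcp-session rst-invalidate-session not set: a TCP RST does not invalidate the session")
    if "tcp-initial-timeout" not in tcp:
        findings.append("tcp-session tcp-initial-timeout not set: the default initial timeout applies")
    return findings
```

Run `audit_session_termination()` over the output captured from a device; a non-empty list is the set of settings a reviewer would want explained or configured.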

Verification

To verify that the configuration is working properly, enter the show security flow command.
