Invalidated sessions are norma but it's not normal to have an increasing number of invalidated sessions which then prevent the box from passing traffic. This is our experience which has happened twice in 3 months. We saw a ramp up of invalidated sessions which peaked and then stopped all traffic until a reboot was actioned.
Mike On 1 March 2016 at 06:34, Florian Lohoff <[email protected]> wrote: > On Mon, Feb 29, 2016 at 04:52:34PM +0100, Youssef Bengelloun-Zahr wrote: > > Here is JTAC feedback regarding this : > > > > "As I have understood it till now, the issue is with the invalidated > > sessions seen on the SRX. > > > > Seeing some number of invalidated sessions on the SRX is a normal > behavior. > > Each valid session for which a FIN is received would be moved to the > > invalidated sessions list and then discarded from the SRX completely. > > While a new session is getting established, it would be in the > invalidated > > sessions list until the tcp handshake completes and then the session is > > moved to the valid session list. > > Hence, the number of invalidated sessions seen at a particular time on > the > > SRX depends on the two factors mentioned above. > > > > Please confirm if you are referring to the following forum post :- > > http://kb.juniper.net/InfoCenter/index?page=content&id=KB23462 > > > http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-the-quot-Invalidated-sessions-quot/td-p/172518 > > > > If yes, I have gone through the internal PR mentioned in that link and > > reviewed it. That PR is not applicable to the version 12.3X48-D20 which > is > > running on the SRX." > > > > I'm still for a feedback about which models / OS versions are affected by > > this. > > I had ~50k active Sessions on both - Node0 hat ~5k Invalidated > and node1 had 250k Invalidated sessions - Halve of the available 500k > max. After a reboot node1 is down to ~5k Invalidated sessions again. > > So - Yes - Invalidated sessions are normal and appear - but i dont > think half of the max sessions are right. > > I found the invalidated sessions because we had reachability issues > when node0 spiked to ~240k Active Sessions and would not setup more > active sessions. My interpretation what that it wouldnt allow new > sessions because node0 active + node1 invalidated sessions were > near max sessions. > > This is why i was initially asking for monitoring of invalidated > sessions as they over time piled up on one of the nodes. > > Flo > -- > Florian Lohoff [email protected] > We need to self-defend - GnuPG/PGP enable your email today! > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > > iQIVAwUBVtSdR5DdQSDLCfIvAQooiA/+OzXjP/+1ka/YQseHwUK2eYuX/1udzHkl > Pa/qW8wraw3mrfZ20J7h3yu+ESY1MB0mSqL8otmqG/2hvToK15sl/GW9WFVihlgg > pxM8/yNhVVCJ94ybBjknpcghIki/ywoH8z1IFQ+/DAipD5rMgYlU55A7ozxtSXiZ > YQ47NYud2HVfkRIiYS9Hg3lhVTeXUGdR1UpmhYTSlkidMwsYh9JHEgY00Zxb53j+ > Bu/ORUppsaeeIvUJ8qhMK9Wm47ZsNwShPRWoHi1nZ0NYrLBQj3KqLXP0w+a8zsIQ > aduF+ZvivduC+fAHLFAoERp4YCJu8l2LW7gWlO9euC8rSThbphGOSf93kOXvZ0/X > FCogcBU5/uAQRMLmz1wcJX/ztUCRcYF4qLzvyQPhfkYzbyqWNJeymJP6Rzt0iDyE > MkwilgIO3+DhSlSMTXt0+0t+mTxjrl7rhppC5ESNA2dzHzxiNpbgHDviXnKB5/V8 > 52PqnPaoIQlEWTZnVvRqsGvKhUgCPQqpMHAvxMJKNogM/ChX0OCN+49zxf+t5L9t > K+a05ZghLlBXbkW3dDszgrWBxJXiiJwNPsH1sWdDswvzGTJPPzIiuEKrnHLS2aLs > 77nax+ODN7Al+dKeWih7EW0pRBJ2KUgO31LE2wb+CXKTWZnm5cTUXtSzZD8s6liQ > KUI0Q5LQG3g= > =kOzD > -----END PGP SIGNATURE----- > > -- Michael Gehrmann Senior Network Engineer - Atlassian m: +61 407 570 658 _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp
