Hi, JTAC point me to this PR : https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1061067
This ressembles a lot to our environment (cluster + LSYS) but we are not affected as we are running 12.3X48-D20. HTH. 2016-02-29 23:35 GMT+01:00 Michael Gehrmann <[email protected]>: > Invalidated sessions are norma but it's not normal to have an increasing > number of invalidated sessions which then prevent the box from passing > traffic. This is our experience which has happened twice in 3 months. We > saw a ramp up of invalidated sessions which peaked and then stopped all > traffic until a reboot was actioned. > > Mike > > On 1 March 2016 at 06:34, Florian Lohoff <[email protected]> wrote: > >> On Mon, Feb 29, 2016 at 04:52:34PM +0100, Youssef Bengelloun-Zahr wrote: >> > Here is JTAC feedback regarding this : >> > >> > "As I have understood it till now, the issue is with the invalidated >> > sessions seen on the SRX. >> > >> > Seeing some number of invalidated sessions on the SRX is a normal >> behavior. >> > Each valid session for which a FIN is received would be moved to the >> > invalidated sessions list and then discarded from the SRX completely. >> > While a new session is getting established, it would be in the >> invalidated >> > sessions list until the tcp handshake completes and then the session is >> > moved to the valid session list. >> > Hence, the number of invalidated sessions seen at a particular time on >> the >> > SRX depends on the two factors mentioned above. >> > >> > Please confirm if you are referring to the following forum post :- >> > http://kb.juniper.net/InfoCenter/index?page=content&id=KB23462 >> > >> http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-the-quot-Invalidated-sessions-quot/td-p/172518 >> > >> > If yes, I have gone through the internal PR mentioned in that link and >> > reviewed it. That PR is not applicable to the version 12.3X48-D20 which >> is >> > running on the SRX." >> > >> > I'm still for a feedback about which models / OS versions are affected >> by >> > this. >> >> I had ~50k active Sessions on both - Node0 hat ~5k Invalidated >> and node1 had 250k Invalidated sessions - Halve of the available 500k >> max. After a reboot node1 is down to ~5k Invalidated sessions again. >> >> So - Yes - Invalidated sessions are normal and appear - but i dont >> think half of the max sessions are right. >> >> I found the invalidated sessions because we had reachability issues >> when node0 spiked to ~240k Active Sessions and would not setup more >> active sessions. My interpretation what that it wouldnt allow new >> sessions because node0 active + node1 invalidated sessions were >> near max sessions. >> >> This is why i was initially asking for monitoring of invalidated >> sessions as they over time piled up on one of the nodes. >> >> Flo >> -- >> Florian Lohoff [email protected] >> We need to self-defend - GnuPG/PGP enable your email today! >> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.10 (GNU/Linux) >> >> iQIVAwUBVtSdR5DdQSDLCfIvAQooiA/+OzXjP/+1ka/YQseHwUK2eYuX/1udzHkl >> Pa/qW8wraw3mrfZ20J7h3yu+ESY1MB0mSqL8otmqG/2hvToK15sl/GW9WFVihlgg >> pxM8/yNhVVCJ94ybBjknpcghIki/ywoH8z1IFQ+/DAipD5rMgYlU55A7ozxtSXiZ >> YQ47NYud2HVfkRIiYS9Hg3lhVTeXUGdR1UpmhYTSlkidMwsYh9JHEgY00Zxb53j+ >> Bu/ORUppsaeeIvUJ8qhMK9Wm47ZsNwShPRWoHi1nZ0NYrLBQj3KqLXP0w+a8zsIQ >> aduF+ZvivduC+fAHLFAoERp4YCJu8l2LW7gWlO9euC8rSThbphGOSf93kOXvZ0/X >> FCogcBU5/uAQRMLmz1wcJX/ztUCRcYF4qLzvyQPhfkYzbyqWNJeymJP6Rzt0iDyE >> MkwilgIO3+DhSlSMTXt0+0t+mTxjrl7rhppC5ESNA2dzHzxiNpbgHDviXnKB5/V8 >> 52PqnPaoIQlEWTZnVvRqsGvKhUgCPQqpMHAvxMJKNogM/ChX0OCN+49zxf+t5L9t >> K+a05ZghLlBXbkW3dDszgrWBxJXiiJwNPsH1sWdDswvzGTJPPzIiuEKrnHLS2aLs >> 77nax+ODN7Al+dKeWih7EW0pRBJ2KUgO31LE2wb+CXKTWZnm5cTUXtSzZD8s6liQ >> KUI0Q5LQG3g= >> =kOzD >> -----END PGP SIGNATURE----- >> >> > > > -- > Michael Gehrmann > Senior Network Engineer - Atlassian > m: +61 407 570 658 > -- Youssef BENGELLOUN-ZAHR _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp
