Example: Controlling Session Termination for J Series Services Routers
This example shows you how to terminate sessions based on a timeout value or the number of sessions in the session table.
Requirements
Before you begin:
- Configure security zones. See Security Zones and Interfaces Overview.
- Configure security policies. See Security Policies Configuration Overview.
Overview
JUNOS Software terminates sessions normally in certain situations—for example, after receiving a TCP FIN Close or a RST (reset) message, when encountering Internet Control Message Protocol (ICMP) errors for UDP, and when no matching traffic is received before the service timeout. When sessions are terminated, their resources are freed for use by other sessions.
To control when sessions are terminated, you configure the router to age out sessions after a certain period of time, when the number of sessions in the session table reaches a specified percentage, or both.
Configuration
CLI Quick Configuration
To quickly terminate sessions based on a timeout value or the number of sessions in the session table, copy the following commands and paste them into the CLI:
[edit security flow]
set aging early-ageout 2
set aging high-watermark 90 low-watermark 50
set tcp-session tcp-initial-timeout 280
set tcp-session rst-invalidate-session
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To terminate sessions based on a timeout value or the number of sessions in the session table:
- Specify the early-ageout value in units of 10 seconds; a session is invalidated after that interval. In this example, the session ages out after 20 seconds.
[edit security flow]
user@host# set aging early-ageout 2
- Specify a percentage of sessions. When the number of sessions in the session table reaches this percentage, the router begins to age sessions aggressively. When the number of sessions in the session table reaches the low-water mark, the router stops aggressively aging sessions.
[edit security flow]
user@host# set aging high-watermark 90 low-watermark 50
- Configure an explicit timeout value to remove a TCP session from the session table.
[edit security flow]
user@host# set tcp-session tcp-initial-timeout 280
- Configure any session that receives a TCP RST message to be invalidated.
[edit security flow]
user@host# set tcp-session rst-invalidate-session
Results
Confirm your configuration by entering the show security flow command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show security flow
aging {
    early-ageout 2;
    low-watermark 50;
    high-watermark 90;
}
tcp-session {
    rst-invalidate-session;
    tcp-initial-timeout 280;
}
If you are done configuring the device, enter commit from configuration mode.
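As an added example (not Juniper's code or output), the following Python parses the show security flow output above, checks it against the values this example intends, and models the high-watermark/low-watermark hysteresis described in step 2. The sample output is constructed to match this example's Results section.

```python
# Constructed sample, matching the Results section of this example.
SAMPLE_OUTPUT = """aging {
    early-ageout 2;
    low-watermark 50;
    high-watermark 90;
}
tcp-session {
    rst-invalidate-session;
    tcp-initial-timeout 280;
}"""

def parse_junos_block(text):
    """Parse curly-brace Junos output into nested dicts; bare flags map to True."""
    stack, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("{"):  # open a nested block
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":  # close the current block
            cur = stack.pop()
        elif line.endswith(";"):  # leaf: 'key value;' or bare 'flag;'
            key, *rest = line[:-1].split()
            value = " ".join(rest)
            cur[key] = True if not value else (int(value) if value.isdigit() else value)
    return cur  # with balanced braces, cur is the root again

def check_flow_config(cfg, early_ageout, high, low, tcp_timeout):
    """Return mismatches between parsed output and intended values (empty list = OK)."""
    aging, tcp, problems = cfg.get("aging", {}), cfg.get("tcp-session", {}), []
    if not 0 < low < high <= 100:
        problems.append("watermarks must satisfy 0 < low < high <= 100")
    for key, want in (("early-ageout", early_ageout), ("high-watermark", high),
                      ("low-watermark", low), ("tcp-initial-timeout", tcp_timeout)):
        got = (tcp if key.startswith("tcp") else aging).get(key)
        if got != want:
            problems.append(f"{key}: got {got}, want {want}")
    if tcp.get("rst-invalidate-session") is not True:
        problems.append("rst-invalidate-session is not set")
    return problems

def simulate_aggressive_aging(utilization_pcts, high, low):
    """Per sample: aggressive aging engages at the high watermark, disengages at low."""
    states, active = [], False
    for pct in utilization_pcts:
        active = True if pct >= high else (False if pct <= low else active)
        states.append(active)
    return states
```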
Verification
To confirm that the configuration is working properly, perform these tasks:
Troubleshooting with Logs
Purpose
Use these logs to identify any security flow issues.
Action
Enter these show log commands from operational mode.
user@host> show log messages
user@host> show log dcd
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding Session Characteristics for J Series Services Routers
- Example: Accommodating End-to-End TCP Communication for J Series Services Routers
- Example: Disabling TCP Packet Security Checks for J Series Services Routers