Example: Controlling Session Termination for J Series Services Routers

This example shows you how to terminate sessions based on a timeout value or the number of sessions in the session table.

Requirements

Before you begin:

Overview

JUNOS Software terminates sessions normally in certain situations, for example after receiving a TCP FIN (finish) or RST (reset) message, when encountering Internet Control Message Protocol (ICMP) errors for UDP, and when no matching traffic is received before the service timeout. When sessions are terminated, their resources are freed for use by other sessions.

To control when sessions are terminated, you configure the router to age out sessions after a certain period of time, when the number of sessions in the session table reaches a specified percentage, or both.

Configuration

CLI Quick Configuration

To quickly terminate sessions based on a timeout value or the number of sessions in the session table, copy the following commands and paste them into the CLI:

[edit security flow]
set aging early-ageout 2
set aging high-watermark 90 low-watermark 50
set tcp-session tcp-initial-timeout 280
set tcp-session rst-invalidate-session

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To terminate sessions based on a timeout value or the number of sessions in the session table:

  1. Specify the early age-out time, in units of ten seconds, after which a session is invalidated. In this example, the value 2 means the session ages out after 20 seconds.

    [edit security flow]
    user@host# set aging early-ageout 2

  2. Specify a percentage of sessions. When the number of sessions in the session table reaches this high-water mark, the router begins to age out sessions aggressively. When the number of sessions in the session table reaches the low-water mark, the router stops aggressively aging sessions.

    [edit security flow]
    user@host# set aging high-watermark 90 low-watermark 50

  3. Configure an explicit timeout value after which a TCP session is removed from the session table.

    [edit security flow]
    user@host# set tcp-session tcp-initial-timeout 280

  4. Configure any session that receives a TCP RST message to be invalidated.

    [edit security flow]
    user@host# set tcp-session rst-invalidate-session
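As an added illustration (a constructed model, not Junos code), the following Python sketch shows how the four settings above interact: the high- and low-water marks act as a hysteresis switch for aggressive aging, early-ageout (in tens of seconds) is the idle timeout applied while that mode is on, tcp-initial-timeout bounds how long a TCP session whose handshake has not completed may wait, and rst-invalidate-session drops a session as soon as an RST is seen. That early-ageout applies only during aggressive aging and that tcp-initial-timeout applies to the pre-handshake state are assumptions about Junos behaviour; the class and method names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class AgingConfig:
    early_ageout: int = 2            # tens of seconds, as on the page (2 -> 20 s)
    high_watermark: int = 90         # table utilization (%) that starts aggressive aging
    low_watermark: int = 50          # table utilization (%) that stops it
    tcp_initial_timeout: int = 280   # seconds a half-open TCP session may wait (assumed)
    rst_invalidate_session: bool = True

@dataclass
class Session:
    state: str           # "initial" (handshake incomplete) or "established"
    idle: int            # seconds since the last matching packet
    last_flag: str = ""  # last TCP flag seen on the session, e.g. "RST"

class FlowTable:
    def __init__(self, cfg, capacity):
        self.cfg, self.capacity = cfg, capacity
        self.sessions = {}      # session id -> Session (constructed sample data)
        self.aggressive = False

    def update_mode(self):
        # Hysteresis: aggressive aging starts at high-watermark, stops at low-watermark.
        util = 100 * len(self.sessions) // self.capacity
        if not self.aggressive and util >= self.cfg.high_watermark:
            self.aggressive = True
        elif self.aggressive and util <= self.cfg.low_watermark:
            self.aggressive = False
        return self.aggressive

    def termination_reason(self, s):
        if self.cfg.rst_invalidate_session and s.last_flag == "RST":
            return "rst-invalidate-session"
        if s.state == "initial" and s.idle >= self.cfg.tcp_initial_timeout:
            return "tcp-initial-timeout"
        if self.aggressive and s.idle >= self.cfg.early_ageout * 10:
            return "early-ageout"
        return None  # session keeps its normal service timeout

    def sweep(self):
        # One aging pass; returns {session id: reason} for each removed session.
        self.update_mode()
        removed = {}
        for sid, s in list(self.sessions.items()):
            reason = self.termination_reason(s)
            if reason:
                removed[sid] = reason
                del self.sessions[sid]
        return removed
```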

Results

Confirm your configuration by entering the show security flow command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.


user@host# show security flow
aging {
    early-ageout 2;
    low-watermark 50;
    high-watermark 90;
}
tcp-session {
    rst-invalidate-session;
    tcp-initial-timeout 280;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Troubleshooting with Logs

Purpose

Use these logs to identify any security flow issues.

Action

Enter these show log commands from operational mode.

user@host> show log messages
user@host> show log dcd
