Understanding Session Characteristics for SRX Series Services Gateways
Sessions are created, based on routing and other classification information, to store information and allocate resources for a flow. Sessions have characteristics, some of which you can change, such as when they are terminated. For example, you might want to ensure that a session table is never entirely full to protect against an attacker’s attempt to flood the table and thereby prevent legitimate users from starting sessions.
Depending on the protocol and service, a session is programmed with a timeout value. For example, the default timeout for Transmission Control Protocol (TCP) is 30 minutes. The default timeout for User Datagram Protocol (UDP) is 1 minute. When a flow is terminated, it is marked as invalid, and its timeout is reduced to 10 seconds.
If no traffic uses the session before the service timeout, the session is aged out and freed to a common resource pool for reuse. You can affect the life of a session in the following ways:
- You can specify circumstances to terminate sessions by using any of the following methods:
  - Age out sessions based on how full the session table is.
  - Set an explicit timeout for aging out TCP sessions.
  - Configure a TCP session to be invalidated when it receives a TCP RST (reset) message.
- You can configure sessions to accommodate other systems as follows:
  - Disable TCP packet security checks.
  - Change the maximum segment size.
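The aging behavior described above, as an added example: a simplified Python model written for this page, not Junos code or Juniper's implementation. The timeouts are the defaults stated above; the table capacity, the high and low fill percentages, the early-ageout threshold, and the burst of idle UDP sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Defaults stated on the page, in seconds.
DEFAULT_TIMEOUT = {"tcp": 30 * 60, "udp": 60}
INVALID_TIMEOUT = 10  # a terminated flow is marked invalid and kept this long


@dataclass
class SessionTable:
    capacity: int
    # Assumed knobs for this model (early_ageout=0 disables aggressive aging):
    high_pct: int = 0      # start reclaiming when the table is this full
    low_pct: int = 0       # stop reclaiming once the fill drops to this level
    early_ageout: int = 0  # reclaim sessions with at most this many seconds left
    sessions: dict = field(default_factory=dict)  # session id -> expiry time

    def fill_pct(self):
        return 100 * len(self.sessions) / self.capacity

    def tick(self, now):
        # Normal aging: idle sessions past their timeout return to the pool.
        self.sessions = {s: t for s, t in self.sessions.items() if t > now}
        if not self.early_ageout or self.fill_pct() < self.high_pct:
            return
        # Aggressive aging: drop the sessions closest to expiry first.
        for sid, expiry in sorted(self.sessions.items(), key=lambda kv: kv[1]):
            if self.fill_pct() <= self.low_pct or expiry - now > self.early_ageout:
                break
            del self.sessions[sid]

    def open(self, now, sid, proto):
        self.tick(now)
        if len(self.sessions) >= self.capacity:
            return False  # table full: the new flow cannot get a session
        self.sessions[sid] = now + DEFAULT_TIMEOUT[proto]
        return True

    def close(self, now, sid):
        # Terminated flow: timeout is reduced to the invalid-session value.
        self.sessions[sid] = now + INVALID_TIMEOUT


def run_burst(table, probe_time):
    """Fill the table with idle UDP sessions at t=0, then try one TCP session."""
    for i in range(table.capacity):
        table.open(0, f"idle-{i}", "udp")
    accepted = table.open(probe_time, "client", "tcp")
    return accepted, len(table.sessions)
```

Calling `run_burst(SessionTable(100), 45)` refuses the TCP session because every idle session still has 15 seconds left, while `run_burst(SessionTable(100, 90, 50, 20), 45)` reclaims half the table and accepts it. With the same settings a probe at 30 seconds is still refused, because no session is yet within the 20-second threshold.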