Example: Controlling Session Termination for SRX Series Services Gateways (CLI)

JUNOS Software terminates sessions normally in certain situations—for example, after receiving a TCP FINish Close or receiving a RST (reset) message, when encountering Internet Control Message Protocol (ICMP) errors for User Datagram Protocol (UDP), and when no matching traffic is received before the service timeout. When sessions are terminated, their resources are freed up for use for other sessions.

To control when sessions are terminated, you configure the device to age out sessions after a certain period of time, when the number of sessions in the session table reaches a specified percentage, or both.

• To terminate sessions based on a timeout value or the number of sessions in the session table, you can use the following set security flow command to specify the number of seconds in tens of seconds after which a session is invalidated. The following command ages out sessions after 20 seconds:

  user@host# set security flow aging early-ageout 2

• To configure an explicit timeout value, use the following command. This set security flow command removes a TCP session from the session table after 280 seconds.

  user@host# set security flow tcp-session tcp-initial-timeout 280

• To cause any session that receives a TCP RST message to be invalidated, use the following command:

  user@host# set security flow tcp-session rst-invalidate-session

Related Topics

• JUNOS Software Feature Support Reference for SRX Series and J Series Devices
• Understanding Session Characteristics for SRX Series Services Gateways
• Example: Disabling TCP Packet Security Checks for SRX Series Services Gateways (CLI)
• Example: Setting the Maximum Segment Size for All TCP Sessions for SRX Series Services Gateways (CLI)