SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  GTP tunnel timeout doubt

    Posted 01-04-2019 10:26

    Hi, all,


    According to 

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-gprs-gtpv1-overview.html

    one can set up a GTP tunnel idle-timeout to clean up hanging GTP tunnels through the SRX. I don't quite understand how this feature works: GTP is over UDP, UDP sessions have a default timeout value of 60 seconds, so the UDP session of a GTP tunnel that is inactive for over 60 seconds will be cleaned up automatically. How is the GTP inactive timer ever going to be effective?



  • 2.  RE: GTP tunnel timeout doubt

    Posted 01-05-2019 03:21

    Hello,

    Firstly, if GTP Echo is enabled, its minimum interval is also 60 secs, according to 3GPP specs.

    So, with GTP Echo enabled on both sides, the SRX GTP-over-UDP session timing out is not going to be deterministic.

    Therefore, you'd want to increase the SRX session inactivity-timeout for the GTP protocol to match the GTP Echo timeout settings in the SGSN/GGSN or SGW/PGW, plus some margin on top to allow for delayed messages.

    HTH

    Thx

    Alex



  • 3.  RE: GTP tunnel timeout doubt
    Best Answer

     
    Posted 01-05-2019 04:40

    Hello John,

     

    As I understand it, you want to know how the GTP tunnel timeout value configured under the gprs gtp profile would take effect. Since it is a UDP packet, the UDP timeout should take effect.

     

    root@srx# set security gprs gtp profile gtp1 timeout ?
    Possible completions:
    <timeout> Tunnel idle timeout (1..1000 hour)

    root@srx> show configuration groups junos-defaults applications | display set | match gprs
    set groups junos-defaults applications application junos-gtp term t1 protocol udp
    set groups junos-defaults applications application junos-gtp term t1 destination-port 2123
    set groups junos-defaults applications application junos-gprs-gtp-c term t1 alg gprs-gtp-c
    set groups junos-defaults applications application junos-gprs-gtp-c term t1 protocol udp
    set groups junos-defaults applications application junos-gprs-gtp-c term t1 destination-port 2123
    set groups junos-defaults applications application junos-gprs-gtp-u term t1 alg gprs-gtp-u
    set groups junos-defaults applications application junos-gprs-gtp-u term t1 protocol udp
    set groups junos-defaults applications application junos-gprs-gtp-u term t1 destination-port 2152
    set groups junos-defaults applications application junos-gprs-gtp-v0 term t1 alg gprs-gtp-v0
    set groups junos-defaults applications application junos-gprs-gtp-v0 term t1 protocol udp
    set groups junos-defaults applications application junos-gprs-gtp-v0 term t1 destination-port 3386
    set groups junos-defaults applications application-set junos-gprs-gtp application junos-gprs-gtp-c
    set groups junos-defaults applications application-set junos-gprs-gtp application junos-gprs-gtp-u
    set groups junos-defaults applications application-set junos-gprs-gtp application junos-gprs-gtp-v0

     

    root@srx> request pfe execute target fpc0 command "show usp app-def udp" | match 2152
    udp port=2152, appl_name=junos-gprs-gtp-u, service type=75, alg id=75, timeout=90

     

    This is my understanding:

    > GTP, as the name suggests, is a GPRS tunneling protocol.
    > While the outer header would be one UDP flow, it comprises several tunneled IP flows. For example:

    GTP UDP Packet X -> Y [ Encapsulated GPRS IP packet A -> B]
    GTP UDP Packet X -> Y [ Encapsulated GPRS IP packet C -> D]

    > The tunnel flows show up in the output of the command "show security gprs gtp tunnels detail" as below (IPs modified):

    node0:
    --------------------------------------------------------------------------
    FPC 0 PIC 0:

    FPC 0 PIC 1:

    Index: 0x01000015 GTAPI/L-GTAPI: 5/5(V1), Timeout: 147m <<<
    User: 192.168.10.242, 2b6e3f62 -> 192.168.20.163, 57bff5d2
    Ctrl: 192.168.10.241, 2b6e3a36 -> 192.168.20.154, ff7325a0

    Index: 0x01000195 EBI/JBI: 5/5(V2)to pgw, Timeout: 1024m <<<
    User: 192.168.30.33, 9ea009a6 -> 192.168.20.43, 048ff0a3
    Ctrl: 192.168.30.77, 9ea96680 -> 192.168.20.26, ff23a210

    > While the UDP session may stay active as long as some flows are being tunneled, one or more tunneled flows may go idle, which is where the above-mentioned timeout kicks in to free up resources.

     

    I hope this helps. Regards,

     

    Vikas

    Juniper CFTS Security
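The two answers above describe two independent idle timers: the outer UDP session timer (90 s for junos-gprs-gtp-u in the output shown) that any GTP datagram, including Echo, refreshes, and the per-tunnel timer from the gtp profile (expressed in hours) that only user-plane traffic on a given TEID refreshes. The following Python model is an added illustration, not code from the thread or from Juniper; the GtpTimerModel class, the scenario traffic, the IP addresses and the TEID values are all constructed for the example. It parses the mandatory 8-byte GTPv1 header to tell Echo (TEID 0) from G-PDU traffic, then shows (a) a tunnel expiring while the UDP session it shares with a busy tunnel stays up, and (b) Alex's point that a session timeout equal to the Echo interval races with the Echo itself.

```python
import struct

# GTPv1 message types (3GPP TS 29.060 / TS 29.281)
GTP_ECHO_REQUEST = 1
GTP_ECHO_RESPONSE = 2
GTP_GPDU = 255          # T-PDU: carries an encapsulated user IP packet

# Timer values taken from the thread: junos-gprs-gtp-u session timeout is 90 s,
# and the gtp profile tunnel timeout is expressed in hours (1 h used here).
UDP_SESSION_TIMEOUT = 90
GTP_TUNNEL_IDLE_TIMEOUT = 1 * 3600


def build_gtpv1(msg_type, teid, inner=b""):
    """Constructed GTPv1 datagram: 8-byte mandatory header, no optional fields."""
    flags = 0x30  # version=1, PT=1 (GTP, not GTP'), E/S/PN bits clear
    return struct.pack("!BBHI", flags, msg_type, len(inner), teid) + inner


def parse_gtpv1_header(payload):
    """Return (msg_type, teid) from a GTPv1 header; reject anything else."""
    if len(payload) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    if not flags & 0x10:
        raise ValueError("GTP' (charging) is not handled here")
    if length > len(payload) - 8:
        raise ValueError("length field exceeds payload")
    return msg_type, teid


class GtpTimerModel:
    """Hypothetical model: one idle timer per outer UDP session, one per TEID."""

    def __init__(self, udp_timeout=UDP_SESSION_TIMEOUT,
                 tunnel_timeout=GTP_TUNNEL_IDLE_TIMEOUT):
        self.udp_timeout = udp_timeout
        self.tunnel_timeout = tunnel_timeout
        self.sessions = {}   # frozenset({src, dst}) -> last seen (s)
        self.tunnels = {}    # teid -> last seen (s)

    def observe(self, now, src, dst, payload):
        msg_type, teid = parse_gtpv1_header(payload)
        # Any GTP datagram, Echo included, refreshes the outer UDP session.
        self.sessions[frozenset((src, dst))] = now
        # Only user-plane data on a real TEID refreshes that tunnel's timer;
        # Echo carries TEID 0, so it keeps the session up without touching tunnels.
        if msg_type == GTP_GPDU and teid != 0:
            self.tunnels[teid] = now
        return msg_type, teid

    def expire(self, now):
        """Age out idle sessions and tunnels; return what was removed."""
        dead_sessions = [k for k, t in self.sessions.items()
                         if now - t >= self.udp_timeout]
        dead_tunnels = [k for k, t in self.tunnels.items()
                        if now - t >= self.tunnel_timeout]
        for k in dead_sessions:
            del self.sessions[k]
        for k in dead_tunnels:
            del self.tunnels[k]
        return dead_sessions, dead_tunnels


def run_scenario():
    """Constructed traffic: two TEIDs share one GTP-U session between SGW and PGW."""
    sgw, pgw = ("192.0.2.10", 2152), ("198.51.100.20", 2152)   # documentation addresses
    teid_a, teid_b = 0x2B6E3F62, 0x57BFF5D2                      # constructed TEIDs
    user_pkt = b"\x45" + b"\x00" * 19                            # stand-in inner IPv4 packet
    m = GtpTimerModel()
    expired_at = {}
    for t in range(0, 7200, 60):
        # Peers exchange Echo every 60 s, so the UDP session never idles out.
        m.observe(t, sgw, pgw, build_gtpv1(GTP_ECHO_REQUEST, 0))
        m.observe(t + 1, pgw, sgw, build_gtpv1(GTP_ECHO_RESPONSE, 0))
        # Tunnel A carries data the whole time; tunnel B goes quiet after 300 s.
        m.observe(t + 2, sgw, pgw, build_gtpv1(GTP_GPDU, teid_a, user_pkt))
        if t <= 300:
            m.observe(t + 3, sgw, pgw, build_gtpv1(GTP_GPDU, teid_b, user_pkt))
        _, dead_tunnels = m.expire(t + 59)
        for teid in dead_tunnels:
            expired_at[teid] = t + 59
    return {"sessions_alive": len(m.sessions),
            "tunnels_alive": sorted(m.tunnels),
            "expired_at": expired_at}


def echo_race(udp_timeout, echo_interval=60, checks=5):
    """Return the time the session died if the ager ran just before an Echo, else None."""
    m = GtpTimerModel(udp_timeout=udp_timeout)
    a, b = ("192.0.2.10", 2123), ("198.51.100.20", 2123)
    for i in range(checks):
        now = i * echo_interval
        dead, _ = m.expire(now)                 # ager runs first ...
        if dead:
            return now                          # ... and wins against the Echo
        m.observe(now, a, b, build_gtpv1(GTP_ECHO_REQUEST, 0))
    return None


if __name__ == "__main__":
    print(run_scenario())
    print(echo_race(60), echo_race(90))
```

In run_scenario the UDP session stays up for the whole two hours because Echo and tunnel A keep refreshing it, yet tunnel B is aged out about an hour after its last G-PDU; that is exactly the resource the gtp profile timeout reclaims and the UDP session timer never would. echo_race(60) returns 60 while echo_race(90) returns None, which is why the session inactivity-timeout needs margin above the Echo interval rather than being set equal to it.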



  • 4.  RE: GTP tunnel timeout doubt

    Posted 01-07-2019 15:39

    Thanks, that makes perfect sense. Do you have a link to the performance and scalability numbers of the SRX platform handling GTP and SCTP traffic, i.e. number of SCTP associations, GTP tunnels and throughput?



  • 5.  RE: GTP tunnel timeout doubt

     
    Posted 01-07-2019 21:33

    Hi John,

     

    For SRX5K running IOC2 SPC2 on 15.1X49.

    Max GTP U Tunnels 600000
    Max SCTP Associations 60000

     

    Regarding the throughput and performance numbers, I encourage you to reach out to our accounts team for better clarity with respect to your environment.

     

    Regards,

     

    Vikas