Hi Hermod,
The central point (CP) architecture has two basic flow functionalities: load balancing and traffic identification (global session matching). As described in this topic, the central point architecture is implemented either in centric mode, in which all session distribution and session matching is performed by the central point, or in mixed-mode, in which a percentage of Services Processing Unit (SPU) is dedicated to performing the central point functionality.
More below:
https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/security/security-processing-overview.pdf
CP NACK is a response received on a "Session Close" action. CP NACK means there’s a conflict on the CP and the session cannot be installed.
The CP sends a delete-session message to the SPU to delete the SPU session. Usually it is used when the CP finds a conflicting session or an invalid session request on the CP; it deletes one and keeps the other.
For example, when multiple ICMP packets using the same source IP/port and destination IP/port (in an ICMP session, the source port means the ICMP sequence number and the destination port means the ICMP identifier) come into the SRX, the CP sends the NACK to the SPU to delete the conflicting session, and the log is generated.
As per my understanding, it is a negative acknowledgment received as a response for a CP session. It could be due to a CP session leak. When a valid CP session has no corresponding SPU session, it means there is a CP session leak, because a valid CP session depends on the SPU session to delete it. If there is no SPU session, the valid CP session cannot age out and cannot be deleted manually.
This will not lead to a traffic drop; it will delete the conflicting session, allow the traffic through the existing session, and generate this error. There is no impact due to this message.
Hope this helps 🙂
Please mark "Accepted Solution" if this helps you solve your query.
Kudos are always appreciated!
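
One way to check whether the CP NACK closes in a log match the ICMP case described above, as an added example that is not part of the original post: it tallies session-close lines with reason CP NACK per source/destination tuple and lists ICMP separately from other services. The log lines are constructed, and the field layout is an assumed, simplified form of the RT_FLOW_SESSION_CLOSE message.

```python
import re
from collections import Counter

# Constructed sample lines. The layout is an assumed, simplified form of the
# close log: "session closed <reason>: <src>/<sport>-><dst>/<dport> <service>".
SAMPLE_LOG = """\
Jan 10 10:00:01 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed CP NACK: 192.0.2.10/7->198.51.100.5/4321 icmp
Jan 10 10:00:01 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed CP NACK: 192.0.2.10/7->198.51.100.5/4321 icmp
Jan 10 10:00:02 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.0.2.11/50000->198.51.100.5/443 junos-https
Jan 10 10:00:03 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed CP NACK: 192.0.2.12/40000->198.51.100.9/53 junos-dns-udp
Jan 10 10:00:04 srx sshd[1234]: unrelated line
"""

CLOSE_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>[^:]+): "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+)"
)


def parse_closes(text):
    """Yield one dict per session-close line; other lines are skipped."""
    for line in text.splitlines():
        m = CLOSE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["reason"] = ev["reason"].strip()
            yield ev


def summarize_cp_nack(text):
    """Count CP NACK closes per flow tuple, ICMP separately from the rest."""
    icmp, other = Counter(), Counter()
    for ev in parse_closes(text):
        if ev["reason"].upper() != "CP NACK":
            continue
        # For ICMP, the two "port" fields carry the values the post describes.
        key = (ev["src"], int(ev["sport"]), ev["dst"], int(ev["dport"]))
        bucket = icmp if ev["service"].lower().startswith("icmp") else other
        bucket[key] += 1
    return icmp, other


if __name__ == "__main__":
    icmp, other = summarize_cp_nack(SAMPLE_LOG)
    for key, count in icmp.most_common():
        print("ICMP CP NACK", key, count)
    for key, count in other.most_common():
        print("non-ICMP CP NACK (review)", key, count)
```

Repeated ICMP tuples in the first group correspond to the duplicate-session case in the post; CP NACK closes on other services are listed separately for review.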