SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Session overflow with UTM/IDP

    Posted 07-07-2010 21:54

    Does anyone have an idea how the SRX behaves when it reaches the maximum session limit with UTM and IDP enabled?

    Does it queue the exceeding sessions? Does it drop them? Does it adopt a 'permit-all' attitude in order to survive the load, but effectively end up in a vulnerable overflow state? Does it crash altogether?


    Thanx.


    #sessions
    #Overflow


  • 2.  RE: Session overflow with UTM/IDP
    Best Answer

    Posted 07-08-2010 01:28

    Hello,

    This is explained in the SRX techdocs:

    sessions-per-client {
        limit value;
        over-limit (log-and-permit | block);
    }
    Hierarchy Level: [edit security utm utm-policy policy-name traffic-options]

     http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-cli-reference/utm-security-sessions-per-client-statement.html


    over-limit (log-and-permit | block);
    Hierarchy Level
    [edit security utm utm-policy policy-name traffic-options sessions-per-client]
    Release Information
    Statement introduced in Release 9.5 of JUNOS Software.
    Description
    In an attempt to consume all available resources and hinder the ability of the device, a malicious user might generate a large amount of traffic all at once. To prevent such activity from succeeding, you can impose a session throttle to limit sessions and configure an action to occur when the limit is exceeded.
    Options
        * log-and-permit—Log the error and permit the traffic
        * block—Log the error and deny the traffic


    http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-cli-reference/utm-security-over-limit-statement.html


    HTH

    Regards

    Alex




  • 3.  RE: Session overflow with UTM/IDP

    Posted 07-10-2010 20:01

    Set the above limits as suggested or your box will just DIE when it hits the limit.

    We found this out the hard way. It appears the default for most session types, if nothing is set, is unlimited, and by default it will not do anything about it, so an SRX will happily consume all of its own resources; then services will just start failing and cause the box to stop passing traffic.



  • 4.  RE: Session overflow with UTM/IDP

    Posted 07-10-2010 21:33

    Parameters can be set on the session table controlling how to respond when it fills. More information can be found here. And I believe the default session timer is 30 minutes.



  • 5.  RE: Session overflow with UTM/IDP

    Posted 07-11-2010 02:13

    Thank you guys for the great insight. Especially the part that mentions the control over session termination is really helpful. Still let me explain my somewhat extreme scenario here in order for you guys to get a clearer idea:

    I have session control as suggested in older posts, set to a max of 50 sessions per user, and when exceeded then block. But I have a case where many users may reach the 50 sessions/sec limit. My question is what is going to happen when all the users will have used up their 50 sessions/sec and at the same time the max session limit will also have been reached.

    Let's say we have 320 users that use up 50 sessions each. This gives us 16,000 sessions, which is the max limit for a small SRX100H. At that particular point in time - and for as long as the situation lasts - how will the SRX react?

    Will it die? Will it drop packets in order to survive? Will it age sessions and close them aggressively (I mean by default not a result of security flow config), will it hit 100% cpu time and totally degrade performance? And if performance is indeed degraded will I experience the normal FIFO condition, or will I lose packets due to timeouts?



  • 6.  RE: Session overflow with UTM/IDP

    Posted 07-13-2010 09:08

    Would you recommend setting the session limits at all? My SRX240 running Junos 10.0R3 recently crashed when IDP is enabled; I can't keep it up and running for a week. I left my session limits at their default values. Should I change them? Would that help?

    I am only running IDP, not UTM.

    Thanks



  • 7.  RE: Session overflow with UTM/IDP

    Posted 07-13-2010 09:10

    Are you monitoring the box? It should be very easy to tell by the SNMP session count if that is the issue. If it is an unrelated BUG crashing the system, then you are best to open a ticket with support.



  • 8.  RE: Session overflow with UTM/IDP

    Posted 07-13-2010 11:26

    This is what I get from a show system summary output:

    Session summary:
      Unicast-sessions: 976
      Multicast-sessions: 0
      Failed-sessions: 0
      Sessions-in-use: 976
      Maximum-sessions: 65536

    Usually I don't go over 1100 sessions-in-use; the maximum based on SNMP logs is 1243 sessions.



  • 9.  RE: Session overflow with UTM/IDP

    Posted 07-20-2010 08:49

    As far as I can tell you have no issue with the max number of sessions. You should check if the machine is thrashing by doing a show system core-dumps and seeing if you have any files in there. If all it says is "No such file or directory" then you are all right. But still your issue is real, so I propose opening a case with the JTAC.

    In regard to my issue: I have read that max sessions with UTM go to half the original value. I have a small SRX210 at home to play with and I see that even though it is the high memory model, when I do show security flow session summary I get

    Session summary:
      Unicast-sessions: 6
      Multicast-sessions: 0
      Failed-sessions: 0
      Sessions-in-use: 6
      Maximum-sessions: 32768


    This is the expected value according to the specs, BUT when I do show security utm session I get

    UTM session info:
      Maximum sessions:                 4000
      Total allocated sessions:         1945
      Total freed sessions:             1845
      Active sessions:                  0

    And to get things even more strange, when I do show security flow session idp summary, I get

    IDP session summary:
      Maximum sessions: 16384
      Active sessions: 1
      Total sessions: 1

    What is really going on here? What is the 'true' value if I have a full UTM device?


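    Post 7 suggests watching the session count, and posts 8 and 9 quote three different summaries (flow, UTM and IDP) with three different maximums. The following is an added example, not code from the thread or from Juniper: it parses output in the shape of those three summaries, computes per-table utilization, and flags tables near their maximum or a non-zero Failed-sessions counter. The 80% threshold and the sample text are constructed for illustration.

```python
# Constructed sample stitched from the three summaries quoted in this thread
# (flow, UTM and IDP); it is not real device output.
SAMPLE_OUTPUT = """\
Session summary:
  Unicast-sessions: 976
  Multicast-sessions: 0
  Failed-sessions: 0
  Sessions-in-use: 976
  Maximum-sessions: 65536
UTM session info:
  Maximum sessions:                 4000
  Active sessions:                  0
IDP session summary:
  Maximum sessions: 16384
  Active sessions: 1
  Total sessions: 1
"""
# Heading, in-use field and maximum field per table (names differ per command).
TABLES = {
    "flow": ("Session summary", "Sessions-in-use", "Maximum-sessions"),
    "utm": ("UTM session info", "Active sessions", "Maximum sessions"),
    "idp": ("IDP session summary", "Active sessions", "Maximum sessions"),
}

def parse_summaries(text):
    """Return {heading: {field: int}} for every 'Heading:' block in text."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):            # block heading, e.g. "Session summary:"
            current = line[:-1]
            blocks[current] = {}
        elif current and ":" in line:     # counter line, e.g. "Sessions-in-use: 976"
            key, _, value = line.partition(":")
            blocks[current][key.strip()] = int(value.split()[0])
    return blocks

def utilization(text):
    """Return {table: (in_use, maximum, percent_used)} for each table present."""
    blocks, result = parse_summaries(text), {}
    for name, (heading, used_key, max_key) in TABLES.items():
        if heading in blocks:
            used, maximum = blocks[heading][used_key], blocks[heading][max_key]
            result[name] = (used, maximum, 100.0 * used / maximum)
    return result

def alerts(text, percent=80.0):
    # Tables at or above the threshold, plus whether any flow session failed to be created.
    hot = [n for n, (_, _, pct) in utilization(text).items() if pct >= percent]
    failed = parse_summaries(text).get("Session summary", {}).get("Failed-sessions", 0)
    return hot, failed > 0
```

    Feed it the text of the three show commands (for example collected over SSH on a schedule) and alert on the returned table names; the Failed-sessions flag catches the case where the table is already full and new sessions are being refused.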


  • 10.  RE: Session overflow with UTM/IDP

    Posted 07-11-2010 10:39

    I would have to look at our config, but there is another threshold parameter: at a set % the SRX should start timing out sessions faster than the normal setting, thus helping prevent hitting 100%.