10-22-2009 02:10 PM
I'm using a J6350 in a JSRP cluster (running Junos 9.6R1)... with the Internet in the Untrust zone and a DMZ with FTP servers in it... I have a policy set up to allow Untrust to DMZ with the junos-ftp built-in application... and if I connect to the FTP servers, run a directory listing and then let the connection sit, it will time out on the firewall within 5 minutes.
I have the same issue with SSH to the FTP servers from the Trust zone, where the policy permits all applications. And SSH to the J6350 will also time out rather quickly (I haven't timed it exactly). I thought the TCP timeout was 30 minutes by default. Anyone know how to fix this?
10-22-2009 10:23 PM
This may not be a session timeout issue. Check your session table to see whether you see the session for the traffic or not (show security flow session). You can also enable flow traceoptions to get an idea of how the J-series is handling the traffic. You may need to disable TCP SYN check and sequence check (in the security flow tcp-session hierarchy).
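The diagnostic sequence from the reply above, written out as Junos CLI commands (an added example, not from either poster). It assumes an FTP server at 192.0.2.10 behind the DMZ and a trace file named flow.log; both are placeholders. The SYN/sequence-check knobs are shown last and under commit confirmed, because they relax the firewall's TCP state enforcement and should only stay in place if the trace shows those checks are what is dropping the idle session.

```junos
## 1. Is the idle FTP session still in the table? (operational mode)
## If it is present with a large timeout value, the firewall is not aging it out.
show security flow session destination-port 21
show security flow session summary

## 2. Trace how the flow module treats the FTP packets (configuration mode)
## The packet-filter keeps the trace to the one server of interest
## (192.0.2.10 is a placeholder address).
set security flow traceoptions file flow.log
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter ftp-srv destination-prefix 192.0.2.10/32
set security flow traceoptions packet-filter ftp-srv destination-port 21
commit

## Reproduce the hang (connect, list, wait), then read the trace:
show log flow.log

## 3. Only if the trace shows drops for out-of-window or non-SYN first
## packets: relax the TCP checks the reply mentions. commit confirmed
## auto-rolls back in 5 minutes unless a plain commit follows, so a
## mistake does not leave the weaker setting in place.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
commit confirmed 5

## 4. Remove the trace once done; it is CPU-costly on a J-series.
delete security flow traceoptions
commit
```

If step 1 shows the session disappearing while the client is idle, the problem is aging rather than state checking, and the per-application inactivity timeout (or the predefined junos-ftp application's value) is the thing to look at instead of step 3.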