ScreenOS Firewalls (NOT SRX)
zurawdom

JTAC Case 2010-0416-0124 - Problem with ClearCase traffic passing thru firewall

Dear all,

I am looking for possible solutions/guidelines about a problem which can be read under the following JTAC case number:

Case 2010-0416-0124

Basically we are having a problem with UDP fragmented packets which are passing thru our ISG-2000 platform.

Some packets are dropped and retransmission takes about 3 sec. That is most probably related to the FCB 3 sec delay. The traffic is ASIC processed. More data can be found under Case 2010-0416-0124, including a snoop and a detailed description of the snoop.

firewall (M)-> get sess frag
Fcb expired time is 3 second
Defrag info in host system:
  Max 65536 fcbs in the system, 0 fcbs are in use.
  Max 6328 fragments can be queued, 0 fragments are queued now.
  Total 0 fragments received.
  Total 0 fragments passed defrag.
  Total 0 fragments failed in defrag.
  Total 0 fragments overlap happen.
  Total 0 are 1st fragments.
  Total 0 are non-1st fragments.
  Total 0 are out-of-order fragments.
  Total 0 fragments are aged out.
  Total 0 fragments from interfaces different from session's.

Defrag info in asic 0:
  Max 65536 fcbs in the system, 7 fcbs are in use.
  Max 1024 fragments can be queued, 0 fragments are queued now.
  Total 1146211798 fragments received.
  Total 1146174500 fragments passed defrag.
  Total 21377 fragments failed in defrag.
  Total 0 fragments overlap happen.
  Total 346248763 are 1st fragments.
  Total 799963035 are non-1st fragments.
  Total 2653760 are out-of-order fragments.
  Total 15921 fragments are aged out.

 

 

Could anyone from JTAC have a look and give me guidelines?

Thank you in advance.
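
Added example, not part of the original post and not Juniper code: a small Python parser for the get sess frag output quoted above that turns the raw counters into loss and reordering ratios per defrag engine. Counting failed plus aged-out fragments as lost, and all function and key names, are assumptions of this example.

```python
import re

# Abridged copy of the `get sess frag` output quoted in the post above.
SAMPLE = """\
Fcb expired time is 3 second
Defrag info in host system:
  Max 65536 fcbs in the system, 0 fcbs are in use.
  Total 0 fragments received.
  Total 0 fragments failed in defrag.
Defrag info in asic 0:
  Max 65536 fcbs in the system, 7 fcbs are in use.
  Total 1146211798 fragments received.
  Total 1146174500 fragments passed defrag.
  Total 21377 fragments failed in defrag.
  Total 2653760 are out-of-order fragments.
  Total 15921 fragments are aged out.
"""

SECTION = re.compile(r"^Defrag info in (.+):\s*$")
TOTAL = re.compile(r"^\s*Total (\d+) (?:fragments )?(?:are )?(.+?)\.?\s*$")
IN_USE = re.compile(r"^\s*Max (\d+) fcbs in the system, (\d+) fcbs are in use")

def parse_frag_stats(text):
    """Return {engine: {counter: int}} for each 'Defrag info in ...' block."""
    stats, current = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            current = stats.setdefault(m.group(1), {})
        elif current is None:
            continue  # preamble such as the FCB expiry line
        elif m := TOTAL.match(line):
            current[m.group(2)] = int(m.group(1))
        elif m := IN_USE.match(line):
            current["fcbs max"], current["fcbs in use"] = int(m.group(1)), int(m.group(2))
    return stats

def summarize(c):
    """Loss figures for one engine, or None if it has seen no fragments."""
    received = c.get("received", 0)
    if received == 0:
        return None  # idle engine, e.g. the host path when traffic stays on the ASIC
    lost = c.get("failed in defrag", 0) + c.get("aged out", 0)  # assumption: both count as lost
    return {
        "lost": lost,
        "lost_ratio": lost / received,
        "out_of_order_ratio": c.get("out-of-order fragments", 0) / received,
        # Non-zero: fragments still queued or not covered by these counters.
        "unaccounted": received - c.get("passed defrag", 0) - lost,
    }

if __name__ == "__main__":
    for engine, counters in parse_frag_stats(SAMPLE).items():
        print(engine, summarize(counters))
```

On the quoted ASIC counters this gives 37298 lost fragments out of 1146211798 received, which is exactly received minus passed, so the failed and aged-out counters account for every fragment that did not pass defrag.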

LSA3

Re: JTAC Case 2010-0416-0124 - Problem with ClearCase traffic passing thru firewall

If you are using 6.1+ code on the ISG, you can try setting a set no-hw-session under the policy and see if the problem disappears.

We were experiencing the issue of a huge number of TCP out-of-order packets, and when we redirected traffic off the ASIC the problem disappeared. Currently JTAC is looking at the ASIC issue. Status is pending.

 

 
