Screen OS

  • 1.  Microsoft Load Balancing issues with NS5GT

    Posted 02-24-2010 12:25

    I have an NS5GT running 5.0.0r8.1 facing a DMZ with three load-balanced Microsoft IIS6 servers.  There is a policy which allows all traffic to reach the DMZ with any protocol.  Traffic flows fine to and from the servers through the Netscreen.  However, the policy logging shows only bytes sent, no bytes received.  Also, many (but not all) sessions show a Duration of ~1800 seconds, which is the protocol default (HTTPS), although a sniffer trace shows that the TCP session lasted only a few seconds.  The sniffer trace shows the session being closed with the usual FIN sequence.  It appears that the NS5 is not seeing the FIN sequence, and is therefore not dropping the session.  The result is that a few users doing a lot of transactions are leaving a lot of TCP sessions open and filling up the session table.  I have enabled "arp always-on-dest" but that has not helped.  Also, this situation is unique to the load-balanced servers.  There are other hosts in the DMZ which do not exhibit this behavior.

     

    What else can I try to resolve this situation?

     

    Thanks,

    Al

     



  • 2.  RE: Microsoft Load Balancing issues with NS5GT
    Best Answer

    Posted 02-26-2010 08:15

    The issue is resolved; it turned out to be a routing issue on the servers.