Limit number of NAT sessions via IDS on MS-MIC-16G - possible ?
2 weeks ago
I am using MX-104 with MS-MIC-16G and would like to limit number of sessions per IP using IDS (I have a mixed NAT setup with napt-44, twice-napt-44, dnat-44, basic-nat44 rules, so it looks quite easy to implement it this way).
When I apply the configuration below, the router stops forwarding and shows the error "unknown plugin junos-ids" in the log.
I've tried it with and without stateful-firewall rules section and it behaved the same.
Q: Does IDS really work on MX-104 with MS-MIC-16G? Does something else have to be turned on somewhere in the config (in the chassis section, for example) for this to work? Or is it a license issue?
Would you recommend any other way to prevent resource exhaustion on the MS-MIC in case of an attack?
Nov 23 23:49:24 my-gw (FPC Slot 0, PIC Slot 2) ms02 mspmand: Failed to enque session 0xe0590fdb0 to service set 1, svc_id 2
Nov 23 23:49:24 my-gw (FPC Slot 0, PIC Slot 2) ms02 mspmand: Failed to enque session 0xf179b5ef0 to service set 1, svc_id 2
(repeated a dozen times; service was seriously degraded because new sessions could not be established)