SRX Services Gateway

TCP inactivity timeout

08-20-2015 01:59 PM

How can someone change/configure the SRX so that ALL TCP flows will get a 7800 second inactivity-timeout, even if matching "application any"?

 

I have read and understand the lookup-order as documented here (http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/concept/policy-application-contingency-und... but would like clarification/confirmation that if I adjust the inactivity-timeout for "junos-tcp-any" and no other explicit inactivity-timeouts, will that work?

 

Will that update the Root TCP/UDP port-based Timeout Table?

Or the Protocol-based Default Timeout Table?

Or just the Application Entry Table for junos-tcp-any?

 

Rakik
2 REPLIES

Re: TCP inactivity timeout

08-23-2015 04:16 PM

 

I've done some tests, and here's what I've found:

 

 - you can't modify the inactivity timeout in junos-tcp-any, I get commit errors when trying

 - you should create a new application object instead:

 

[edit applications]
root@SRX1# show

application tcp-any {
    protocol tcp;
    inactivity-timeout 7800;
}

 

- this still isn't enough though. In order to get the SRX to use this timeout you need to reference this application object in your policy.

 

So to do what you're asking for (ie all TCP connections have an increased timeout) you need to use custom application objects in every policy rule and have an increased timeout in each one.

 

Some experts might know of an easier way, but I haven't found any other way to do it.

 

 
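The complete version of the approach in the reply above, as an added example rather than the poster's own configuration: the custom application object plus a policy that references it, in set syntax. The zone names (trust, untrust), the policy names and the `##` annotation lines are assumptions made for illustration; 1800 s is the Junos predefined inactivity timeout for TCP.

```junos
## Added example, not the poster's configuration. Zone and policy names are assumed.

## 1. Custom application: any TCP port, 7800 s idle timeout.
set applications application tcp-any protocol tcp
set applications application tcp-any inactivity-timeout 7800

## 2. The policy must reference tcp-any explicitly. A rule that matches
##    "application any" never consults this object and keeps the
##    predefined TCP timeout (1800 s).
set security policies from-zone trust to-zone untrust policy allow-tcp-long match source-address any
set security policies from-zone trust to-zone untrust policy allow-tcp-long match destination-address any
set security policies from-zone trust to-zone untrust policy allow-tcp-long match application tcp-any
set security policies from-zone trust to-zone untrust policy allow-tcp-long then permit
set security policies from-zone trust to-zone untrust policy allow-tcp-long then log session-close

## 3. Replacing "any" with tcp-any drops non-TCP traffic from that rule,
##    so keep a separate rule for UDP and ICMP (predefined objects).
set security policies from-zone trust to-zone untrust policy allow-other match source-address any
set security policies from-zone trust to-zone untrust policy allow-other match destination-address any
set security policies from-zone trust to-zone untrust policy allow-other match application junos-udp-any
set security policies from-zone trust to-zone untrust policy allow-other match application junos-icmp-all
set security policies from-zone trust to-zone untrust policy allow-other then permit

commit check
commit

## 4. Verify: the Timeout field of a new TCP session through allow-tcp-long
##    starts at 7800 and counts down; sessions created by other rules
##    still start at the predefined 1800.
run show security flow session protocol tcp
```

Every rule that should get the longer timeout needs the same substitution, which is the per-policy work the reply describes. Before committing, list which rules still match `application any` with `show configuration security policies | display set | match "application any"`.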


Re: TCP inactivity timeout

08-23-2015 04:52 PM

Hi,

 

You should be able to modify the default group.

 

tim> show configuration applications | display set | match junos-tcp
set applications application junos-tcp-any term t1 inactivity-timeout never

# commit confirmed will be rolled back in 2 minutes
tim>

Just need to make sure that you apply the inactivity-timeout under the term t1 as this is how the default group is configured.

 

But yes from my experience you would need to define the timeout value for all applications used in the security policies.

 

Tim
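The override described in Tim's reply, written out as an added example (not Tim's configuration): inspecting how the predefined object is defined in the junos-defaults group, overriding its term, and committing with a rollback safety net. The 7800 s value from the question is used rather than `never`, because a session that never times out stays in the session table until the peer closes it, and abandoned connections then accumulate. The `##` lines and the choice of junos-ssh and junos-http as the policies' other applications are assumptions.

```junos
## Added example, not Tim's configuration. Application names other than
## junos-tcp-any are assumed for illustration.

## 1. Look at how the predefined object is structured before overriding it.
##    junos-tcp-any is defined with a term, so the timeout belongs under term t1.
run show configuration groups junos-defaults applications application junos-tcp-any

## 2. Override at the top level; this merges with, and takes precedence over,
##    the junos-defaults group entry.
set applications application junos-tcp-any term t1 inactivity-timeout 7800

## 3. Every other predefined application referenced by a policy keeps its own
##    timeout. List what the policies use, then inspect each object's
##    structure (term or no term) before adding its timeout the same way.
run show configuration security policies | display set | match application
run show configuration groups junos-defaults applications application junos-ssh
run show configuration groups junos-defaults applications application junos-http

## 4. Commit with a safety net: the change is rolled back automatically
##    unless confirmed within 2 minutes.
commit confirmed 2
## ... check management access and that new sessions get the new timeout ...
run show security flow session protocol tcp
## then make it permanent:
commit

## 5. Confirm the merged result.
run show configuration applications | display set | match inactivity-timeout
```

The `run show security flow session protocol tcp` check is worth doing inside the confirmation window: sessions created after the commit should show a Timeout at or just below 7800, while sessions matched by policies that reference other predefined objects keep those objects' own timeouts.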
