Screen OS

Hello,

Was wondering if someone could help me with this question.  According to the config docs when a packet goes through the netscreen/ssg the device will look for an existing session if there isn't one there it will go on to a route lookup.  My question is what happens to existing sessions if I change a route on the firewall or dymanic routing changes the route?  Do these sessions get dropped as the nexthop has changed?  Or do the existing sessions get an update of the route somehow?   Just trying to work out the impact on users of a route change.  The answer wasn't apparent in the guides and I don't have a device to hand to test right now.

Many Thanks

RK

Hi RK,

I agree that it is not terribly well documented.

NetScreens keep software and hardware sessions. When a route changes (either dynamically, or bystatic route changes) a process goes through the software sessions, and changes the next hop mac address. The hardware sessions are then deleted, so that subsequent packets are directed to the CPU, and the software session is copied back into the hardware, so packets can be processed by ASIC again.

So in answer to your question, if a route changes (or indeed an arp address) the session will continue, and an internal process will direct the packets to the new next hop. This does raise the CPU load though.

The only exception to this is where the new next hop is in a different zone to the old one, in which case a whole first packet processing flow may be required.

Sam.