How can I expire non-active sessions on my Netscreen SSG140?

Posted by David Mackintosh on Server Fault See other posts from Server Fault or by David Mackintosh
Published on 2011-03-04T18:35:43Z Indexed on 2011/03/14 0:11 UTC
Read the original article Hit count: 582

Filed under:
|
|

I have a Juniper Netscreen SSG-140.

While experimenting with a VoIP service, I defined a custom policy that was to be used to permit the possible ports in use to be sent back to the VoIP server from systems connecting across the internet. Because I'd had problems in the past with VoIP systems getting broken when their UDP sessions were expired out faster than their keep-alives were generated, I set the timeout on this custom service to be 'never'.

After much experimentation, I happened to notice that my session count on the firewall has grown from a couple thousand to over 36000.

After discussion with the VoIP "expert", I set the timeout to be 30 minutes; however, all the sessions set up during the experimentation process are still there, more than 3 days later.

Is there a way I can force these old sessions to get expired and removed from the session table, or am I looking at resetting my firewall?

(Both firewalls, actually -- they are in a cluster.)

© Server Fault or respective owner

Related posts about juniper

Related posts about netscreen