I have a Juniper Netscreen SSG-140.
While experimenting with a VoIP service, I defined a custom policy that was to be used to permit the possible ports in use to be sent back to the VoIP server from systems connecting across the internet. Because I'd had problems in the past with VoIP systems getting broken when their UDP sessions were expired out faster than their keep-alives were generated, I set the timeout on this custom service to be 'never'.
After much experimentation, I happened to notice that my session count on the firewall has grown from a couple thousand to over 36000.
After discussion with the VoIP "expert", I set the timeout to be 30 minutes; however, all the sessions set up during the experimentation process are still there, more than 3 days later.
Is there a way I can force these old sessions to get expired and removed from the session table, or am I looking at resetting my firewall?
(Both firewalls, actually -- they are in a cluster.)
You can use the
clear session
command. The trick is which sessions to clear. The easy way out isclear session all
, but that's almost as bad as resetting the entire firewall (except users will be able to reestablish their connections immediately rather than waiting for the firewall to come back up).Look at the options to the
clear session
command. Depending on your situation, you can probably narrow down the sessions to clear based onsrc-ip
,dst-port
, etc.You can use
get session
to see all of the sessions. Since it's a very large list, you can doget session > tftp x.x.x.x filename
to TFTP a copy of the session table somewhere that you can sort through offline.