Juniper and the kaspersky network agent/traffic

Our Administration Kit server is in Houston and I recently installed Kaspersky in our Chicago location. In the past I would usually install a slave server to act as the admin kit for the office. However, for this office I used one of their servers as the update agent and rolled out Kaspersky along with the Network Agent across the VPN tunnel. Everything went well except a couple of days later their Juniper firewall went down. I pulled a session dump from my Juniper and I see that there are 18000 connections and counting from my Chicago office to my administration server. I'm having to go in and periodically clear out the sessions.

This may be more of a question suited for a Juniper forum (and I'm going to post there as well), but does anyone have any ideas why my Juniper would not close a session with my admin kit server before starting a new one?

Any help would be much appreciated.  Thanks so much!

techlinden asked:

deimark commented:
I suspect that the firewall is not seeing the session closed gracefully, hence the "stale" sessions seen.

I would perhaps consider deploying screen options on the affected zone where you see the stale sessions, and then limit the number of concurrent sessions to a reasonable amount for a given source or destination IP.

HTH
0

mindwise commented:
Hi TLinden,

"but does anyone have any ideas why my juniper would not close a session with my admin kit server before starting a new one"

I'm not sure if the above means that the Juniper is initiating sessions itself, or that it's clients behind the Juniper that try to update through the tunnel... I will (like deimark) assume it's the latter.

The reason the firewall would create a new session is that it likely sees a (new) session with a different source port.
The firewall cannot know if that session is related to another session (with a different source port) and will, if the policy permits this, create a new session. (good behavior).

Hence the question is more why the *unused?* session is not discarded...(in time)

I see that Kaspersky uses both TCP as well as UDP to update. In both cases a "timeout" will exist for each session, and every time a packet uses a session, that session timeout is refreshed to the protocol max (i.e. 5 minutes for HTTP).
TCP sessions may also be closed if a FIN/FIN-ACK sequence was seen by the firewall... it seems this does not happen...

Do you have very long timeouts for protocols defined that might lead to the session table being drained?

The default timeout for UDP is 1 minute, so unless you changed that, that's not the problem...
For any TCP apart from HTTP, the default timeout is 30 minutes, and that might be too long in your case...

If you see in the session table that the hanging sessions are indeed TCP and using a timeout of 30 minutes or more (30 minutes x 60 / 10 = number of ticks, i.e. the max timeout for such sessions in the session table is 180 ticks), then:

I would advise you to find the TCP ports Kaspersky uses to connect to the admin server, and create a service for those ports where you define a custom timeout value of i.e. 5 minutes... I think you'll find the session table clears the unused sessions quickly enough then.

kr,

/M
0
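To make the timeout arithmetic in mindwise's reply concrete, here is an added simulation (not code from the thread or from Juniper/Kaspersky) of a stateful firewall session table whose 10-second ager never sees a TCP FIN, so entries only leave by timeout; the agent count, poll interval, addresses and destination port are constructed assumptions.

```python
"""Model a firewall session table where clients open a new TCP session (new
source port) on every poll and the firewall never observes the FIN/FIN-ACK
close, so entries age out only by the per-service timeout."""
from dataclasses import dataclass

TICK_SECONDS = 10  # session ager granularity quoted in the reply (30*60/10 = 180 ticks)


def timeout_ticks(minutes: int) -> int:
    """Convert a service timeout in minutes into ager ticks."""
    return minutes * 60 // TICK_SECONDS


@dataclass
class Session:
    src_ip: str
    src_port: int
    dst_port: int
    expires_at: int  # tick at which the ager removes this entry


class SessionTable:
    def __init__(self, timeout_minutes: int):
        self.ttl = timeout_ticks(timeout_minutes)
        self.sessions: dict[tuple, Session] = {}

    def packet(self, tick: int, src_ip: str, src_port: int, dst_port: int) -> None:
        # A fresh source port is a new 5-tuple: the firewall cannot relate it to an
        # earlier session, so it creates (or refreshes) an entry with a full timeout.
        key = (src_ip, src_port, dst_port)
        self.sessions[key] = Session(src_ip, src_port, dst_port, tick + self.ttl)

    def age(self, tick: int) -> None:
        # Only path out of the table when no graceful close is ever seen
        self.sessions = {k: s for k, s in self.sessions.items() if s.expires_at > tick}

    def __len__(self) -> int:
        return len(self.sessions)


def simulate(timeout_minutes: int, agents: int = 10, interval_ticks: int = 6, total_ticks: int = 360) -> int:
    """Each agent polls the admin server every interval_ticks (60 s) from a new
    ephemeral port. Returns the peak number of entries held in the table."""
    table = SessionTable(timeout_minutes)
    peak = 0
    for tick in range(total_ticks):
        table.age(tick)
        if tick % interval_ticks == 0:
            for a in range(agents):
                # constructed client addresses, rolling ephemeral port, assumed server port 13000
                table.packet(tick, f"10.1.0.{a + 1}", 40000 + tick + a, 13000)
        peak = max(peak, len(table))
    return peak
```

With the 30-minute default each agent holds 30 stale entries at once; with a 5-minute custom service timeout the same traffic settles at 5 per agent.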