Unexplained High sessions & Cpu on Netscreen

  • Hi all

    i work for a company & we are running a 5200 , quite a big boy , i work in the NOC & am trying to find a solution , we have quite a large customer base behind the 5200 & are finding it quite dificult to track what is causing the high sessions.

    we have about 40 Vsys’s running in the firewall & it is proving to be a nightmare to try to identify what is causing the cpu to peak over 80% and we get over 200k sessions & it has even peaked at 1milion sessions on one occasion.

    bassically i am looking for some advise on how to identify per vsys what address range could be causing the cpu tp “spike” & the sessions

    PS , we are monitoring the sesions via SNMP but u can only get the total sessions via SNMP not per vsys.

    Thank you for any assistance

  • administrators

    Can you do some sniffing on the network to figure out where all the sessions are coming from? I would whack ntop (http://www.ntop.org) on a box, it will give you a neat little interface where you can see what hosts are spawning all of the connections.

    There are some commercial products that do the same thing, but this is free, and it will take you about 30 seconds to get it up and running.

  • We also have a pair of 5200-II. I just posted a subject:5200 problem before I read yours. We also encountered High CPU issue, but we only run one vsys. The Juniper support recommended 5.00r9a. Now, we encountered more serious problem. The firewall just stop passing traffic. We could ping and telnet to the unit, but not Webui and SSL. May I know which version of firmware is running on yours?

  • Hi All & thanks for the replies 😉
    1st- Raiden we dont use the 5200 as a router we have Juniper M160 doiong that job:)

    We have enabled screen limits of 2000 sessions a sec on any single IP
    we have been in constant contact with junipe/netscreen support & they too have advised us about running as little as possibel logging , which is what our current setup seems to be.

    but i wil check 0on the other items you mentioned

    we are actulay upgrading to the latest Screenos code next week , so lets hold thumbs for a seemless transition.

    thnx all

  • Don’t know if this is relevant for a big device such as your 5200, but I had a customer who started to use the netscreen as a router too, which made in his case, every domain-logon passing the netscreen, and in such way that for every request was a session was built up. In no time we hit its limits …


  • Not sure if you are still having this problem, but I did run into a few things that helped me in a similar situation.

    1> Turn down the logging levels. Juniper turns all logging options on to the debug level.
    2> Remove any logging for destinations not configured. eg, if you dont have a syslogger, dont tell the firewall to send logs there.
    3> set some session limits
    4> make sure you have adequate screen options enabled to protect against resource depletion (DOS, DDOS) attacks.

  • Sorry but can anyone offer any advise ?