Active Session Count wrong

  • Hi,

    flipped master and backup ssg140s over.

    Since then the counter (snmp, web console) has been real value plus 300.
    Confirmed with “get session”

    tried clear counters all, clear snmp, clear sessions. Still wrong.

    new to junipers, loving it after time with WG.

    PS Since using Junipers I found juniper sites hard to find and navigate. The support pages were differcult. I used to use another juniper forum. looked more official had Juniper engineers respond but low traffic. last time I went there it it was shut for upgrading, warning I would have to register again. So is this new site, was that a special JTAC site or am i going mad. Do not really matter this site is much better to use.

  • Engineer

    It appears you’re using the same OID as me with my set up. I will say that there used to be a bug with a few versions of screenOS that would cause this to misreport. Any chance you’ve hit up JTAC on this issue yet?
                    <nsressessallocate><name>Active Sessions</name>

  • I am using Opmanager v7, they have some netscreens supported out of box.
    I used netscreen 50 device template. The session count matches web console.
    Waiting for SSG to be supported either by Advent, community or me.

    Here’s the OID they use.


  • Engineer

    Sorry what I meant was what OID are you using? (It was 5am and I wasn’t completely awake.)

  • i assume you mean user. using admin user with root privs.

  • Engineer

    And what is the uid that you are pulling?

  • Hi,

    took a couple.

    snmp  cmdline
    509    258
    543    286

  • Engineer

    Can you please post what is reported via web/snmp as well as an output of “get session info”?

  • Yes and the web console matches to snmp. At first I thought it was my new network management tool but console showed other wise.

  • Engineer

    Ah so your problem is that snmp polling of sessions is reporting something other than what you see via command line?

  • Tim,

    Actually no.

    I use active/passive. I did not set passive so I could manage it. I mistake I will rectify some time.

    The active or master is showing 360 in snmp/console. The cmd line shows 60. Can not see whats happening on passive/backup.

    After posting I read about the x8 on backup. This only comes into play if the snmp/console is reporting all sessions across active/passive which I am doubting.


  • Engineer

    Welcome to the site… Yes Juniper’s website sucks. The knowledge base is slightly better

    Hopefully I understood this question correctly. Basically you noticed that your master and backup firewall are reporting a different number of sessions via the “get session” or the “get session info” command?

    Could you please explain it a bit more? I want to make sure I understand your problem…

    If you just noticed that they are different (i.e the back up has more than the master, or the master has more after fail over…) This is normal.

    Upon session creation the Master firewall will send the session data to the back up firewall. The back up firewall then creates the same session with 8 times  (I believe it’s 8 times) the policies time out.

    An example of this is a telnet connection. The default time out for telnet is 30 minutes. Upon the first telnet packet the firewall will create a session on the master for 30 minutes (180 ticks). The master will then via NSRP pass the session data to the back up. At that time the back up will create the session with 1440 ticks as the time out.

    This isn’t a “problem” per say because when the connection is closed the master will also tell the back up to tear the connection down. But it will cause the back up firewalls session table to often be slightly larger than the masters. In events of fail over it will also falsely inflate the firewalls session table midly.