This article provides information about the event that triggers the CP/Flow session table full alarm on SRX devices.
There can be two scenarios.
1. The total CP session capacity is higher than the sum of the max flow session capacities of all SPUs.
Example: An SRX 3600 without the extreme license has around 2.3 million CP session capacity. If the same box uses just 2 SPUs, the total of the max flow sessions of both SPUs amounts to around 1.5 million sessions.
2. The total CP session capacity is lower than the sum of the max flow session capacities of all SPUs.
Example: An SRX 3600 without the extreme license has around 2.3 million CP session capacity. If the same box uses just 4 SPUs, the total of the max flow sessions of those SPUs amounts to around 3.5 million sessions.
Case 1: The total CP session capacity is higher than the sum of the max flow session capacities of all SPUs.
When the session table of a flow SPU is full, the failed-sessions counter increases if new sessions are created on this SPU:
    root@srx01> show security flow session summary no-forwarding
    Flow Sessions on FPC6 PIC0:
    Unicast-sessions: 40865
    Multicast-sessions: 0
    Failed-sessions: 6911884
    Sessions-in-use: 43129
      Valid sessions: 41415
      Pending sessions: 0
      Invalidated sessions: 1613
      Sessions in other states: 0
    Maximum-sessions: 524288

    Flow Sessions on FPC7 PIC0:
    Unicast-sessions: 81946
    Multicast-sessions: 0
    Failed-sessions: 13446487
    Sessions-in-use: 86637
      Valid sessions: 83570
      Pending sessions: 0
      Invalidated sessions: 2652
      Sessions in other states: 0
    Maximum-sessions: 1048576
Case 2: The total CP session capacity is lower than the sum of the max flow session capacities of all SPUs.
However, it is rare for the following alarm to be generated in syslog at the same time:
    Feb 13 11:11:57 2011 XJMobile-SRX3600 alarmd[1071]: Alarm set: SESSION TABLE color=YELLOW, class=ETHER, reason=CP/Flow session table full
    Feb 13 11:11:57 2011 XJMobile-SRX3600 craftd[1072]: Minor alarm set, CP/Flow session table full
This alarm is generated when the current number of CP sessions is greater than the sum of the max flow sessions of all SPUs. The alarm is cleared when the current number of CP sessions is less than or equal to the sum of the max flow sessions of all SPUs.
To obtain the current number of CP sessions, use either of the following commands:
    === SPU5.0, node0.fpc5.pic0
    flowd> show usp cp flow stats
    CP Flow Statistics
    IPv4 current flows 1818546

Or:

    show snmp mib get 1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6.

    root@BJBJ-DCD-FW-SRX3600-2> show snmp mib get 1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6.5
    jnxJsSPUMonitoringCurrentFlowSession.5 = 1818546

The sum of the maximum flow sessions can be obtained via either of the following commands:

    srx-cprod.sh -s spu -c "show usp flow session summary" | grep Total

    root@BJBJ-DCD-FW-SRX3600-2% srx-cprod.sh -s spu -c "show usp flow session summary" | grep Total
    Total sessions 524288
    Total sessions 1048576

Or:

    show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1.1.1.7.

    root@BJBJ-DCD-FW-SRX3600-2> show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1.1.1.7
    jnxJsSPUMonitoringMaxFlowSession.5 = 524288
    jnxJsSPUMonitoringMaxFlowSession.6 = 1048576
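The alarm condition above can be checked offline from saved command output. The following Python sketch is an added example, not Juniper code: it parses the SNMP and flow session summary output shown in this article and applies the stated comparison. The function names and the `cp_index` parameter are assumptions made for illustration.

```python
import re
# Sample output copied from this article; not live data.
SNMP_OUTPUT = """\
jnxJsSPUMonitoringCurrentFlowSession.5 = 1818546
jnxJsSPUMonitoringMaxFlowSession.5 = 524288
jnxJsSPUMonitoringMaxFlowSession.6 = 1048576
"""
FLOW_SUMMARY = """\
Flow Sessions on FPC6 PIC0:
Failed-sessions: 6911884
Sessions-in-use: 43129
Maximum-sessions: 524288
Flow Sessions on FPC7 PIC0:
Failed-sessions: 13446487
Sessions-in-use: 86637
Maximum-sessions: 1048576
"""

def parse_snmp(text):
    """Return {object: {index: value}} from 'object.index = value' lines."""
    table = {}
    for name, idx, val in re.findall(r"^(\w+)\.(\d+)\s*=\s*(\d+)\s*$", text, re.M):
        table.setdefault(name, {})[int(idx)] = int(val)
    return table

def cp_flow_alarm(cp_current, max_flow_per_spu):
    """Article's condition: set while CP current > sum of SPU max flow sessions."""
    return cp_current > sum(max_flow_per_spu)

def parse_flow_summary(text):
    """Return {'FPC6 PIC0': {'Failed-sessions': n, ...}} per flow SPU."""
    spus, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*Flow Sessions on (FPC\d+ PIC\d+):", line)
        field = re.match(r"\s*([\w-]+(?: [\w-]+)*):\s*(\d+)\s*$", line)
        if head:
            current = spus.setdefault(head.group(1), {})
        elif field and current is not None:
            current[field.group(1)] = int(field.group(2))
    return spus

def report(snmp_text, summary_text, cp_index):
    """Return (alarm_expected, {spu: failed_sessions}); cp_index is operator-supplied."""
    snmp = parse_snmp(snmp_text)
    cp = snmp["jnxJsSPUMonitoringCurrentFlowSession"][cp_index]
    alarm = cp_flow_alarm(cp, snmp["jnxJsSPUMonitoringMaxFlowSession"].values())
    failed = {n: s.get("Failed-sessions", 0) for n, s in parse_flow_summary(summary_text).items()}
    return alarm, failed
```

With the article's sample values, `report(SNMP_OUTPUT, FLOW_SUMMARY, cp_index=5)` reports the alarm as expected, because 1818546 CP sessions exceed the 1572864 combined maximum flow sessions.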