The USG2210 Fails to Limit the Bandwidth

Publication Date: 2012-07-25
Issue Description
The connection limit configured on the USG2210 cannot be observed in the sniffer capture.
Connect to the host 61.*.*.*. The user name is obtained.
[8:09:23] - [28] user AN [61.*.*.*] connection
[8:09:23] - [28] ANONYMOUS: Current directory: E:\ftp\
[8:09:23] - [28] ANONYMOUS: Current directory: E:\ftp\
[8:09:33] - [28] ANONYMOUS: Current directory: E:\ftp\360\
[8:09:36] - [28] ANONYMOUS: Current directory: E:\ftp\360\AV\
[08:09:41] - [28] ANONYMOUS: Current directory: E:\ftp\360\AV\
[8:09:41] - [28] ANONYMOUS: Start to download E:\ftp\360\AV\360sd-upd.exe
[8:10:03] - [28] ANONYMOUS: File download succeeds: E:\ftp\360\AV\360sd-upd.exe (518.63 K/S - 11 683 616 bytes)
Alarm Information
None.
Handling Process
1. According to the capture information and snapshots provided by the customer, the traffic limiting rate is not reached.
2. Check the configuration:
firewall car-class 1 2000000
firewall conn-class 1 10
 
acl number 3002
 rule 5 permit tcp source 10.0.0.0 0.0.0.255
 rule 10 permit tcp source 10.0.3.0 0.0.0.255
 
firewall zone trust
 set priority 85
 add interface Ethernet0/0/1
 ip-car enable
 ip-conn tcp inzone 1 acl-number 2000
 ip-car inzone 1 acl-number 2000
 ip-car outzone 1 acl-number 2000
 ip-car inzone filter acl-number 3002
 ip-car outzone filter acl-number 3002
 ip-conn inzone filter acl-number 3002
 ip-conn outzone filter acl-number 3002
3. The traffic limiting function is configured only for TCP connections, so other connections are not limited. Configure the traffic limiting function for IP addresses instead: change "rule 5 permit tcp source 10.0.0.0 0.0.0.255" to "rule 5 permit ip source 10.0.0.0 0.0.0.255".
4. After the configuration is modified, the traffic limiting succeeds.
Root Cause
With IP-CAR, traffic limiting that is configured for a specific protocol is applied only to that protocol. In practice, the traffic limiting should be configured for IP addresses.
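The check below is an added example, not part of the original case or any Huawei tooling. It parses the configuration excerpt from this page and lists ACL rules referenced by ip-car/ip-conn that match a single protocol instead of ip, along with ACL numbers that are referenced but not defined in the excerpt. The audit function and its parsing rules are assumptions for illustration and cover only the command forms shown above.

```python
import re

# Configuration excerpt copied from the case above.
CONFIG = """\
firewall car-class 1 2000000
firewall conn-class 1 10
acl number 3002
 rule 5 permit tcp source 10.0.0.0 0.0.0.255
 rule 10 permit tcp source 10.0.3.0 0.0.0.255
firewall zone trust
 set priority 85
 add interface Ethernet0/0/1
 ip-car enable
 ip-conn tcp inzone 1 acl-number 2000
 ip-car inzone 1 acl-number 2000
 ip-car outzone 1 acl-number 2000
 ip-car inzone filter acl-number 3002
 ip-car outzone filter acl-number 3002
 ip-conn inzone filter acl-number 3002
 ip-conn outzone filter acl-number 3002
"""

def audit(config):
    """Return (protocol_scoped_rules, undefined_acls) for ACLs used by ip-car/ip-conn."""
    acls, referenced, current = {}, set(), None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"acl number (\d+)$", line):
            current = int(m.group(1))
            acls[current] = []
        elif (m := re.match(r"rule (\d+) (permit|deny) (\S+)", line)) and current is not None:
            acls[current].append((int(m.group(1)), m.group(3)))
        else:
            if line:
                current = None  # any other command leaves the ACL view
            if m := re.match(r"ip-(?:car|conn)\b.*\bacl-number (\d+)$", line):
                referenced.add(int(m.group(1)))
    scoped = [(acl, rule, proto) for acl in sorted(referenced & set(acls))
              for rule, proto in acls[acl] if proto != "ip"]
    return scoped, sorted(referenced - set(acls))

if __name__ == "__main__":
    scoped, undefined = audit(CONFIG)
    for acl, rule, proto in scoped:
        print(f"acl {acl} rule {rule}: matches {proto} only; other protocols are not limited")
    for acl in undefined:
        print(f"acl {acl}: referenced by ip-car/ip-conn but not defined in this excerpt")
```
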
Suggestions
P2P traffic limiting on the firewall takes effect only when the pattern file matches the version of the protocol being limited. IP-CAR traffic limiting is therefore adopted instead; it can limit either the number of connections or the bandwidth.