USG3000 series firewall cannot establish new connections even though the number of connections has not reached the limit

Publication Date: 2012-10-17
Issue Description
A USG3000 firewall at a site was configured with the connection number limit function: for the DMZ server X.X.X.X, “firewall conn-class 1 100” was configured, and the connection count limit policy was applied in the DMZ zone. In actual use, new user connections could not be established even though the number of users was far less than 100.
Alarm Information
None.
Handling Process
1. Check the current session table: the corresponding server has only about 50 sessions, yet newly initiated connections cannot be established and no session table entries are created for them.
2. After waiting for a period of time, new users gradually establish connections, but the total number of sessions is still far less than 100.
3. Validated with research and development: at present, when a session on the low-end firewall ages, it is not immediately deleted from memory but has to wait for the timer's polling. Only when the polling reaches the aged session is it deleted from memory and the corresponding counter decreased at the same time.
4. Taking into account the customer's total number of users and connection establishment frequency, and ensuring that the interval of newly established sessions and that of aging sessions are the same, change “firewall conn-class 1” to 200, and then observe that the session table holds about 100 entries.
Root Cause
When an old session has aged, the corresponding session counter has not been decreased accordingly.
Suggestions
At present, when a session on the low-end firewall ages, it is not immediately deleted from memory but has to wait for the timer's polling, and this time is random.
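The following Python sketch is an added example, not Huawei's implementation and not part of the original case. It models a limit that is checked against a counter decremented only when a poll removes aged sessions, showing refusals while few sessions are still live under a limit of 100 and none under 200. The arrival rate, aging time and fixed poll period are constructed values (the real poll time is described above as random).

```python
# Added illustration: simplified model of lazy session aging, not Huawei's code.
# rate, ttl and poll are constructed values chosen for the demonstration.

class LazyAgingLimiter:
    def __init__(self, limit, ttl, poll):
        self.limit, self.ttl, self.poll = limit, ttl, poll
        self.sessions = {}   # session id -> tick at which it ages out
        self.counter = 0     # value the connection limit is checked against
        self.now = 0
        self.next_id = 0

    def live(self):
        """Sessions that have not aged out yet."""
        return sum(1 for exp in self.sessions.values() if exp > self.now)

    def connect(self):
        """Admit a new session unless the counter has reached the limit."""
        if self.counter >= self.limit:
            return False     # refused even if most counted sessions are aged
        self.sessions[self.next_id] = self.now + self.ttl
        self.next_id += 1
        self.counter += 1
        return True

    def tick(self):
        """Advance time; only the periodic poll frees aged sessions."""
        self.now += 1
        if self.now % self.poll == 0:
            for sid in [s for s, exp in self.sessions.items() if exp <= self.now]:
                del self.sessions[sid]
                self.counter -= 1   # counter drops only here, not at aging time

def simulate(limit, ticks=60, rate=10, ttl=10, poll=10):
    """Return (refused, fewest live sessions seen at a refusal, peak live)."""
    fw = LazyAgingLimiter(limit, ttl, poll)
    refused, live_at_refusal, peak = 0, [], 0
    for _ in range(ticks):
        for _ in range(rate):
            if not fw.connect():
                refused += 1
                live_at_refusal.append(fw.live())
        peak = max(peak, fw.live())
        fw.tick()
    return refused, min(live_at_refusal, default=None), peak

if __name__ == "__main__":
    print("limit 100:", simulate(100))
    print("limit 200:", simulate(200))
```

In this model the limit has to cover the live sessions plus the aged sessions still waiting for the next poll, which is why raising it to 200 stops the refusals for a load of about 100 live sessions.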
