Device repeatedly logs a warning that session usage has reached 90%

Publication Date: 2012-11-09
Issue Description
The device repeatedly logs a warning that session usage has reached 90%, as follows:
2012-03-12 14:46:53 USG5320 %%01SYSTEM/4/SESSION(l): The session usage exceeds threshold 90%, the current session usage is 99%, and the maximum number of sessions is 819200.
2012-03-12 14:46:58 USG5320 %%01SYSTEM/4/SESSION(l): The session usage exceeds threshold 90%, the current session usage is 99%, and the maximum number of sessions is 819200.
2012-03-12 14:47:03 USG5320 %%01SYSTEM/4/SESSION(l): The session usage exceeds threshold 90%, the current session usage is 99%, and the maximum number of sessions is 819200.
2012-03-12 14:47:08 USG5320 %%01SYSTEM/4/SESSION(l): The session usage exceeds threshold 90%, the current session usage is 99%, and the maximum number of sessions is 819200.
Alarm Information
None.
Handling Process
Configure an interzone policy for traffic from the internal network to the external network and enable TCP attack defense, as follows:
#
firewall defend tcp-flag enable
firewall defend syn-flood enable
firewall defend source-syn-flood zone trust
firewall defend source-syn-flood zone untrust1
#
#
policy interzone trust untrust1 outbound
 policy 0
  action permit
  policy source 192.168.0.0 0.0.0.255

 policy 2
  action deny
#
Check the current session table. The session count dropped immediately:
dis firewall session table
16:04:49  2012/03/12
Current Total Sessions : 156
  DNS  VPN: public -> public 192.168.0.25:50898-->202.99.166.4:53
  DNS  VPN: public -> public 192.168.0.25:45430-->202.99.166.4:53
  DNS  VPN: public -> public 192.168.0.23:41833-->222.222.222.222:53
  DNS  VPN: public -> public 192.168.0.26:41458-->222.222.222.222:53
  DNS  VPN: public -> public 192.168.0.24:32969-->202.99.166.4:53
  DNS  VPN: public -> public 192.168.0.26:35860-->222.222.222.222:53
  HTTP  VPN: public -> public
  60.6.223.161:80[192.168.0.24:80]<--123.245.124.44:2405
  DNS  VPN: public -> public 192.168.0.24:39139-->202.99.166.4:53
  DNS  VPN: public -> public 192.168.0.26:49256-->222.222.222.222:53
  DNS  VPN: public -> public 192.168.0.27:39191-->222.222.222.222:53
  DNS  VPN: public -> public 192.168.0.21:41427-->222.222.222.222:53
Root Cause
Checking the session table shows that the current session count is over 760000:
[USG5320]dis firewall session table
14:47:37  2012/03/12
Current Total Sessions : 767315
  tcp  VPN: public -> public 9.138.14.41:1024-->91.215.254.221:0
  tcp  VPN: public -> public 234.228.248.38:3072-->91.215.254.221:0
  tcp  VPN: public -> public 138.249.159.37:1024-->91.215.254.221:0
  tcp  VPN: public -> public 112.147.137.54:1024-->91.215.254.221:0
  tcp  VPN: public -> public 112.146.62.62:3072-->91.215.254.221:0
  tcp  VPN: public -> public 182.162.54.112:3072-->91.215.254.221:0
  tcp  VPN: public -> public 16.158.160.69:3072-->91.215.254.221:0
  tcp  VPN: public -> public 234.45.181.28:1024-->91.215.254.221:0
  tcp  VPN: public -> public 145.102.26.4:3072-->91.215.254.221:0
  tcp  VPN: public -> public 158.100.136.7:1024-->91.215.254.221:0
  tcp  VPN: public -> public 160.16.35.114:3072-->91.215.254.221:0
  tcp  VPN: public -> public 75.118.194.7:1024-->91.215.254.221:0
  tcp  VPN: public -> public 64.55.4.58:3072-->91.215.254.221:0
None of the sessions above involve the site's own public addresses. After the external network cable to the telecom carrier was disconnected, the sessions disappeared; as soon as the telecom line was reconnected, the session count immediately rose to over 700 thousand. This suggests that a computer virus or an attack source exists on the internal network and that it is spoofing source addresses.
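The check described above can be automated over saved session table output. This is an added example, not part of the original case or of any Huawei tool: it groups outbound entries by destination and flags destinations where most sessions claim a source address outside the internal range. The 192.168.0.0/24 range is an assumption taken from the policy source shown in the handling process, and the function names and thresholds are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# One outbound entry of the session table, in the layout shown on this page.
ENTRY = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:\s*\S+\s*->\s*\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)-->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s*$"
)

def summarize(table_text, trusted_net="192.168.0.0/24"):
    """Group outbound sessions by destination; count sources outside trusted_net."""
    net = ipaddress.ip_network(trusted_net)  # assumed internal range
    stats = defaultdict(lambda: {"sessions": 0, "sources": set(), "foreign": 0})
    for line in table_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, timestamp, inbound (<--) or wrapped lines
        s = stats[(m["dst"], int(m["dport"]))]
        s["sessions"] += 1
        s["sources"].add(m["src"])
        if ipaddress.ip_address(m["src"]) not in net:
            s["foreign"] += 1  # source cannot legitimately sit in the trust zone
    return stats

def suspects(stats, min_sessions=5, foreign_ratio=0.8):
    """Destinations where most sessions carry a source outside the internal range."""
    return sorted(
        dst for dst, s in stats.items()
        if s["sessions"] >= min_sessions and s["foreign"] / s["sessions"] >= foreign_ratio
    )

# Sample input assembled from entries in the two session tables on this page.
SAMPLE = """\
Current Total Sessions : 767315
  tcp  VPN: public -> public 9.138.14.41:1024-->91.215.254.221:0
  tcp  VPN: public -> public 234.228.248.38:3072-->91.215.254.221:0
  tcp  VPN: public -> public 138.249.159.37:1024-->91.215.254.221:0
  tcp  VPN: public -> public 112.147.137.54:1024-->91.215.254.221:0
  tcp  VPN: public -> public 112.146.62.62:3072-->91.215.254.221:0
  tcp  VPN: public -> public 182.162.54.112:3072-->91.215.254.221:0
  DNS  VPN: public -> public 192.168.0.25:50898-->202.99.166.4:53
  DNS  VPN: public -> public 192.168.0.24:32969-->202.99.166.4:53
"""

if __name__ == "__main__":
    for dst in suspects(summarize(SAMPLE)):
        print("sources outside the internal range dominate sessions to %s:%d" % dst)
```

On a full table the thresholds need tuning to the site's normal traffic; the flagged destination and the source ports it is reached from are the starting point for locating the infected internal host.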
Suggestions
This procedure only mitigates the problem and cannot solve it at the root; the only option is to take the corresponding preventive measures.