Resolving an unsuccessful connection-number limit on the USG5500

Publication Date:  2012-11-15 Views:  33 Downloads:  0
Issue Description
A customer uses a USG5500 V200R001 firewall with an IP-conn connection-number limit configured to restrict the number of TCP and UDP connections from the external network to the internal network. After the configuration, checking the server's IP address showed that the session count was far above the configured limit, so the limit was not taking effect.
Alarm Information
None.
Handling Process
The former configuration of the customer:
firewall conn-class 3 140
firewall zone trust
statistic enable ip inzone
statistic enable ip outzone
statistic connect-number ip tcp inbound 3 acl-number 2550
statistic connect-number ip udp inbound 3 acl-number 2550

Check whether ACL 2550 has been configured:

HRP_M[SHS-FW-1]dis acl 2550
10:04:53  2011/10/29
Advanced ACL 2550, 1 rule,not binding with vpn-instance
for_ip_conn
Acl's step is 5
rule 5 permit source 192.255.255.101 0 (162320 times matched)
Checking the session table, however, showed 298 sessions, more than the limit of 140:
HRP_M[SHS-FW-1]dis firewall session table destination inside 192.255.255.101
10:05:50  2011/10/29
Current Total Sessions : 298
  tcpVPN:public-->public210.58.101.226:57254-->211.144.105.176:33433[192.255.255.101:33433]
  tcpVPN:public-->public210.58.101.226:65472-->211.144.105.176:33433[192.255.255.101:33433]
  tcpVPN:public-->public194.135.103.239:52228-->211.144.105.176:33433[192.255.255.101:33433]
  tcpVPN:public-->public82.130.195.242:33855-->211.144.105.176:33433[192.255.255.101:33433]

Of the 267 sessions currently in the table, 132 were created under the original ACL 2500. These sessions are not torn down immediately; the connection count becomes accurate only after all of them have been closed.
After the configuration was changed from ACL 2500 to ACL 3551, the number actually counted against the revised limit is only the sessions created under ACL 3551 that have not yet aged out; the sessions created under ACL 2500 remain in the session table but are no longer counted:
disp firewall statistic ip-conn 192.255.255.101
Current total IP node: 28
IP Address      Src conn(TCP/UDP/NAT) Dst Conn(TCP/UDP/NAT) VPN-INSTANCE
---------------------------------------------------------------------
Src:0 Src Nat:0 Dst:2500
192.255.255.101 0    /0    /0         132  /0    /0         public
Src:0 Src Nat:0 Dst:3551
192.255.255.101 0    /0    /0         135  /0    /0         public
Src:3550 Src Nat:0 Dst:0
192.255.255.101 32   /0    /0         0    /0    /0         public
Because the ACL 2500 sessions are still aging out, execute "reset firewall session" to clear the old sessions and refresh the session table. The connection count then returns to normal and the problem is solved.
Root Cause
The customer had configured a connection-limiting policy earlier and then modified it. Sessions created under the earlier policy were not cut off immediately, so connections to the same address existed under both the old and the new policy, and the session count for that address exceeded the limit.
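The handling process and root cause above can be modelled in a few lines: a session table where each session remembers the ACL that was in force when it was created, a limit that is only enforced against sessions of the currently bound ACL, and a reset that clears the table. This is an added illustration written for this article, not USG5500 code; the class and function names are invented, the session counts are constructed, and only the 140 limit, the ACL numbers and the server address come from the page.

```python
from dataclasses import dataclass, field

SERVER = "192.255.255.101"  # server address from the page; session counts below are constructed

@dataclass
class Session:
    dst_ip: str
    policy_acl: int         # ACL in force when the session was created

@dataclass
class SessionTable:
    limit: int              # firewall conn-class limit (140 on the page)
    current_acl: int        # ACL bound to the active 'statistic connect-number' rule
    sessions: list = field(default_factory=list)

    def counted(self, dst_ip):
        # Only sessions created under the active ACL count against the limit
        return sum(1 for s in self.sessions
                   if s.dst_ip == dst_ip and s.policy_acl == self.current_acl)

    def total(self, dst_ip):
        # What 'display firewall session table' shows: every live session, old policy included
        return sum(1 for s in self.sessions if s.dst_ip == dst_ip)

    def new_connection(self, dst_ip):
        if self.counted(dst_ip) >= self.limit:
            return False    # limit enforced on the current policy's sessions only
        self.sessions.append(Session(dst_ip, self.current_acl))
        return True

    def rebind_acl(self, new_acl):
        self.current_acl = new_acl  # like changing acl-number in the connect-number rule

    def reset_sessions(self):
        self.sessions.clear()       # like 'reset firewall session'

def reproduce(limit=140, old_sessions=132, attempts=200):
    """Return (counted, total) for SERVER before and after the session reset."""
    t = SessionTable(limit, current_acl=2500)
    for _ in range(old_sessions):
        t.new_connection(SERVER)    # sessions created under the original ACL
    t.rebind_acl(3551)              # policy modified: new ACL, old sessions stay in the table
    for _ in range(attempts):
        t.new_connection(SERVER)
    before = (t.counted(SERVER), t.total(SERVER))  # (140, 272): table exceeds the limit
    t.reset_sessions()
    for _ in range(attempts):
        t.new_connection(SERVER)
    after = (t.counted(SERVER), t.total(SERVER))   # (140, 140): limit now effective
    return before, after
```

Before the reset the per-policy counter is satisfied at 140 while the table holds 272 sessions, which is the symptom in the article; after the reset the two numbers agree.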
Suggestions
None.

END