USG series firewall: new connections cannot be established although the connection-number limit has not been reached

Publication Date:  2012-12-14
Issue Description
A USG3000 firewall at a customer site had the connection-number limit feature configured: a firewall conn-class with a limit of 100 connections was configured for the server xxxx in the DMZ zone (xxxx 1 100), and the connection-limit policy was applied to the DMZ zone. In actual use, new user connections could not be established even though the number of user connections was far below 100.
Alarm Information
None
Handling Process
1. Checked the current session table: the server in question had only about 50 sessions, yet newly initiated connections could not be established and no session entries were created for them.
2. After waiting for some time, new user connections were established again one after another, but the total number of sessions was still far below 100.
3. Confirmed with R&D that the cause is the way low-end firewalls age sessions: when a session's aging time expires it is not removed from memory immediately, but stays until the aging timer polls it. Only when the poll reaches the aged session is it deleted from memory and the related counter decremented. Until then the aged session still counts against the connection limit.
4. Taking into account the total number of users and the rate at which connections are established, so that the rate of newly established sessions roughly matches the rate at which aged sessions are reclaimed, the limit of firewall conn-class 1 was changed from 100 to 200. The session table was then observed to hold about 100 sessions, and new connections were established normally.
Root Cause
When an old session has aged out, the related session counter is not decremented until the aging timer polls and deletes the session, so aged-out sessions that have not yet been reclaimed continue to count against the connection limit.
Suggestions
On low-end firewalls, a session whose aging time has expired is not removed from memory immediately; it waits for the aging timer to poll it, and the delay is random. When configuring a connection-number limit, leave headroom for aged sessions that have not yet been reclaimed (in this case the limit was raised from 100 to 200), and verify with the session table that the configured limit is not reached by live plus not-yet-reclaimed sessions.
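The following simulation is an added example and not Huawei code; it reproduces the mechanism described in this case with made-up parameters (a 30-second aging time, a fixed 120-second poll interval instead of the random one on the real device, and one new idle connection per second). The counter checked against the limit is decremented only when the poll reaps aged sessions, so with a limit of 100 the firewall rejects connections while only about 30 sessions are live; raising the limit to 200, as was done here, avoids the rejections, as does checking the limit against sessions that have not actually aged out.

```python
"""Constructed simulation (not Huawei code) of a per-class connection
limit whose counter is only decremented when a periodic aging-timer
poll reaps expired sessions."""


class SessionTable:
    """Minimal session table with a per-class connection limit.

    lazy=True reproduces the observed behaviour: an aged session stays in
    the table and keeps counting against the limit until the next poll.
    lazy=False checks the limit against sessions that have not aged out.
    """

    def __init__(self, limit, aging_time, poll_interval, lazy=True):
        self.limit = limit
        self.aging_time = aging_time
        self.poll_interval = poll_interval  # fixed here; random on the device
        self.lazy = lazy
        self.sessions = {}      # key -> last time the session saw traffic
        self.count = 0          # the counter the limit is checked against
        self.next_poll = poll_interval
        self.rejected = 0

    def is_expired(self, last_seen, now):
        return now - last_seen >= self.aging_time

    def live(self, now):
        """Sessions that have not aged out, regardless of the poll."""
        return sum(1 for t in self.sessions.values()
                   if not self.is_expired(t, now))

    def poll(self, now):
        """Aging timer: delete expired sessions and decrement the counter."""
        expired = [k for k, t in self.sessions.items()
                   if self.is_expired(t, now)]
        for k in expired:
            del self.sessions[k]
            self.count -= 1

    def new_connection(self, key, now):
        """Return True if the connection is admitted, False if rejected."""
        if now >= self.next_poll:
            self.poll(now)
            self.next_poll += self.poll_interval
        effective = self.count if self.lazy else self.live(now)
        if effective >= self.limit:
            self.rejected += 1
            return False
        self.sessions[key] = now
        self.count += 1
        return True


def simulate(limit, aging_time=30, poll_interval=120, lazy=True, duration=300):
    """One new idle connection per second for `duration` seconds.

    Returns (number of rejected connections, peak number of live sessions).
    """
    table = SessionTable(limit, aging_time, poll_interval, lazy)
    max_live = 0
    for t in range(duration):
        table.new_connection(key=t, now=t)
        max_live = max(max_live, table.live(t))
    return table.rejected, max_live


if __name__ == "__main__":
    print("limit 100, lazy counter :", simulate(limit=100))
    print("limit 200, lazy counter :", simulate(limit=200))
    print("limit 100, live sessions:", simulate(limit=100, lazy=False))
```

With the lazy counter and a limit of 100, connections are rejected during two windows (before each poll) although live sessions never exceed 30; with a limit of 200, or with the limit checked against live sessions, nothing is rejected.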
