Interruption of Communications on a Slave Firewall

Publication Date: 2013-08-26
Issue Description
Version: VRP (R) software, Version 3.30, RELEASE 0334(12)
Two Eudemon200s back each other up in dual-system hot backup. The master firewall forwards packets normally, but the slave firewall cannot ping the directly connected addresses of the upstream and downstream devices and cannot be logged in to through telnet.
Alarm Information
N/A
Handling Process
1. Check the master and slave firewall. The dual-system hot backup state is normal.
2. Check the routing table and ARP entries of the slave firewall. They are normal.
3. Run the display firewall statistic system command to check the statistics of the session table of the master and slave firewalls. The information is as follows:
a. master firewall
HRP_M<HF-E200-A>display firewall statistic system
System statistic information:
         BootCon,          14942505896,     Total connection since last reboot
       PeakSpeed,                27149,              Peak session speed(num/s)
      CurHalfCon,             31877991,     Total current TCP Half connections
    TcpSessInMem,               133829,           Total TCP sessions in Memory
      TcpSession,                16069,      Total current active TCP sessions
      UdpSession,               119882,             Total current UDP sessions
     IcmpSession,                  777,            Total current ICMP sessions
The number of session entries is 136728 (16069 + 119882 + 777), which does not reach the upper limit.
b. slave firewall
HRP_S<HF-E200-B>display firewall statistic system
System statistic information:
         BootCon,               783859,     Total connection since last reboot
       PeakSpeed,                  448,              Peak session speed(num/s)
      CurHalfCon,                 5213,     Total current TCP Half connections
    TcpSessInMem,                    1,           Total TCP sessions in Memory
      TcpSession,                    0,      Total current active TCP sessions
      UdpSession,               200000,             Total current UDP sessions
     IcmpSession,                    0,            Total current ICMP sessions
The number of UDP session entries is 200000, which reaches the upper limit.
4. When the Eudemon200 works in dual-system hot backup, the upper limit of the session table becomes 200000. The session-table statistics on the slave firewall have reached this limit, so the slave firewall cannot create any new session. As a result, communication with the upstream and downstream devices is interrupted, and the slave firewall can neither ping those devices nor accept a telnet login, because ping and telnet each require a new session to be created.
5. Change the UDP session aging time on the device to 30s. The problem is solved.
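As an added monitoring check (not part of the case or of Huawei's own tooling), the following parses the `display firewall statistic system` output shown in step 3 and flags a session table that has reached the 200000 hot-backup limit; the sample input is the slave output quoted in step 3b, and the 90% warning threshold is an assumption.

```python
import re

HRP_SESSION_LIMIT = 200000  # session-table ceiling the case states for dual-system hot backup

# Constructed sample: the slave-firewall output quoted in step 3b of the case.
SAMPLE_SLAVE = """\
HRP_S<HF-E200-B>display firewall statistic system
System statistic information:
         BootCon,               783859,     Total connection since last reboot
       PeakSpeed,                  448,              Peak session speed(num/s)
      CurHalfCon,                 5213,     Total current TCP Half connections
    TcpSessInMem,                    1,           Total TCP sessions in Memory
      TcpSession,                    0,      Total current active TCP sessions
      UdpSession,               200000,             Total current UDP sessions
     IcmpSession,                    0,            Total current ICMP sessions
"""

_PROMPT = re.compile(r"^HRP_([MS])<")       # HRP_M = master prompt, HRP_S = slave prompt
_ROW = re.compile(r"^\s*(\w+),\s*(\d+),")   # "<counter name>, <value>, <description>"

def parse_statistic_system(text):
    """Return (hrp_role, {counter_name: int}) parsed from the command output."""
    role, counters = None, {}
    for line in text.splitlines():
        m = _PROMPT.match(line)
        if m:
            role = m.group(1)
            continue
        m = _ROW.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return role, counters

def live_sessions(counters):
    """Sum of current TCP, UDP and ICMP sessions (the case's 136728 for the master)."""
    return sum(counters.get(k, 0) for k in ("TcpSession", "UdpSession", "IcmpSession"))

def diagnose(text, limit=HRP_SESSION_LIMIT, warn_ratio=0.9):
    """Return a list of findings; an empty list means the session table looks healthy."""
    role, counters = parse_statistic_system(text)
    total = live_sessions(counters)
    findings = []
    if total >= limit:
        findings.append("session table full: %d/%d, new sessions cannot be created" % (total, limit))
    elif total >= warn_ratio * limit:
        findings.append("session table high: %d/%d" % (total, limit))
    # A hot-standby slave forwards no traffic; a full table with TcpSession 0 matches root cause 1.
    if role == "S" and total >= limit and counters.get("TcpSession", 0) == 0:
        findings.append("slave table saturated with no active TCP sessions: suspect leaked session statistics")
    return findings
```

Running `diagnose(SAMPLE_SLAVE)` returns two findings for the slave, while the master output from step 3a returns none.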
Root Cause
1. On the slave Eudemon200 running version 0334, a session entry may be deleted from memory without the session statistics being decremented. The statistics therefore exceed the number of live sessions, accumulate until they reach the upper limit, and no new session entry can be created.
2. Because of a defect in Eudemon200 version 0334, some session entries cannot be aged out.
3. When a session entry with the same quintuple is being aged, the firewall does not reuse it but creates a new session entry instead, so session-entry resources run out.
Suggestions
1. In firewall version 0351, once the number of session entries reaches a certain threshold, aged entries are reclaimed quickly.
2. Mitigation method: upgrade the firewall to 0351 and shorten the UDP session aging time: firewall session aging-time udp 30
