Radius and DNS server services interrupted because the firewall session table is full

Publication Date:  2013-08-30
Issue Description
As shown in the network diagram, the OSS network behind the firewall mainly hosts the Radius server and the region's DNS servers. The services provided by these servers include Radius authentication for all Internet users and public DNS resolution for the region.


Services behind the E1000E were interrupted three times within one month, each time recovering on their own. On March 27 the interruption lasted from 11:00 to 11:25; during the failure, traffic from the NE80E to the E1000E did not get through.
Alarm Information
None.
Handling Process
Since more than 90% of the traffic is DNS, and a DNS session exchanges very few packets after the initial query and reply (almost no subsequent packets at all), it is recommended to shorten the DNS session aging time to 30 seconds so that DNS sessions age out faster. The command to change the DNS session aging time is:
firewall session aging-time dns 30
Root Cause
Checking the firewall logs showed nothing abnormal and no exception logs. The device on the live network is a Eudemon 1000E-U5, whose session table specification is 2 million sessions, but the device's session count stayed at around 1.5 million. At business peaks the number of sessions is likely to exceed this specification, in which case new sessions cannot be created and packets are dropped. The firewall's packet-loss statistics do indeed show packets discarded because session creation failed:


SessFailDisPkts,       13825253,      Session fail discard packets
SessFailDisOcts,       980837741,     Session fail discard bytes(Bytes)


At the same time, more than 90% of all sessions on the firewall were DNS sessions, as shown below:
HRP_M[LS-CGQ-XJ-OSS-1.MAN.E1000E-hidecmd]d f s t
17:13:42  2013/03/27
Current total sessions : 1596443
DNS  VPN: public -> public 20x.9y.224.68:53<--22x.1y.8.137:3244
DNS  VPN: public -> public 20x.9y.224.69:53<--22x.1y.4.16:52079
DNS  VPN: public -> public 20x.9y.224.70:53<--12x.3y.128.176:21272
DNS  VPN: public -> public 20x.9y.224.68:53<--22x.1y.3.172:6417
DNS  VPN: public -> public 20x.9y.224.68:53<--21x.15y.41.236:9145
DNS  VPN: public -> public 20x.9y.224.70:53<--12x.3y.88.124:59395
DNS  VPN: public -> public 20x.9y.224.68:26620-->12x.19y.255.147:53
DNS  VPN: public -> public 20x.9y.224.69:53<--21x.15y.51.62:47660
DNS  VPN: public -> public 20x.9y.224.68:53<--12x.3y.136.133:4260
DNS  VPN: public -> public 20x.9y.224.68:53<--12x.3y.238.15:49966
DNS  VPN: public -> public 20x.9y.224.70:53<--12x.3y.101.155:54227
DNS  VPN: public -> public 20x.9y.224.68:53<--22x.1y.25.33:1537
DNS  VPN: public -> public 20x.9y.224.70:53<--12x.3y.106.246:13651
DNS  VPN: public -> public 20x.9y.224.70:53<--12x.3y.100.11:50814 
DNS  VPN: public -> public 20x.9y.224.69:53<--12x.3y.35.211:58890
DNS  VPN: public -> public 20x.9y.224.69:53<--12x.3y.21.24:19784

The DNS session aging time is 240 seconds, but a DNS session generally exchanges only one packet in each direction and carries no subsequent traffic, so these idle sessions occupy a large share of the session table. Two examples (TTL 00:04:00 is the 240-second aging time; packets:1 in each direction is the single query and reply):
DNS  VPN: public -> public 
Zone: untrust -> aidns  Tag: 0x2588  State: 0x58
TTL: 00:04:00  Left: 00:03:14  Id: 2cd3b920  SlvId: 1f939f10
Interface: G0/0/1.11  Nexthop: 20x.9y.224.68  MAC: 34-40-b5-a1-58-e0
<-- packets:1 bytes:62   --> packets:1 bytes:234
20x.9y.224.68:53<--22x.1y.25.160:58167

DNS  VPN: public -> public 
Zone: untrust -> aidns  Tag: 0x2588  State: 0x58
TTL: 00:04:00  Left: 00:00:35  Id: 198da4b0  SlvId: 13d814c8
Interface: G0/0/1.11  Nexthop: 20x.9y.224.69  MAC: 34-40-b5-a1-5a-c8 
<-- packets:1 bytes:66   --> packets:1 bytes:190
20x.9y.224.69:53<--22x.1y.27.146:62414


At peak, the number of sessions exceeded the firewall's session table specification, so some traffic could not create sessions and its packets could not be forwarded, causing partial service interruption.
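The analysis in the Handling Process and Root Cause sections rests on two checks: what share of the session table is DNS sessions that carried a single query and reply, and how the table occupancy scales with the aging time. The following Python script is an added illustration, not part of the original case and not a Huawei tool. It parses verbose session records in the layout quoted above from a constructed sample (placeholder addresses, MACs and session IDs; the third record is a made-up TCP session for contrast), reports the DNS and single-exchange share, and applies Little's law (table occupancy = new-session rate x aging time) to the numbers quoted in the case to show why cutting the aging time from 240 s to 30 s shrinks the steady-state DNS footprint by the same factor of 8. The session rate it derives (about 6,250 new DNS sessions per second) is an estimate from the case's figures, not a measured value.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the verbose session records quoted in
# the case above. Addresses, MACs and session IDs are placeholders, not from
# the live network; the third record is a made-up TCP session for contrast.
SAMPLE_SESSIONS = """\
DNS  VPN: public -> public
Zone: untrust -> aidns  Tag: 0x2588  State: 0x58
TTL: 00:04:00  Left: 00:03:14  Id: 00000001  SlvId: 00000001
Interface: G0/0/1.11  Nexthop: 203.0.113.68  MAC: 00-00-5e-00-53-01
<-- packets:1 bytes:62   --> packets:1 bytes:234
203.0.113.68:53<--198.51.100.160:58167

DNS  VPN: public -> public
Zone: untrust -> aidns  Tag: 0x2588  State: 0x58
TTL: 00:04:00  Left: 00:00:35  Id: 00000002  SlvId: 00000002
Interface: G0/0/1.11  Nexthop: 203.0.113.69  MAC: 00-00-5e-00-53-02
<-- packets:1 bytes:66   --> packets:1 bytes:190
203.0.113.69:53<--198.51.100.146:62414

TCP  VPN: public -> public
Zone: untrust -> aidns  Tag: 0x2588  State: 0x58
TTL: 00:20:00  Left: 00:12:10  Id: 00000003  SlvId: 00000003
Interface: G0/0/1.11  Nexthop: 203.0.113.70  MAC: 00-00-5e-00-53-03
<-- packets:12 bytes:1640   --> packets:9 bytes:3100
203.0.113.70:443<--198.51.100.20:40021
"""

TTL_RE = re.compile(r"TTL:\s*(\d+):(\d+):(\d+)")
PKTS_RE = re.compile(
    r"<--\s*packets:(\d+)\s+bytes:(\d+)\s+-->\s*packets:(\d+)\s+bytes:(\d+)")


@dataclass
class Session:
    proto: str
    ttl_seconds: int      # configured aging time for this session's protocol
    pkts_in: int          # packets seen in the <-- direction
    pkts_out: int         # packets seen in the --> direction

    def is_single_exchange(self) -> bool:
        """True when at most one packet was seen in each direction."""
        return self.pkts_in <= 1 and self.pkts_out <= 1


def parse_sessions(text: str) -> list[Session]:
    """Split verbose session output into records and extract the fields we need."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        proto = lines[0].split()[0]          # first token of the record header
        ttl = TTL_RE.search(block)
        pkts = PKTS_RE.search(block)
        if not ttl or not pkts:
            continue  # skip records that are truncated or in an unexpected layout
        h, m, s = (int(x) for x in ttl.groups())
        sessions.append(Session(proto, h * 3600 + m * 60 + s,
                                int(pkts.group(1)), int(pkts.group(3))))
    return sessions


def summarize(sessions: list[Session]) -> dict:
    """Protocol share and single-exchange share, the two signals used in the case."""
    total = len(sessions)
    dns = [s for s in sessions if s.proto == "DNS"]
    return {
        "total": total,
        "dns": len(dns),
        "dns_share": len(dns) / total if total else 0.0,
        "dns_single_exchange": sum(s.is_single_exchange() for s in dns),
    }


def implied_session_rate(observed_sessions: float, aging_seconds: float) -> float:
    """Little's law: sessions held in the table = arrival rate x time each one lives.
    Given an observed table size and the aging time, this is the implied new-session rate."""
    return observed_sessions / aging_seconds


def steady_state_sessions(rate_per_second: float, aging_seconds: float) -> float:
    """Expected table occupancy for a given session arrival rate and aging time."""
    return rate_per_second * aging_seconds


if __name__ == "__main__":
    stats = summarize(parse_sessions(SAMPLE_SESSIONS))
    print(stats)
    # Back-of-envelope check using the numbers quoted in the case: ~1.5 million
    # sessions, almost all DNS, with a 240 s aging time.
    rate = implied_session_rate(1_500_000, 240)
    print(f"implied DNS session rate: {rate:.0f}/s")
    print(f"expected occupancy at 30 s aging: {steady_state_sessions(rate, 30):.0f}")
```

In practice the input would be the saved output of the verbose session display rather than the embedded sample, and the occupancy estimate should be compared against the 2 million session specification with headroom for peak query rates, since the aging time only bounds how long each idle DNS session is held, not how many arrive per second.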
Suggestions
None.
