The customer deploys the USG2100 at the egress of the public network. The customer runs a self-developed service whose server is deployed on the public network. From the intranet, the client connects to the server normally, but the connection is interrupted every 10 minutes, and it can only be restored by restarting the client.
Either of the following methods rectifies the fault:
1. Modify the aging time of the TCP session.
Run the firewall session aging-time tcp command. This prolongs the aging time of all TCP sessions. The drawback is that longer-lived sessions increase the number of concurrent connections held by the USG; once the number of concurrent connections reaches the upper limit, new connections cannot be established.
2. Use long connections.
The procedure is as follows:
1. Set the aging time of long connections to 15 hours.
2. Set the specified ACL for long connections.
3. Apply long connections to interzones.
After you enter the system view, paste the following configuration (X.X.X.X X.X.X.X stands for the server address and its wildcard mask):
firewall long-link aging-time 15
acl number 3100
rule 5 permit tcp destination X.X.X.X X.X.X.X
rule 10 permit tcp destination X.X.X.X X.X.X.X
rule 15 permit tcp destination X.X.X.X X.X.X.X
rule 20 permit tcp destination X.X.X.X X.X.X.X
rule 25 permit tcp destination X.X.X.X X.X.X.X
firewall interzone trust untrust
firewall long-link 3100 outbound
Run the display firewall session table command to query the session table on the USG. The output shows that the customer service is based on TCP connections, and the default aging time of TCP session entries is also 10 minutes. Collected client usage information shows that the client sends data to the server only every two hours.
Based on this, the fault is explained as follows. The client connects to the server over TCP, so a TCP session entry is generated on the USG with an aging time of 10 minutes. If the client sends no data for 10 minutes, the USG ages out the TCP session. When the client later sends data through the USG, the USG cannot find a matching session, so the data packet is discarded. Only after the client is restarted and re-establishes a TCP connection with the server can data be sent normally again.
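The aging behaviour described above, modelled as an added example (not USG code or the customer's service): a minimal stateful session table with idle aging, where destinations matched by the long-link ACL get the 15-hour timer and everything else gets the default 10 minutes. The addresses, port numbers and ACL prefix are constructed stand-ins for the masked values in the configuration.

```python
from ipaddress import ip_address, ip_network

DEFAULT_TCP_AGING = 10 * 60      # USG default TCP session aging time, in seconds
LONG_LINK_AGING = 15 * 3600      # "firewall long-link aging-time 15" (hours), in seconds


class SessionTable:
    """Minimal model of a stateful firewall session table with idle aging."""

    def __init__(self, long_link_acl=()):
        # Destinations matched by the long-link ACL (acl 3100 on the page) get the long timer.
        self.long_link_acl = [ip_network(n) for n in long_link_acl]
        # (src_ip, src_port, dst_ip, dst_port) -> [last_seen, aging_time]
        self.entries = {}

    def aging_for(self, dst_ip):
        if any(ip_address(dst_ip) in net for net in self.long_link_acl):
            return LONG_LINK_AGING
        return DEFAULT_TCP_AGING

    def forward(self, key, now, syn=False):
        """Return True if the packet is forwarded, False if it is discarded."""
        entry = self.entries.get(key)
        if entry is not None and now - entry[0] > entry[1]:
            del self.entries[key]        # idle longer than the aging time: session aged out
            entry = None
        if entry is None:
            if not syn:
                return False             # mid-stream packet with no session entry: dropped
            self.entries[key] = [now, self.aging_for(key[2])]
            return True
        entry[0] = now                   # any traffic refreshes the idle timer
        return True


def client_outcome(long_link_acl=(), data_interval=2 * 3600):
    """Open a connection at t=0, then send one data packet data_interval seconds later."""
    table = SessionTable(long_link_acl)
    # Constructed client/server pair; 203.0.113.10 plays the public-network server.
    flow = ("10.0.0.5", 51000, "203.0.113.10", 8443)
    assert table.forward(flow, now=0, syn=True)
    return table.forward(flow, now=data_interval)
```

With the default timer the two-hourly data packet finds no session and is dropped; with the server covered by the long-link ACL, or with the client sending inside the 10-minute window, it is forwarded.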