A site's USG3000 firewall had the connection-count limit feature configured: for the DMZ server X.X.X.X it was configured with "firewall conn-class 1 100", and the connection-limit policy was applied to the DMZ zone. In actual use, it was found that even with far fewer than 100 users, new user connections could not be established.
1. Checked the current session table: the server had only about 50 sessions, yet newly launched connections could not be established and no session-table entry was created for them.
2. After waiting for a period of time, new users gradually did establish connections, but the total session count was still far less than 100.
3. Confirmed with R&D: the cause is that on the current low-end firewall, a session that has aged out is not deleted from memory immediately; deletion waits for a polling timer. Only when polling reaches the aged session is it deleted from memory and the corresponding counter decremented.
4. Taking the customer's total number of subscribers and connection-establishment rate into account, so that new-session establishment and session aging balance out over the polling interval, "firewall conn-class 1" was changed from 100 to 200. The session table was then observed to hold about 100 entries.
After an old session has aged out, the corresponding session counter is not cleared in step with it.
On the current low-end firewall, an aged session is not deleted from memory immediately but waits for the polling timer, and this delay is random.
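The following simulation is an added example, not from the case note or from Huawei, and is not the firewall's actual implementation. It models the mechanism the note describes: sessions age out on time, but the per-class connection counter is only decremented when a polling timer reclaims them, so the counter that the limit check sees is the live sessions plus the aged-but-not-yet-reclaimed ones. The arrival rate, session lifetime and polling interval are constructed values; the note says the real polling delay is random, so a fixed interval here stands in as a worst-case bound. With the constructed parameters the live session count never exceeds about 50, yet a limit of 100 rejects connections, while a limit of 200 does not, which matches the observed behaviour and the fix.

```python
from collections import deque


def simulate(limit, arrivals_per_tick, lifetime, poll_interval, ticks):
    """Lazy-decrement connection counter model (constructed, not the USG code).

    Each tick: expired sessions age out (counter NOT decremented), then the
    polling timer (every poll_interval ticks) reclaims aged sessions and
    decrements the counter, then new connection attempts are checked against
    the possibly stale counter.
    """
    live = deque()        # expiry tick of each live session, in arrival order
    aged_unpolled = 0     # sessions that aged out but await the poll timer
    counter = 0           # the per-class connection counter the limit checks
    rejected = 0
    peak_live = 0
    peak_counter = 0

    for t in range(ticks):
        # 1. sessions whose lifetime ended age out; counter stays unchanged
        while live and live[0] <= t:
            live.popleft()
            aged_unpolled += 1

        # 2. polling timer reclaims aged sessions and decrements the counter
        if t % poll_interval == 0:
            counter -= aged_unpolled
            aged_unpolled = 0

        # 3. new connections are admitted only if the stale counter is below the limit
        for _ in range(arrivals_per_tick):
            if counter >= limit:
                rejected += 1
            else:
                counter += 1
                live.append(t + lifetime)

        peak_live = max(peak_live, len(live))
        peak_counter = max(peak_counter, counter)

    return {"peak_live": peak_live, "peak_counter": peak_counter, "rejected": rejected}


def headroom_estimate(peak_live, arrivals_per_tick, poll_interval):
    """Lower bound on the conn-class limit needed so that live sessions plus the
    sessions that can age out between two polls never reach the limit."""
    return peak_live + arrivals_per_tick * poll_interval


if __name__ == "__main__":
    params = dict(arrivals_per_tick=5, lifetime=10, poll_interval=20, ticks=100)
    for limit in (100, 200):
        print(limit, simulate(limit=limit, **params))
    print("limit needed:", headroom_estimate(50, 5, 20))
```

The simulation reproduces the symptom: with the constructed parameters the counter reaches 100 while only about 50 sessions are live, so the 100-session class rejects connections until the next poll, whereas the 200-session class accepts everything. The `headroom_estimate` function gives the sizing rule the fix implies: the limit must cover the live sessions plus the connections that can age out between two polls.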