A USG3000 firewall at one site had the connection-count restriction function configured: the command firewall conn-class xxxx 1 100 created a connection class for a server in the DMZ zone, and the connection restriction policy was then applied in the DMZ zone. In actual use it was found that new user connections could not be established even though the number of user connections was far below 100.
1. Viewing the current session table showed only about 50 sessions for the server in question; newly initiated connections could not be established and no session entries were created for them.
2. After waiting for some time, new user connections were established again one after another, but the total number of sessions was still far below 100.
3. Confirmed with R&D: the cause is that on low-end firewalls a session that has reached its aging time is not removed from memory immediately; it is removed only when a timer polls the session table. When the poll reaches an aged session, the session is deleted from memory and the related count is decremented.
4. Taking into account the total number of users and the rate at which connections are established, and making sure that the number of newly established sessions and the number of aged sessions per interval are roughly the same, the limit in the conn-class was raised from 100 to 200. The session table was then observed to hold about 100 sessions.
Conclusion: when an old session has aged, the related session counter is not cleared immediately. On low-end firewalls an aged session is not removed from memory right away; it has to wait for the timer to poll the table, and the length of that wait is random.
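To make the mechanism in points 3 and 4 concrete, the following is an added example (not the firewall's code, and not from the original case note): a constructed discrete-time model of a per-class connection limiter whose aged sessions are reclaimed only when a periodic timer polls the table. The arrival rate, session lifetime and poll interval are assumed values chosen to reproduce the symptom: the counter hits the limit of 100 while fewer than 50 sessions are actually alive, and raising the limit to 200 removes the rejections.

```python
"""
Constructed model of a connection-count limiter with lazy session
reclamation. A session entry stays in the table (and stays counted)
after it has aged until the next timer poll removes it, which is the
behaviour described for the low-end USG firewall in this case.
All parameters below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SimResult:
    limit: int
    admitted: int
    rejected: int
    peak_counter: int                   # highest value the limiter's counter reached
    live_at_first_reject: Optional[int] # truly active sessions when the first reject happened


def simulate(limit: int, steps: int = 80, arrivals_per_step: int = 5,
             lifetime: int = 10, poll_interval: int = 20,
             eager: bool = False) -> SimResult:
    """Run the limiter for `steps` time units.

    limit            -- conn-class limit (the "100" or "200" of the case)
    arrivals_per_step-- new connection attempts per time unit
    lifetime         -- time units after which a session has aged
    poll_interval    -- how often the reclaim timer polls the table (lazy mode)
    eager            -- if True, aged sessions are removed immediately instead
    """
    table: List[int] = []   # creation times of session entries still counted
    admitted = rejected = peak = 0
    live_at_first_reject: Optional[int] = None

    for t in range(steps):
        # Reclaim aged entries: immediately (eager) or only on a poll tick (lazy).
        if eager or t % poll_interval == 0:
            table = [c for c in table if t - c < lifetime]

        for _ in range(arrivals_per_step):
            # The limiter compares its counter (table size) with the limit,
            # not the number of sessions that are really active.
            if len(table) < limit:
                table.append(t)
                admitted += 1
            else:
                rejected += 1
                if live_at_first_reject is None:
                    live_at_first_reject = sum(1 for c in table if t - c < lifetime)

        peak = max(peak, len(table))

    return SimResult(limit, admitted, rejected, peak, live_at_first_reject)


def effective_headroom(limit: int, arrivals_per_step: int, poll_interval: int) -> int:
    """Rough rule of thumb for the lazy limiter: between two polls nothing is
    freed, so up to arrivals_per_step * poll_interval entries can pile up
    on top of whatever the last poll left behind. A negative result means
    the configured limit is smaller than one poll interval's worth of
    arrivals and rejections are certain."""
    return limit - arrivals_per_step * poll_interval


if __name__ == "__main__":
    for label, kwargs in [("lazy, limit 100", dict(limit=100)),
                          ("lazy, limit 200", dict(limit=200)),
                          ("eager, limit 100", dict(limit=100, eager=True))]:
        r = simulate(**kwargs)
        print(f"{label:17s} admitted={r.admitted:3d} rejected={r.rejected:3d} "
              f"peak_counter={r.peak_counter:3d} live_at_first_reject={r.live_at_first_reject}")
    print("headroom at limit 100:", effective_headroom(100, 5, 20))
    print("headroom at limit 200:", effective_headroom(200, 5, 20))
```

With the assumed parameters, steady-state live sessions are 5 × 10 = 50, but the lazy counter climbs by 5 per step for the whole 20-step poll interval, so it reaches 100 while only about 45 sessions are really active, exactly the symptom of point 1. With the limit raised to 200 the counter peaks at 145 and nothing is rejected, which is the fix applied in point 4; the eager variant shows what an implementation that decrements the counter at aging time would do. The headroom helper is the sizing reasoning behind point 4: the limit has to cover the live sessions plus one poll interval's worth of arrivals.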