
E1000E Firewall business interrupted due to session table is full

Publication Date:  2015-12-31
Issue Description

As shown below, the OSS network mainly has a Radius server and the region's DNS server hanging off it. The services behind these servers cover Radius authentication for all Internet users and public DNS resolution for the region.

Alarm Information

E1000E service interruptions occurred three times within a month, each time recovering on its own. On March 27 the interruption lasted from 11:00 to 11:25; during the failure, traffic from the NE80E to the E1000E did not get through.

Handling Process

Checking the firewall logs showed nothing abnormal and no exception logs. The device in the live network is a Eudemon 1000E-U5 with a session specification of 2 million, and its session count stayed at around 1.5 million. At the business peak the session count can exceed the specification, at which point new sessions cannot be created and packets are dropped. The firewall's packet-loss counters do indeed show drops caused by session creation failures:

SessFailDisPkts,       13825253,      Session fail discard packets
SessFailDisOcts,       980837741,     Session fail discard bytes(Bytes)

At the same time, more than 90% of all sessions on the firewall were DNS sessions, as follows:

HRP_M[LS-CGQ-XJ-OSS-1.MAN.E1000E-hidecmd]d f s t
17:13:42  2013/03/27
Current total sessions : 1596443
 DNS  VPN: public -> public 20x.9y.224.68:53<--22x.1y.8.137:3244
 DNS  VPN: public -> public 20x.9y.224.69:53<--22x.1y.4.16:52079
 DNS  VPN: public -> public 20x.9y.224.70:53<--12x.3y.128.176:21272
 DNS  VPN: public -> public 20x.9y.224.68:53<--22x.1y.3.172:6417
 DNS  VPN: public -> public 20x.9y.224.68:53<--21x.15y.41.236:9145
 DNS  VPN: public -> public 20x.9y.224.70:53<--12x.3y.88.124:59395
 DNS  VPN: public -> public 20x.9y.224.68:26620-->12x.19y.255.147:53
 DNS  VPN: public -> public 20x.9y.224.69:53<--21x.15y.51.62:47660
 DNS  VPN: public -> public 20x.9y.224.68:53<--12x.3y.136.133:4260
 DNS  VPN: public -> public 20x.9y.224.68:53<--12x.3y.238.15:49966
 DNS  VPN: public -> public 20x.9y.224.70:53<--12x.3y.101.155:54227
 DNS  VPN: public -> public 20x.9y.224.68:53<--22x.1y.25.33:1537
 DNS  VPN: public -> public 20x.9y.224.70:53<--12x.3y.106.246:13651
 DNS  VPN: public -> public 20x.9y.224.70:53<--12x.3y.100.11:50814
 DNS  VPN: public -> public 20x.9y.224.69:53<--12x.3y.35.211:58890
 DNS  VPN: public -> public 20x.9y.224.69:53<--12x.3y.21.24:19784

The DNS session aging time is 240 seconds, but a DNS session generally consists of a single query and response with no further traffic afterwards, so these idle sessions hold a large share of the session table until they age out. Two examples of such sessions:

 DNS  VPN: public -> public
 Zone: untrust -> aidns  Tag: 0x2588  State: 0x58
 TTL: 00:04:00  Left: 00:03:14  Id: 2cd3b920  SlvId: 1f939f10
 Interface: G0/0/1.11  Nexthop: 20x.9y.224.68  MAC: 34-40-b5-a1-58-e0
 <-- packets:1 bytes:62   --> packets:1 bytes:234

 DNS  VPN: public -> public
 Zone: untrust -> aidns  Tag: 0x2588  State: 0x58
 TTL: 00:04:00  Left: 00:00:35  Id: 198da4b0  SlvId: 13d814c8
 Interface: G0/0/1.11  Nexthop: 20x.9y.224.69  MAC: 34-40-b5-a1-5a-c8
 <-- packets:1 bytes:66   --> packets:1 bytes:190


Root Cause

At peak time the number of sessions exceeded the firewall's session specification, so some services could not create sessions and their packets could not be forwarded, which caused the observed service impact.




Since more than 90% of the services in the current network are DNS, and a DNS session involves almost no packet exchange after the initial query and response, it is recommended to reduce the DNS session aging time to 30 seconds so that DNS sessions age out faster. The command to modify the DNS session aging time is:

firewall session aging-time dns 30
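The analysis above (DNS share of the session table, single-exchange sessions idling for up to 240 seconds, and the effect of a 30-second aging time) can be reproduced from the "d f s t" output. The following is an added example, not code from the original article or from the vendor; the sample session lines are constructed with RFC 5737 addresses in the layout shown above, and the capacity estimate assumes a steady state in which the number of live sessions scales with the aging time (Little's law).

```python
import re
from collections import Counter

# Constructed sample in the layout of the "d f s t" output above; not captured from the device.
SESSION_TABLE = """\
 DNS  VPN: public -> public 198.51.100.68:53<--203.0.113.137:3244
 DNS  VPN: public -> public 198.51.100.69:53<--203.0.113.16:52079
 DNS  VPN: public -> public 198.51.100.68:26620-->192.0.2.147:53
 DNS  VPN: public -> public 198.51.100.70:53<--203.0.113.176:21272
 HTTP  VPN: public -> public 198.51.100.10:80<--203.0.113.9:51000
"""

# Constructed verbose entry in the layout of the per-session output above.
SESSION_DETAIL = """\
 DNS  VPN: public -> public
 Zone: untrust -> aidns  Tag: 0x2588  State: 0x58
 TTL: 00:04:00  Left: 00:03:14  Id: 2cd3b920  SlvId: 1f939f10
 <-- packets:1 bytes:62   --> packets:1 bytes:234
"""

# protocol, VPN instances, first endpoint, direction arrow, second endpoint
SESSION_RE = re.compile(r"^\s*(\S+)\s+VPN:\s*(\S+)\s*->\s*(\S+)\s+(\S+?:\d+)(<--|-->)(\S+?:\d+)")

def parse_session_table(text):
    """Return one dict per session line with protocol, initiator (src) and responder (dst)."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        proto, _, _, left, arrow, right = m.groups()
        # "<--" means the session was initiated from the right-hand endpoint.
        src, dst = (right, left) if arrow == "<--" else (left, right)
        sessions.append({"proto": proto, "src": src, "dst": dst})
    return sessions

def protocol_share(sessions):
    """Fraction of the table held by each protocol, e.g. {"DNS": 0.8, "HTTP": 0.2}."""
    if not sessions:
        return {}
    counts = Counter(s["proto"] for s in sessions)
    return {p: n / len(sessions) for p, n in counts.items()}

def is_single_exchange(detail):
    """True when a verbose entry shows at most one packet each way: a finished
    query/response that only idles in the table until its TTL runs out."""
    pkts = [int(n) for n in re.findall(r"packets:(\d+)", detail)]
    return bool(pkts) and all(n <= 1 for n in pkts)

def estimate_steady_sessions(total, dns_share, old_age, new_age):
    """Assumed Little's-law estimate: live sessions = arrival rate * aging time,
    so only the DNS portion shrinks when the DNS timer is lowered."""
    dns = total * dns_share
    return round((total - dns) + dns * new_age / old_age)
```

With the article's figures (about 1.5 million sessions, 90% DNS, 240 s lowered to 30 s) the estimate drops to roughly 319 thousand, well inside the 2 million specification.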