SRX Services Gateway
Visitor
gnarvaez
Posts: 6
Registered: 11-14-2011

Limit concurrent sessions

Hi,


I'm trying to limit the UDP sessions because the box has reached its session limit. I'm trying this:

# show security screen ids-option limitacion
limit-session {
    source-ip-based 30;
}

# show security zones security-zone pool_190
screen limitacion;
host-inbound-traffic {
    system-services {
        ssh;
    }
}
interfaces {
    ge-2/0/3.0;
}


and I also tried this ids-option:


# show security screen ids-option umbral_udp
udp {
    flood threshold 500;
}


but nothing happens.

What can I do?!


Thanks.


Contributor
Ahriakin
Posts: 30
Registered: 05-29-2011

Re: Limit concurrent sessions

Are you sure the limits actually match your root issue? Basically, are you dealing with just a few high-connection-count users (in which case this limit can be quite effective, if set low enough) or just the result of an across-the-board increase in usage (in which case it won't)? When you view the screen stats, are you seeing many/any hits? If not, set the screen to 'alarm-without-drop' and start decreasing the thresholds aggressively, then check your screen options and syslogs for hits. Investigate the hits you do have (the syslog will include the source IP) and see if it really is legitimate, and therefore your limit should be raised, or just someone using P2P, in which case hard luck... When you hit a good balancing point, remove the 'alarm-without-drop' option.

Also, have you tried lowering the connection timeouts? You may be dealing with a lot of short-lived connections that you can reap more aggressively (you can do this on an application basis if you have concerns about any particular traffic).

Visitor
gnarvaez
Posts: 6
Registered: 11-14-2011

Re: Limit concurrent sessions

Are you sure the limits actually match your root issue? Basically, are you dealing with just a few high-connection-count users (in which case this limit can be quite effective, if set low enough) or just the result of an across-the-board increase in usage (in which case it won't)?

We have 7000 users on an HFC network using our SRX650, and that is just a third of the total users.

When you view the screen stats, are you seeing many/any hits?

# run show security flow session summary
Unicast-sessions: 508515
Multicast-sessions: 0
Failed-sessions: 419821779
Sessions-in-use: 523964
  Valid sessions: 508517
  Pending sessions: 1
  Invalidated sessions: 15446
  Sessions in other states: 0
Maximum-sessions: 524288

If not, set the screen to 'alarm-without-drop' and start decreasing the thresholds aggressively, then check your screen options and syslogs for hits. Investigate the hits you do have (the syslog will include the source IP) and see if it really is legitimate, and therefore your limit should be raised, or just someone using P2P, in which case hard luck... When you hit a good balancing point, remove the 'alarm-without-drop' option.

Also, have you tried lowering the connection timeouts? You may be dealing with a lot of short-lived connections that you can reap more aggressively (you can do this on an application basis if you have concerns about any particular traffic).

I don't have concerns about any particular traffic.
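The session summary posted above shows the table within a few hundred entries of Maximum-sessions. As an added example (not from this thread or from Juniper), here is a small monitoring check that parses that `show security flow session summary` output and classifies table utilisation so exhaustion is caught before sessions start failing; the warn/crit percentages are assumed thresholds.

```python
"""Parse 'show security flow session summary' output and flag session-table
exhaustion. Added example, not from the thread; the sample below is the
output gnarvaez posted."""
import re

# Sample input, copied from the post above (constructed for this example).
SAMPLE_SUMMARY = """\
Unicast-sessions: 508515
Multicast-sessions: 0
Failed-sessions: 419821779
Sessions-in-use: 523964
  Valid sessions: 508517
  Pending sessions: 1
  Invalidated sessions: 15446
  Sessions in other states: 0
Maximum-sessions: 524288
"""


def parse_session_summary(text):
    """Return a dict of counter name -> int for each 'Name: value' line."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*?):\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def session_table_status(counters, warn_pct=80.0, crit_pct=95.0):
    """Classify utilisation. Sessions-in-use covers the whole table, including
    invalidated entries not yet reaped, so it is the numerator that matters."""
    in_use = counters["Sessions-in-use"]
    maximum = counters["Maximum-sessions"]
    pct = 100.0 * in_use / maximum
    if pct >= crit_pct:
        level = "CRITICAL"
    elif pct >= warn_pct:
        level = "WARNING"
    else:
        level = "OK"
    return {
        "utilisation_pct": round(pct, 2),
        "headroom": maximum - in_use,
        "invalidated": counters.get("Invalidated sessions", 0),
        "failed": counters.get("Failed-sessions", 0),
        "level": level,
    }


if __name__ == "__main__":
    print(session_table_status(parse_session_summary(SAMPLE_SUMMARY)))
```

A large Failed-sessions counter alongside near-100% utilisation means new flows are already being refused, which is the symptom the original post describes.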
