topic Re: R80.40 (Take 89) Gateway Session Count Issue in Firewall and Security Management

R80.40 (Take 89) Gateway Session Count Issue

Young_Wook_Choi — Tue, 29 Dec 2020 02:24:49 GMT

Hi,

I recently upgraded the gateway.
(R80.10 to R80.40 with HFA 89)

The management server of this gateway is version R80.20.
(The R80.20 management server can manage the R80.40 gateway.)

There are issues after upgrade.

1. The count of sessions has been increased.
In almost the same traffic environment, the number of counts has increased compared to the previous version (R80.10).

If I type the command "cpstat -f policy fw | grep conn" 10 times at 1 second intervals it keeps the same count. (This should be changed in real time.) But if I type CPview or "fw tab -t connections -s" command, it changes in real time.

Global setting of Session Timeout is the same as before. (R80.10)

Are there any changes to the mechanism for counting sessions in R80.40?

2. The fw_full process is too busy.

The gateway model is the CPAP 23800 model.
1) 1.5 ~ 2 Gbps
2) 2,500 ~ 3,000 CPS
3) 200,000 ~ 250,000 PPS
4) 250,000 ~ 300,000 Sessions

The fw_full process shows 100% usage every 10-20 seconds.
This gateway uses IPS and FW blades.

Re: R80.40 (Take 89) Gateway Session Count Issue

G_W_Albrecht — Tue, 29 Dec 2020 09:23:26 GMT

Apart from the different counts, what is the current issue - is the total load on GW higher now as before ? Is traffic dropped ?

Re: R80.40 (Take 89) Gateway Session Count Issue

Young_Wook_Choi — Tue, 29 Dec 2020 09:35:09 GMT

I have found the cause of this issue.

In R80.10 version, "Timeout setting" is properly applied and working.
(Global Properties "Stateful Inspection" setting)

However, in R80.40 this setting does not work properly.
Therefore, the gateway has many session tables.

HFA 91 (Ongoing) reported that the following issues were resolved.

Below is the setting in R80.40 and the session table timeout.

Re: R80.40 (Take 89) Gateway Session Count Issue

Young_Wook_Choi — Tue, 29 Dec 2020 10:29:49 GMT

There is nothing other than the issue of storing a lot of session tables.
There is no problem with the service.

Re: R80.40 (Take 89) Gateway Session Count Issue

Young_Wook_Choi — Wed, 30 Dec 2020 01:32:42 GMT

I installed the R80.40 HFA Take91.
However, the timeout setting value of the "Stateful Inspection" setting is not applied.

The timeout of BOTH_FIN is different for each session, not 3600.
SRC_FIN or DST_FIN is the same symptom.

They are not all the same as in versions prior to R80.10.
(It is not the same as the setting value of "Stateful Inspection".)

I did see sk110672 that when SecureXL works, it adds 5 seconds.

Is there any change in the session timeout mechanism of the connection table in R80.40?