Young_Wook_Choi
Contributor

R80.40 (Take 89) Gateway Session Count Issue

Hi,

I recently upgraded the gateway.
(R80.10 to R80.40 with HFA 89)

The management server of this gateway is version R80.20.
(The R80.20 management server can manage the R80.40 gateway.)

There are issues after the upgrade.

1. The count of sessions has increased.
In almost the same traffic environment, the count has increased compared to the previous version (R80.10).

If I type the command "cpstat -f policy fw | grep conn" 10 times at 1-second intervals, it keeps the same count. (This should change in real time.) But if I type the CPview or "fw tab -t connections -s" command, it changes in real time.

Global setting of Session Timeout is the same as before. (R80.10)

Are there any changes to the mechanism for counting sessions in R80.40?

2. The fw_full process is too busy.

The gateway model is the CPAP 23800 model.
1) 1.5 ~ 2 Gbps
2) 2,500 ~ 3,000 CPS
3) 200,000 ~ 250,000 PPS
4) 250,000 ~ 300,000 Sessions

The fw_full process shows 100% usage every 10-20 seconds.
This gateway uses IPS and FW blades.

4 Replies
G_W_Albrecht
Legend

Apart from the different counts, what is the current issue? Is the total load on the GW higher now than before? Is traffic dropped?

Young_Wook_Choi
Contributor

There is nothing other than the issue of storing a lot of session tables.
There is no problem with the service.

Young_Wook_Choi
Contributor

I have found the cause of this issue.

In the R80.10 version, the "Timeout setting" is properly applied and working.
(Global Properties "Stateful Inspection" setting)

However, in R80.40 this setting does not work properly.
Therefore, the gateway has many session tables.

HFA 91 (Ongoing) reported that the following issues were resolved.

[Screenshots: 1.jpg to 6.jpg]

Below is the setting in R80.40 and the session table timeout. 

[Screenshots: 11.jpg to 15.jpg]

Young_Wook_Choi
Contributor

I installed the R80.40 HFA Take91.
However, the timeout setting value of the "Stateful Inspection" setting is not applied.

The timeout of BOTH_FIN is different for each session, not 3600.
SRC_FIN or DST_FIN is the same symptom.

They are not all the same as in versions prior to R80.10.
(It is not the same as the setting value of "Stateful Inspection".)

I did see in sk110672 that when SecureXL works, it adds 5 seconds.

Is there any change in the session timeout mechanism of the connection table in R80.40?

[Screenshots: 21.jpg, 22.jpg]
