[Nebula] What should I check besides raising session limit when I keep reaching the session limit?

Zyxel_James Posts: 663  Zyxel Employee

Question:
I keep reaching the maximum session limit. Besides raising the session limit value, what else should I check?

Answer:
By default, the session limit per host is 1000, and sometimes we may see event logs like "Maximum sessions per host(1000)". When this happens, the PC host may experience a service outage because its sessions are dropped. To avoid this situation, we can raise the value of the session limit, or set it to 0, which means unlimited.

However, it is better to check the network traffic to identify the root cause of the high session usage; it could be a brute-force attack or a Denial of Service attack.
Investigate the active sessions to identify which IP addresses or services are consuming the most sessions, so that you can determine which host or application service may be abnormal.

  1. Connect to the firewall using the console port or the SSH protocol.
  2. Enter the following CLI commands to check which source, destination, and service have the most sessions:
    show conn ip-traffic source
    show conn ip-traffic destination
    show conn service any

If a local host generates a great number of sessions, check whether it is running torrent downloads, is infected with viruses (trojans), or is affected by rogue devices and malware. In these cases, many active network sessions are created on the computer.

If it's an external source, it could be a DoS (Denial of Service) attack, and you can implement IPS to detect the attacks.

Moreover, the CLI command "debug system show conntrack" shows the details of all active sessions; it can help you identify and mitigate the root cause of the firewall reaching its maximum session limit.
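The ranking the steps above ask for (which source, destination and service hold the most sessions, and whether a top talker is a local host or an external source) can be done offline once the session table has been exported. The script below is an added example and is not Zyxel code; it does not read the real output format of "show conn" or "debug system show conntrack". It builds a constructed session table with three patterns that mirror the post (one LAN host fanning out to many torrent peers, a normal HTTPS client, and one external address opening many inbound connections), ranks the table, and flags any host at or above 80% of the default 1000-session limit. The LAN prefix 192.168.1.0/24 and the simple "proto src sport dst dport" line format accepted by parse_sessions are assumptions for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Zyxel default per-host session limit quoted in the post.
SESSION_LIMIT_PER_HOST = 1000
# Assumed LAN range used to tell a local host from an external source.
LAN_PREFIX = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Session:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def build_sample():
    """Constructed session table (not real firewall output).

    - 192.168.1.20 holds 850 TCP sessions to many peers on port 6881
      (torrent-like fan-out from a single LAN host).
    - 192.168.1.30 holds 30 ordinary HTTPS sessions.
    - 198.51.100.7 (external) holds 120 inbound sessions to the
      firewall's SSH port (DoS-/brute-force-like pattern).
    """
    sessions = []
    for i in range(850):
        sessions.append(Session("tcp", "192.168.1.20", 40000 + i,
                                f"203.0.113.{i % 250 + 1}", 6881))
    for i in range(30):
        sessions.append(Session("tcp", "192.168.1.30", 50000 + i,
                                "203.0.113.10", 443))
    for i in range(120):
        sessions.append(Session("tcp", "198.51.100.7", 30000 + i,
                                "192.0.2.1", 22))
    return sessions


def parse_sessions(text):
    """Parse whitespace-separated 'proto src sport dst dport' lines.

    This is an assumed export format, not the firewall's native one.
    """
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport = line.split()
        sessions.append(Session(proto.lower(), src, int(sport), dst, int(dport)))
    return sessions


def top_sources(sessions, n=5):
    """Source IPs holding the most sessions (like 'show conn ip-traffic source')."""
    return Counter(s.src for s in sessions).most_common(n)


def top_destinations(sessions, n=5):
    """Destination IPs receiving the most sessions."""
    return Counter(s.dst for s in sessions).most_common(n)


def top_services(sessions, n=5):
    """Services (protocol/destination port) with the most sessions."""
    return Counter(f"{s.proto}/{s.dport}" for s in sessions).most_common(n)


def hosts_near_limit(sessions, limit=SESSION_LIMIT_PER_HOST, warn_ratio=0.8):
    """Hosts whose session count is at or above warn_ratio * limit."""
    counts = Counter(s.src for s in sessions)
    return {ip: c for ip, c in counts.items() if c >= limit * warn_ratio}


def classify_source(ip):
    """'local' if the address is inside the assumed LAN prefix, else 'external'."""
    return "local" if ipaddress.ip_address(ip) in LAN_PREFIX else "external"


def report(sessions):
    """Human-readable summary of the rankings and the near-limit check."""
    lines = [f"total active sessions: {len(sessions)}", "top sources:"]
    for ip, count in top_sources(sessions):
        lines.append(f"  {ip:<16} {count:>5}  ({classify_source(ip)})")
    lines.append("top destinations:")
    for ip, count in top_destinations(sessions):
        lines.append(f"  {ip:<16} {count:>5}")
    lines.append("top services:")
    for svc, count in top_services(sessions):
        lines.append(f"  {svc:<16} {count:>5}")
    for ip, count in hosts_near_limit(sessions).items():
        lines.append(f"WARNING: {ip} has {count} sessions, "
                     f"near the per-host limit of {SESSION_LIMIT_PER_HOST}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample()))
```

In the constructed table the report ranks 192.168.1.20 first with 850 sessions and marks it "local", which points at the torrent/malware checks in the post; 198.51.100.7 appears as an "external" source concentrated on a single service (tcp/22), which is the pattern where the post suggests enabling IPS. The warning line fires for 192.168.1.20 because 850 is above 80% of the default limit, giving a trigger for investigation before the "Maximum sessions per host(1000)" event is logged.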