USG60 firmware v4.39 session count increasing every day - bug?

WvandeHoef
WvandeHoef Posts: 22  Freshman Member
First Comment Fourth Anniversary
edited April 2021 in Security
Over the last week I had users complaining they could connect to the network, but not to the internet. Checking the USG log I saw a lot of Session Limit messages stating the session count was exceeded. Looking at the current session by IP I was not able to pinpoint this at a specific machine.

I had UDP Session time at 60 sec and sessions limit by host at 2000. 

To test I increased the sessions limit by host to 3000 and reduced the UDP Session timeout to 30s. After this the users could connect again, until yesterday when the same issue was back. I now set the session limit to 0 until I have found what is the issue.

When checking the conntrack on the console I do not see that many sessions.

No new machines have connected to our network over the last month. I have disconnected the machines with the maximum sessions in the sessions by host overview to see if the number of active sessions reduced, but this was not the case.

As there have not been huge changes I am now at the point to go back to firmware v4.38 to see if that solves my issue, as in v4.35 and v4.38 we did not have this issue.

Find below the graphs with increasing session count over time by firmware version.

Firmware v4.35



Firmware v4.38 loaded June 8th, 2020



Firmware v4.39 loaded August 30th, 2020








Current system info:



Current session overview


Current Conntrack attached

If there is a way to see why the session count is so high and what process/service/IP is causing this, please let me know and I will update this thread.

Regards,
Wouter

Comments

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @WvandeHoef,

    Is SSO enabled on this USG60?

    Could you give us the remote access of this USG60 to check the session usage in private message?

  • WvandeHoef
    WvandeHoef Posts: 22  Freshman Member
    First Comment Fourth Anniversary
    Hi Emily,

    No, SSO is not used. I will send you the details in a private message.
  • AdilsonBernert
    AdilsonBernert Posts: 4  Freshman Member
    First Comment Third Anniversary
    I have exactly  the same issue regarding this indicator ....

    any news about that ?
  • WvandeHoef
    WvandeHoef Posts: 22  Freshman Member
    First Comment Fourth Anniversary
    It is confrmed to be an v4.39 issue and once I switched back to v4.38 the session count is stable again.
  • IT_Field_Support
    IT_Field_Support Posts: 97  Ally Member
    First Comment Friend Collector Fifth Anniversary
    edited October 2020
    same problem on 4.39 with USG40w.




  • PeterUK
    PeterUK Posts: 3,399  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    The  4.39WK38 does not have this issue
    Weekly Firmware / Support Version / Lab Version — Zyxel
     
  • kelmi
    kelmi Posts: 29  Freshman Member
    First Comment Friend Collector Sixth Anniversary
    edited October 2020
    I have the same issue with USG40.
    Firmware, what I have is: 4.39(AALA.0) 2020-07-31 07:54:31.

     After 27 days of uptime, Session Usage- counter shows now more than 17 000 sessions.

    Pretty impressive amount for two laptops, two iPhones, iPad, two smartTVs and for a couple of WiFi enabled household devices.

     Monitor->System Status->Session Monitor shows:
    - 9 active devices
    - Some 50 sessions

     No torrents, etc P2P apps are used. Both IDP and Content Filter 2.0 licenses have been activated.
     
    When I use command "debug system show conntrack" it shows mostly DNS sessions.

     My 5 cents out of this:

     I have made a NAT setting for DNS queries coming from my lan1 to USG40.
     - Incoming Interface: lan1
    - Source IP: any
    - External IP: any
    - Internal IP: User Defined
    - User defined Internal IP: 10.0.1.1 (my USG40 address)
    - Port mapping type: port
    - Protocol type: any
    - External port: 53
    - Internal port: 53

    And I have DNS Domain Zone Forwarder to Public DNS Server 1.1.1.1

    Could it be that somehow the Session Usage- counter is not removing the redirected DNS sessions? Behavior was not the same with 4.38 and earlier firmware versions

     Kelmi
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @kelmi,
    You can follow the suggestion from @PeterUK to upgrade USG40 to 4.39WK38. 
    Weekly Firmware / Support Version / Lab Version

    If the session usage is still high after firmware upgrade, send the remote access of your USG40 to me in private for further analysis.
  • kelmi
    kelmi Posts: 29  Freshman Member
    First Comment Friend Collector Sixth Anniversary
    edited October 2020
    Hi @kelmi,
    You can follow the suggestion from @PeterUK to upgrade USG40 to 4.39WK38. 
    Weekly Firmware / Support Version / Lab Version

    If the session usage is still high after firmware upgrade, send the remote access of your USG40 to me in private for further analysis.
    Unfortunately, my company policy does not allow any other firmware installation, except an officially released one. 

    I believe I'm not the only one to have a kind of status update from Zyxel side, how do you see the issue and when to expect an official fix for the topic? In my case, the session counter is now in 22000 (for 10 machines or so) and increasing. Meaning in two months uptime, a reboot is needed, which is a topic of its own from company policy point of view.

    Kelmi

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @kelmi,
    The fix is also merged to the upcoming official release 4.60.
    It will be released in early November 2020.

Security Highlight