Session limit causes loss of connectivity to web interface?

Hello,

We have 2 ATP500s in HA configuration. This morning we had a widespread DNS outage on the client workstations. The local DNS servers on the network were functional, so I went to check ATP logs, but the login screen failed to load. I did not think to try another connection method such as SSH or telnet.

We turned off the active router which triggered a fail-over event, and then I was able to immediately log in to the other router. The syslog was full of session limit errors for our secondary DNS server. I set the session limit to 0 for that server to fix that problem. Our primary DNS server already had an entry for session limit 0.

I turned the primary router back on, allowed time to finish the HA sync, and failed the router back over by pulling the WAN cable. Now the router is serving up the login page properly.

I think what triggered this was I rebooted all servers Friday night for updates, and the primary DNS server was down for quite some time. I suppose the secondary was sending in a flood of requests this morning resulting in the session blocking.

But, why would active session blocking against one host cause the inability to connect to the management interface via IP?

Thank you,


All Replies

  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    Hi @mattb
    Are you asking why the host (which hits the session limit value) cannot connect to the device management interface?
    If so, once the host hits the session limit, not only the traffic going outside but also traffic accessing the device GUI will be limited.
  • USG_User
    USG_User Posts: 369  Master Member
    You should check your host. If the session limit is reached, normally something is wrong with your host.
    Days ago we experienced slow network connections or the loss of network traffic for all 4 of our programmers' hosts while all other machines of the company, which reside in the same network segment, were still able to communicate. It turned out that the programmers had implemented a faulty time server query in their software project where the time server was polled so often per minute that the session limit at the USG was exceeded for those 4 machines.
  • mattb
    mattb Posts: 5

    Hi Vic, it would make sense that the blocked host couldn't connect, but the web interface would not load from two other workstations that we tried.

    Zyxel_Vic said:
    Hi @mattb
    Are you asking why the host (which hits the session limit value) cannot connect to the device management interface?
    If so, once the host hits the session limit, not only the traffic going outside but also traffic accessing the device GUI will be limited.


  • mattb
    mattb Posts: 5

    Thank you,

    Yes, in this case the blocked host was a secondary domain controller. I also had to remove the session limits for our primary DC several months ago. They are both DNS servers, so when they come back online after being turned off I presume they want to update their local DNS cache and send a massive number of external requests. Normally they stay under the session limits.

    It's just odd that it only affected the web interface of one of the HA routers even though they are mirrored.

    USG_User said:
    You should check your host. If the session limit is reached, normally something is wrong with your host.
    Days ago we experienced slow network connections or the loss of network traffic for all 4 of our programmers' hosts while all other machines of the company, which reside in the same network segment, were still able to communicate. It turned out that the programmers had implemented a faulty time server query in their software project where the time server was polled so often per minute that the session limit at the USG was exceeded for those 4 machines.





  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    Hi @mattb
    When a host hits the session limit, other hosts' access to the device GUI should not be affected. So we think your symptom is not related to the session limit but more likely to something else. Does this symptom still exist, or is it back to normal right now?
  • mattb
    mattb Posts: 5
    Hi Vic,

    It's been normal since we rebooted the router. Thank you
