5 Replies Latest reply on Feb 20, 2013 1:36 PM by noor

    Firewall: Maximum number of associations reached

    cburgamy New Member

      Just reviewed events and I am seeing quite a few of these:

      2012.03.02 10:00:12 FIREWALL id=firewall time="2012-03-02 10:00:12" fw=fsnb-mpls-access pri=5 proto=8080/tcp src=      dst=    msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 1783 Dst 8080 from ghost policy-class" agent=AdFirewall

      And we are losing connections.

      Policy-class "ghost":

        32573 current sessions (33300 max)

        Discards/Allows/NAT: 1019384/524143322/0

        Entry 1 - allow list MATCHALL stateless

          1142130940 initiator bytes, 1762128917 responder bytes, 524143322 hits

      How do I fix this without having to reboot the router or kicking everyone off by removing the policy, or will removing the policy allow everyone to stay connected?

        • Re: Firewall: Maximum number of associations reached
          levi Employee

          Thank you for asking this question.

          Depending on the ADTRAN product and firmware version, you can increase the maximum number of sessions with the command ip policy-class <ipv4 acp name> max-sessions <number>.  The value must be within the appropriate range limits. The limits depend on the type of AOS device being used. Setting this value to 0 restores the default setting.

          Use the policy-class max-sessions <number> command to specify the maximum number of allowed policy sessions in the AOS product for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) combined. This command sets the maximum session limit for ALL access control policies (ACPs) on the AOS unit.  When setting the max-sessions for all IPv4 ACPs, this default is determined at boot time based on the amount of memory available. For a named IPv4 ACP, this default is one-third of the total number of allowed ACP sessions.

          By default, the maximum IPv4 and IPv6 ACP sessions allowed are based on the amount of RAM in the AOS unit. The following table outlines the default values based on RAM:

          RAM Amount   Default Max Sessions
          64 MB        10000
          128 MB       30000
          256 MB       80000
          512 MB       200000
          768 MB       300000
          1 GB         450000

          I hope that makes sense, but please do not hesitate to reply to this post with additional questions.  I will be happy to help in any way I can.

          Levi
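The event line and policy-class status quoted in the question, fed through a small log check that counts association drops per policy-class and source host and flags a session table that is near its max (an added Python example, not from ADTRAN or from this thread; the sample lines, the src/dst addresses and the 90% warning threshold are constructed for illustration):

```python
import re
from collections import Counter
# Constructed sample lines modelled on the AOS firewall event quoted in the
# question; src/dst addresses are placeholders, not values from the post.
SAMPLE_LOG = """\
2012.03.02 10:00:12 FIREWALL id=firewall time="2012-03-02 10:00:12" fw=fsnb-mpls-access pri=5 proto=8080/tcp src=10.0.0.5 dst=203.0.113.9 msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 1783 Dst 8080 from ghost policy-class" agent=AdFirewall
2012.03.02 10:00:13 FIREWALL id=firewall time="2012-03-02 10:00:13" fw=fsnb-mpls-access pri=5 proto=443/tcp src=10.0.0.5 dst=203.0.113.9 msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 51002 Dst 443 from ghost policy-class" agent=AdFirewall
2012.03.02 10:00:14 FIREWALL id=firewall time="2012-03-02 10:00:14" fw=fsnb-mpls-access pri=5 proto=80/tcp src=10.0.0.9 dst=203.0.113.9 msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 40110 Dst 80 from ghost policy-class" agent=AdFirewall
2012.03.02 10:00:15 FIREWALL id=firewall time="2012-03-02 10:00:15" fw=fsnb-mpls-access pri=6 proto=53/udp src=10.0.0.5 dst=203.0.113.53 msg="Allowed packet" agent=AdFirewall
"""
# Policy-class status lines as quoted in the question.
SAMPLE_STATUS = """\
Policy-class "ghost":
  32573 current sessions (33300 max)
  Discards/Allows/NAT: 1019384/524143322/0
"""
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')  # key="quoted value" or key=bare
ASSOC_RE = re.compile(r"Maximum number of associations reached on (\S+) policy-class")
SESS_RE = re.compile(r'Policy-class "([^"]+)":\s+(\d+) current sessions \((\d+) max\)')

def parse_event(line):
    """Split one AOS firewall syslog line into its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def association_drops(log_text):
    """Count 'maximum associations reached' drops keyed by (policy-class, source host)."""
    drops = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        m = ASSOC_RE.search(ev.get("msg", ""))
        if m:
            drops[(m.group(1), ev.get("src") or "?")] += 1
    return drops
def session_utilization(status_text):
    """Map policy-class name -> current/max session ratio from the status output."""
    return {name: int(cur) / int(mx) for name, cur, mx in SESS_RE.findall(status_text)}
def findings(log_text, status_text, warn_ratio=0.90):
    """Alerts: session tables near their max, then drop counts by class and source."""
    out = []
    for name, ratio in session_utilization(status_text).items():
        if ratio >= warn_ratio:
            out.append(f"policy-class {name} session table at {ratio:.1%} of max")
    for (cls, src), n in association_drops(log_text).most_common():
        out.append(f"{n} association drop(s) on {cls} from {src}")
    return out
```

The per-source counts are the starting point for the check Levi mentions later in the thread: if drops continue after max-sessions is raised, the hosts at the top of that list are the ones to look at.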

            • Re: Firewall: Maximum number of associations reached
              cburgamy New Member

              With our current setup at 256MB, and the policy maxed out at 33300, can this cause connectivity issues? Can we increase the memory to allow more sessions?

                • Re: Firewall: Maximum number of associations reached
                  levi Employee

                  Yes, if you are reaching the maximum number of associations, it can cause connectivity issues.  If your ADTRAN unit has 256 MB of RAM, then you can increase the max-sessions with the command listed previously (ip policy-class <ipv4 acp name> max-sessions <number>) to up to 80,000, as outlined in the table above.  However, if after increasing the max-sessions, you are still reaching the maximum number of associations, then you may want to investigate your internal network for malicious hosts.

                  Levi

                    • Re: Firewall: Maximum number of associations reached
                      levi Employee

                      I marked this question as "assumed answered," but please do not hesitate to reply to this post with additional questions on this topic.  I will be happy to help in any way I can.

                      Levi

                        • Re: Firewall: Maximum number of associations reached
                          Employee

                          I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                          Thanks,

                          Noor