8 Replies Latest reply on Dec 2, 2014 11:38 AM by jgoldberg

    Netvanta 1224R

    tommyrogers New Member

      After several years in service I have recently had a 1224R start acting up and I am getting this in the event logs.

      "Maximum number of global associations reached, dropping packet from Public policy-class"

       

      I don't think there is any virus activity and I have read the post about increasing the "IP POLICY-CLASS MAX-SESSIONS". I set it to the maximum and I am still getting these errors. Can someone explain what causes the error?

       

      Thanks

      Tommy

        • Re: Netvanta 1224R
          jayh Hall_of_Fame

          It's possibly some virus but perhaps not on your network. The box keeps track of state when a flow traverses the firewall. Normally this is a short-duration event. You send an email or visit a web page, the other side accepts the connection, data is passed, and the connection closes. An open SSH or telnet session will hold an association for the duration of the session.

           

          If a connection is started but doesn't complete, then a timer starts running. The association is reserved for the duration of the timer. Virus activity or port scans can cause multiple half-open sessions, which will hold these sessions until the timer runs out.

           

          show ip policy-sessions would be a good place to start. Look for numerous incomplete sessions of port ranges or IP ranges in sequence; this may point you to the culprit.

            • Re: Netvanta 1224R
              tommyrogers New Member

              Below is the output of "show ip policy-sessions", as you can see there are not that many sessions open.

               

              show ip policy-sess

               

              Protocol (TTL) [in crypto map] -> [out crypto map] Destination policy-class

                Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port

                --------------- -------- --------------- -------- ----------------- --------

               

              Policy class "Private":

              tcp (565) -> Public

                192.168.20.7    58086    162.220.220.77  5938     s 70.46.202.2     57291

              tcp (565) -> Public

                192.168.20.61   58274    108.59.5.74     5938     s 70.46.202.2     16473

              tcp (565) -> Public

                192.168.20.147  59811    74.125.21.101   443      s 70.46.202.2     30606

              tcp (593) -> Public

                192.168.20.147  59665    74.125.21.113   443      s 70.46.202.2     30535

              tcp (593) -> Public

                192.168.20.147  59813    74.125.21.113   443      s 70.46.202.2     30607

              tcp (551) -> Public

                192.168.20.147  63863    108.160.163.102 80       s 70.46.202.2     8787

              tcp (4) -> Public

                192.168.20.147  59808    173.194.37.54   443      s 70.46.202.2     30602

              tcp (4) -> Public

                192.168.20.147  59809    173.194.37.54   443      s 70.46.202.2     30603

              tcp (565) -> Public

                192.168.20.154  45158    15.201.145.51   5223     s 70.46.202.2     25453

               

              Policy class "Public":

              tcp (600) -> self

                74.113.156.28   42874    70.46.202.2     2300

              icmp (46) -> self

                74.113.235.21   4457     70.46.202.2     4457

               

              Policy class "self":

               

              Policy class "default":

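An added example, not part of the thread and not ADTRAN code: a Python script that parses the column layout of the "show ip policy-sessions" output posted above and summarises sessions per source host, flagging hosts whose flows walk sequential destination ports or sequential destination addresses, which is the pattern jayh suggested looking for. The sample text reuses the header and a few entries from the posted output and appends constructed scan-like entries using RFC 5737 addresses; the thresholds in flag_scans are assumptions for that sample, not AOS defaults. The posted output carries no session-state column, so the script cannot tell half-open from established flows; it keys on volume and sequence only.

```python
"""Summarise AOS `show ip policy-sessions` output per source host.

Added example, not from the thread or from ADTRAN. It parses the column
layout posted in this thread and flags hosts whose sessions walk sequential
destination ports or sequential destination addresses.
"""
import ipaddress
import re
from collections import defaultdict

# Header and a few entries copied from the posted output.
THREAD_LINES = """\
Protocol (TTL) [in crypto map] -> [out crypto map] Destination policy-class
  Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port
  --------------- -------- --------------- -------- ----------------- --------

Policy class "Private":
tcp (565) -> Public
  192.168.20.7    58086    162.220.220.77  5938     s 70.46.202.2     57291
tcp (565) -> Public
  192.168.20.147  59811    74.125.21.101   443      s 70.46.202.2     30606
tcp (4) -> Public
  192.168.20.147  59808    173.194.37.54   443      s 70.46.202.2     30602
"""
# Constructed: one LAN host walking ports 20-31 on a single external host.
PORT_SCAN = "".join(
    f"tcp (590) -> Public\n  192.168.20.99   {40000 + i:<8} 203.0.113.10    "
    f"{20 + i:<8} s 70.46.202.2     {50000 + i}\n"
    for i in range(12)
)
# Constructed: one LAN host hitting port 445 on eight consecutive addresses.
IP_SWEEP = "".join(
    f"tcp (590) -> Public\n  192.168.20.200  {41000 + i:<8} 203.0.113.{20 + i:<4} "
    f"445      s 70.46.202.2     {51000 + i}\n"
    for i in range(8)
)
TAIL = """
Policy class "Public":
tcp (600) -> self
  74.113.156.28   42874    70.46.202.2     2300
icmp (46) -> self
  74.113.235.21   4457     70.46.202.2     4457

Policy class "self":

Policy class "default":
"""
SAMPLE = THREAD_LINES + PORT_SCAN + IP_SWEEP + TAIL

CLASS_RE = re.compile(r'^Policy class "([^"]+)":')
# "tcp (565) -> Public"; the bracketed crypto-map tokens in the header are optional.
HDR_RE = re.compile(
    r"^(?P<proto>\w+)\s+\((?P<ttl>\d+)\)\s+(?:\[[^\]]*\]\s+)?->\s+(?:\[[^\]]*\]\s+)?(?P<dst_class>\S+)\s*$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Address line; the trailing "s <ip> <port>" NAT columns are absent for Public -> self flows.
ADDR_RE = re.compile(
    rf"^\s*(?P<src_ip>{IPV4})\s+(?P<src_port>\d+)\s+(?P<dst_ip>{IPV4})\s+(?P<dst_port>\d+)"
    rf"(?:\s+(?P<nat_kind>[sd])\s+(?P<nat_ip>{IPV4})\s+(?P<nat_port>\d+))?\s*$"
)


def parse_policy_sessions(text):
    """Return one dict per session found in `show ip policy-sessions` output."""
    sessions, policy_class, pending = [], None, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            policy_class, pending = m.group(1), None
            continue
        m = HDR_RE.match(line)
        if m:
            pending = m.groupdict()  # protocol/TTL line precedes its address line
            continue
        m = ADDR_RE.match(line)
        if m and pending is not None:
            entry = {"policy_class": policy_class, "proto": pending["proto"],
                     "ttl": int(pending["ttl"]), "dst_class": pending["dst_class"]}
            entry.update({k: v for k, v in m.groupdict().items() if v is not None})
            for key in ("src_port", "dst_port", "nat_port"):
                if key in entry:
                    entry[key] = int(entry[key])
            sessions.append(entry)
            pending = None
    return sessions


def longest_run(values):
    """Length of the longest run of consecutive integers in `values`."""
    best = run = 0
    prev = None
    for v in sorted(set(values)):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best


def summarize(sessions):
    """Per-source session count plus the longest sequential port and address runs."""
    by_src = defaultdict(list)
    for s in sessions:
        by_src[s["src_ip"]].append(s)
    return {
        src: {
            "sessions": len(group),
            "dst_ips": len({g["dst_ip"] for g in group}),
            "port_run": longest_run(g["dst_port"] for g in group),
            "ip_run": longest_run(int(ipaddress.ip_address(g["dst_ip"])) for g in group),
        }
        for src, group in by_src.items()
    }


def flag_scans(sessions, min_sessions=8, min_run=6):
    """Sources that look like a port scan or address sweep (thresholds are assumptions)."""
    flagged = []
    for src, stats in summarize(sessions).items():
        if stats["sessions"] < min_sessions:
            continue
        if stats["port_run"] >= min_run:
            flagged.append((src, f"{stats['port_run']} sequential destination ports"))
        elif stats["ip_run"] >= min_run:
            flagged.append((src, f"{stats['ip_run']} sequential destination addresses"))
    return sorted(flagged)


if __name__ == "__main__":
    sessions = parse_policy_sessions(SAMPLE)
    print(f"{len(sessions)} sessions parsed")
    for src, stats in sorted(summarize(sessions).items()):
        print(f"{src:<16} {stats}")
    for src, reason in flag_scans(sessions):
        print(f"SUSPECT {src}: {reason}")
```

To use it against a live unit, replace SAMPLE with the text captured from the CLI while the "Maximum number of global associations reached" message is being logged; a snapshot taken after the table has drained, like the one posted above, will show nothing of interest. The two quiet hosts from the posted output are left unflagged; only the two constructed scanners trip the thresholds.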
                • Re: Netvanta 1224R
                  jayh Hall_of_Fame

                  This looks pretty lightweight for policy sessions, certainly not of concern.  You'll probably need to capture it when the issue occurs. 

                    • Re: Netvanta 1224R
                      jgoldberg New Member

                      Jay,

                       

                      I'm curious if you or anyone else knows of a scriptable telnet/ssh client that can run these commands. As long as I can pass command lines to it or read from a script, I'm good. It doesn't need the more advanced programmable scripting conditions of Vandyke SecureCRT, just basic: send this command, wait five seconds, send the next command, etc.

                       

                      Edit: I see that putty supports this.

                • Re: Netvanta 1224R
                  tommyrogers New Member

                  I rebooted the 1224R and the issue disappeared. I also made sure all of the computers were clear of any malware etc. So far the issue has not returned and it has been over 24 hours. If it occurs again I will post an update.

                  I also ran a packet capture and did not see anything that caught my eye.

                    • Re: Netvanta 1224R
                      Employee

                      tommyrogers -

                      I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                       

                      Thanks,

                      Noor