2 Replies Latest reply on Mar 9, 2017 12:57 PM by jasonkeane

    NetVanta 1550-48P - "Too many sessions allocated"

    jasonkeane New Member

      NetVanta 1550-48P running NV1550A-R11-10-7 firmware. Every time I log into the web management input the username and password and the next page displays while page "Too many sessions allocated " and I need to telnet in and reboot the switch. Anyone else have this issue before?

        • Re: NetVanta 1550-48P - "Too many sessions allocated"
          jayh Hall_of_Fame

          The Adtran device only allows a limited number of web sessions at one time. Two possibilities:

           

          One is that your web server is open to the Internet and random attackers are connecting and attempting to brute-force guess passwords. You can lock this down as follows:

           

          1. Create an access list including just your trusted management networks.

           

          ip access-list standard admin-access-list

            permit [network] [inverse mask]

            permit [network] [inverse mask]

            ...

           

          2. Apply this access list to router administration.

           

          http ip access-class admin-access-list in

          http ip secure-access-class admin-access-list in

           

          line telnet 0 4

            ip access-class admin-access-list in

           

          line ssh 0 4

            ip access-class admin-access-list in

           

          3. If you have SNMP enabled on the device, lock it down similarly.

           

          The other is that you have many legitimate web sessions open and the web server is blocking further new connections. This can be controlled as follows:

           

          There's a command to limit the number of active sessions from none to 100. The default is 100 so unless someone has changed it this isn't likely the problem. Syntax is as follows:

           

          http session-limit [0 to 100]

           

           

          Also, set a timeout so that abandoned sessions close within a reasonable time. Syntax, with the number specifying seconds:

           

           

          http session-timeout  [10 to 86400]

           

          The default is 600 seconds, or ten minutes with no activity, which should usually be OK.

           

           

          My best guess is that the web interface is open to the world and someone or several someones are trying to guess passwords.