[j-nsp] Session utilization is 90% of the system capacity

Stefan Fouant sfouant at gmail.com
Fri Mar 14 14:01:42 EDT 2008


Hi Vincent,

Basically the message you are seeing in the log file is indicating that your
device's session table is almost full.  This can be caused by legitimate
traffic or it could be caused by malicious traffic in the form of port
scans, ping sweeps, worm outbreaks, or various other types of unwanted
traffic.

The easiest way to determine what is causing this is to connect to the
device via telnet/ssh/console and issue the "get session" command.  You may
be able to look at the output and easily identify what is causing the large
number of sessions.  However, as you are likely to have a large amount of
data it might be easier to save this output to a .txt file and use
something like the 'Firewall Session
Analyzer<http://www.juniperforum.com/index.php/topic,3656.0.html>'
available on Juniper's Support site to analyze the data.

Once you have identified the source of the large number of sessions, the
following remedies may be used to fix the problem:

A) Eliminate the undesired traffic from the identified host
B) Set your protocol timeouts for the protocol in question to something
lower, so that the matching sessions age out quicker and therefore do not
hog session resources
C) Set Screening options to enforce Source or Destination Session Limits

HTHs.

Stefan Fouant

On Fri, Mar 14, 2008 at 12:25 PM, Vincent De Keyzer <
vincent at autempspourmoi.be> wrote:

> Hello,
>
> we have a Netscreen 25 at our office (30 people), that we use for
> Internet access and VoIP.
>
> From time to time the firewall goes bananas: traffic does not go
> through anymore, ping success rate to default gateway is very low, and
> if we succeed in logging in, we see very high CPU and messages in the log
> that say:
>
> 2008-03-13 15:08:31 system crit  00051 Session utilization has reached 28857, which is 90% of the system capacity!
> 2008-03-13 15:08:29 system crit  00051 Session utilization has reached 28857, which is 90% of the system capacity!
> 2008-03-13 15:08:28 system crit  00051 Session utilization has reached 28857, which is 90% of the system capacity!
> 2008-03-13 15:08:27 system crit  00051 Session utilization has reached 28857, which is 90% of the system capacity!
> 2008-03-13 15:08:26 system crit  00051 Session utilization has reached 28857, which is 90% of the system capacity!
> 2008-03-13 15:08:24 system crit  00051 Session utilization has reached 28857, which is 90% of the system capacity!
> 2008-03-13 15:08:19 system crit  00051 Session utilization has reached 28857, which is 90% of the system capacity!
> 2008-03-13 15:08:18 system crit  00051 Session utilization has reached 28857, which is 90% of the system capacity!
> 2008-03-13 15:08:16 system crit  00051 Session utilization has reached 28857, which is 90% of the system capacity!
>
> How do I troubleshoot this? What are those sessions? How do I identify
> them? How do I limit them? Is it a good thing to limit them?
>
> I don't know where to start, so any idea will be appreciated.
>
> Thanks
>
> Vincent
>
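The analysis step described in the reply above (save the "get session" output, then find which hosts hold the sessions), as an added example that is not part of the original thread or any Juniper tool. The record layout matched by `FLOW` is an assumption about what ScreenOS prints, the sample data is constructed, and all function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Initiating-side line of each session record, e.g.
#  if 0(nspflag 800801):10.0.0.23/4101->198.51.100.1/445,6,...
# Layout is an assumption; adjust the pattern if your output differs.
FLOW = re.compile(r"\):(\d+(?:\.\d+){3})/(\d+)->(\d+(?:\.\d+){3})/(\d+),(\d+),")

def parse_sessions(text):
    """Return one (src, dst, dport, proto) tuple per session."""
    return [(m[1], m[3], int(m[4]), int(m[5])) for m in FLOW.finditer(text)]

def per_source(text):
    """Map src -> (session count, distinct destinations, busiest (dport, proto))."""
    count, dsts, svc = Counter(), defaultdict(set), defaultdict(Counter)
    for src, dst, dport, proto in parse_sessions(text):
        count[src] += 1
        dsts[src].add(dst)
        svc[src][(dport, proto)] += 1
    return {s: (n, len(dsts[s]), svc[s].most_common(1)[0][0]) for s, n in count.items()}

def over_limit(text, limit):
    """Sources that a per-source session limit of `limit` would throttle, busiest first."""
    rows = [(n, s) for s, (n, _, _) in per_source(text).items() if n > limit]
    return [s for n, s in sorted(rows, reverse=True)]

def _session(sid, src, sport, dst, dport, proto):
    # Builds one constructed three-line record for the sample below.
    return (f"id {sid}/s**,vsys 0,flag 00000040/0000/0001,policy 1,time 6, dip 2 module 0\n"
            f" if 0(nspflag 800801):{src}/{sport}->{dst}/{dport},{proto},0010db000001,"
            "sess token 3,vlan 0,tun 0,vsd 0,route 1\n"
            f" if 1(nspflag 800800):203.0.113.2/{sport}<-{dst}/{dport},{proto},000000000000,"
            "sess token 4,vlan 0,tun 0,vsd 0,route 0\n")

# Constructed sample: one host with 40 sessions to 40 addresses on TCP/445, two normal hosts.
SAMPLE = "alloc 45/max 32064, alloc failed 0, mcast alloc 0, di alloc failed 0\n"
SAMPLE += "".join(_session(i, "10.0.0.23", 4000 + i, f"198.51.100.{i}", 445, 6) for i in range(1, 41))
SAMPLE += "".join(_session(100 + i, "10.0.0.5", 5000 + i, "192.0.2.10", 443, 6) for i in range(3))
SAMPLE += "".join(_session(200 + i, "10.0.0.7", 6000 + i, "192.0.2.53", 53, 17) for i in range(2))

if __name__ == "__main__":
    ranked = sorted(per_source(SAMPLE).items(), key=lambda kv: -kv[1][0])
    for src, (n, ndst, (dport, proto)) in ranked:
        print(f"{src:15} sessions={n:5} distinct_dst={ndst:5} top={dport}/proto{proto}")
    print("over a limit of 20:", over_limit(SAMPLE, 20))
```

A source with many sessions spread over many distinct destinations on one port points at scanning or a worm, while many sessions to a single destination is more often a busy legitimate client; `over_limit` previews which hosts a candidate source session limit would affect before it is enforced.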