Anonymous
Not applicable

Firewall: Maximum number of associations reached


Just reviewed events and I am seeing quite a few of these:

2012.03.02 10:00:12 FIREWALL id=firewall time="2012-03-02 10:00:12" fw=fsnb-mpls-access pri=5 proto=8080/tcp src=      dst=    msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 1783 Dst 8080 from ghost policy-class" agent=AdFirewall

And we are losing connections.

Policy-class "ghost":

  32573 current sessions (33300 max)

  Discards/Allows/NAT: 1019384/524143322/0

  Entry 1 - allow list MATCHALL stateless

    1142130940 initiator bytes, 1762128917 responder bytes, 524143322 hits

How do I fix this without having to reboot the router or kick everyone off by removing the policy, or will removing the policy allow everyone to stay connected?

Accepted Solutions
Anonymous
Not applicable

Re: Firewall: Maximum number of associations reached


Thank you for asking this question.

Depending on the ADTRAN product and firmware version, you can increase the maximum number of sessions with the command ip policy-class <ipv4 acp name> max-sessions <number>.  The value must be within the appropriate range limits. The limits depend on the type of AOS device being used. Setting this value to 0 restores the default setting.

Use the policy-class max-sessions <number> command to specify the maximum number of allowed policy sessions in the AOS product for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) combined. This command sets the maximum session limit for ALL access control policies (ACPs) on the AOS unit.  When setting the max-sessions for all IPv4 ACPs, this default is determined at boot time based on the amount of memory available. For a named IPv4 ACP, this default is one-third of the total number of allowed ACP sessions.

By default, the maximum IPv4 and IPv6 ACP sessions allowed are based on the amount of RAM in the AOS unit. The following table outlines the default values based on RAM:

RAM Amount    Default Max Sessions
64 MB         10000
128 MB        30000
256 MB        80000
512 MB        200000
768 MB        300000
1 GB          450000

I hope that makes sense, but please do not hesitate to reply to this post with additional questions.  I will be happy to help in any way I can.

Levi

Anonymous
Not applicable

Re: Firewall: Maximum number of associations reached


With our current setup at 256 MB, and the policy maxed out at 33300, can this cause connectivity issues? Can we increase the memory to allow more sessions?

Anonymous
Not applicable

Re: Firewall: Maximum number of associations reached


Yes, if you are reaching the maximum number of associations, it can cause connectivity issues.  If your ADTRAN unit has 256 MB of RAM, then you can increase the max-sessions with the command listed previously (ip policy-class <ipv4 acp name> max-sessions <number>) to up to 80,000, as outlined in the table above.  However, if after increasing the max-sessions, you are still reaching the maximum number of associations, then you may want to investigate your internal network for malicious hosts.

Levi
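An added example, not from this thread or from ADTRAN: a small Python script that parses the AdFirewall key=value event format and the policy-class status output quoted in the original question, counts the "maximum associations reached" drops per policy-class, flags classes running close to their session ceiling, and looks up the RAM-based default from the table in the accepted answer. The sample event and status text are constructed (addresses blanked as in the post; the second and third event lines are made up), and the 90% threshold is an assumed alerting value.

```python
import re
from collections import Counter

# Constructed sample events in the AdFirewall key=value format from the thread (src/dst blank as posted; lines 2-3 made up).
SAMPLE_EVENTS = """\
2012.03.02 10:00:12 FIREWALL id=firewall time="2012-03-02 10:00:12" fw=fsnb-mpls-access pri=5 proto=8080/tcp src= dst= msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 1783 Dst 8080 from ghost policy-class" agent=AdFirewall
2012.03.02 10:00:13 FIREWALL id=firewall time="2012-03-02 10:00:13" fw=fsnb-mpls-access pri=5 proto=443/tcp src= dst= msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 2001 Dst 443 from ghost policy-class" agent=AdFirewall
2012.03.02 10:00:14 FIREWALL id=firewall time="2012-03-02 10:00:14" fw=fsnb-mpls-access pri=6 proto=80/tcp src= dst= msg="Session allowed" agent=AdFirewall
"""

# Constructed sample of the policy-class status output shown in the thread.
SAMPLE_STATUS = """\
Policy-class "ghost":
  32573 current sessions (33300 max)
"""

# Default total ACP sessions per RAM size, from the table in the accepted answer.
DEFAULT_MAX_SESSIONS = {64: 10000, 128: 30000, 256: 80000,
                        512: 200000, 768: 300000, 1024: 450000}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')
EXHAUST_RE = re.compile(r"Maximum number of associations reached on (\S+) policy-class")
STATUS_RE = re.compile(r'Policy-class "([^"]+)":\s+(\d+) current sessions \((\d+) max\)')

def parse_event(line):
    """Split one syslog line into a dict of key=value fields, unquoting quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def count_exhaustion_drops(events):
    """Count 'maximum associations reached' drops per policy-class name."""
    hits = Counter()
    for line in events.splitlines():
        m = EXHAUST_RE.search(parse_event(line).get("msg", ""))
        if m:
            hits[m.group(1)] += 1
    return dict(hits)

def session_utilization(status):
    """Return {policy-class: (current, max)} parsed from the status output."""
    return {n: (int(c), int(m)) for n, c, m in STATUS_RE.findall(status)}

def near_limit(status, threshold=0.9):
    """Policy-classes whose session table is at or above the threshold fraction of max."""
    return [n for n, (c, m) in session_utilization(status).items() if m and c / m >= threshold]

def default_ceiling(ram_mb):
    """Table default for total ACP sessions at a RAM size, or None if not tabulated."""
    return DEFAULT_MAX_SESSIONS.get(ram_mb)
```

Run it against a real export of the event log and the policy-class status to see which class is being exhausted and how far the configured max sits below the table default for the unit's RAM.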

Anonymous
Not applicable

Re: Firewall: Maximum number of associations reached


I marked this question as "assumed answered," but please do not hesitate to reply to this post with additional questions on this topic.  I will be happy to help in any way I can.

Levi

Anonymous
Not applicable

Re: Firewall: Maximum number of associations reached


I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor