Anonymous
Not applicable

Netvanta 1224R

Jump to solution

After several years in service I have recently had a 1224R start acting up and I am getting this in the event logs.

"Maximum number of global associations reached, dropping packet from Public policy-class"

I don't think there is any virus activity and I have read the post about increasing the "IP POLICY-CLASS MAX-SESSIONS". I set it to the maximum and I am still getting these errors. Can someone explain what causes the error?

Thanks

Tommy


Accepted Solutions
Anonymous
Not applicable

Re: Netvanta 1224R

Jump to solution

I rebooted the 1224R and the issue disappeared. I also made sure all of the computers were clear of any malware etc. So far the issue has not returned and it has been over 24 hours. If it occurs again I will post an update.

I also ran a packet capture and did not see anything that caught my eye.

8 Replies
jayh
Honored Contributor

Re: Netvanta 1224R

Jump to solution

It's possibly some virus but perhaps not on your network. The box keeps track of state when a flow traverses the firewall. Normally this is a short-duration event. You send an email or visit a web page, the other side accepts the connection, data is passed, and the connection closes. An open SSH or telnet session will hold an association for the duration of the session.

If a connection is started but doesn't complete, then a timer starts running.  The association is reserved for the duration of the timer.  Virus activity or port scans can cause multiple half-open sessions which will hold these sessions until the timer runs out.

show ip policy-sessions would be a good place to start. Look for numerous incomplete sessions of port ranges or IP ranges in sequence; this may point you to the culprit.

Anonymous
Not applicable

Re: Netvanta 1224R

Jump to solution

Below is the output of "show ip policy-sessions", as you can see there are not that many sessions open.

show ip policy-sess

Protocol (TTL) [in crypto map] -> [out crypto map] Destination policy-class
  Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port
  --------------- -------- --------------- -------- ----------------- --------
Policy class "Private":
tcp (565) -> Public
  192.168.20.7    58086    162.220.220.77  5938     s 70.46.202.2     57291
tcp (565) -> Public
  192.168.20.61   58274    108.59.5.74     5938     s 70.46.202.2     16473
tcp (565) -> Public
  192.168.20.147  59811    74.125.21.101   443      s 70.46.202.2     30606
tcp (593) -> Public
  192.168.20.147  59665    74.125.21.113   443      s 70.46.202.2     30535
tcp (593) -> Public
  192.168.20.147  59813    74.125.21.113   443      s 70.46.202.2     30607
tcp (551) -> Public
  192.168.20.147  63863    108.160.163.102 80       s 70.46.202.2     8787
tcp (4) -> Public
  192.168.20.147  59808    173.194.37.54   443      s 70.46.202.2     30602
tcp (4) -> Public
  192.168.20.147  59809    173.194.37.54   443      s 70.46.202.2     30603
tcp (565) -> Public
  192.168.20.154  45158    15.201.145.51   5223     s 70.46.202.2     25453
Policy class "Public":
tcp (600) -> self
  74.113.156.28   42874    70.46.202.2     2300
icmp (46) -> self
  74.113.235.21   4457     70.46.202.2     4457
Policy class "self":
Policy class "default":
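A parser for the show ip policy-sessions layout pasted above, together with the check jayh suggests (sources whose destination ports or destination IPs run in sequence). This is an added example, not code from the thread or from Adtran; the column layout is assumed stable, the 5-in-a-row threshold is an assumption, and the sweeping host 192.168.20.99 in the sample is constructed.

```python
import re
from ipaddress import ip_address

HDR = re.compile(r'^Policy class "(?P<cls>[^"]+)":')                 # Policy class "Private":
FLOW = re.compile(r'^(?P<proto>\w+) \((?P<ttl>\d+)\) -> (?P<dst_cls>\S+)')  # tcp (565) -> Public
ADDR = re.compile(r'^\s+(?P<src>[\d.]+)\s+\d+\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)')  # address row

def parse_sessions(text):
    """One dict per tracked association: policy class, protocol, TTL, src, dst, dst port."""
    sessions, cls, flow = [], None, None
    for line in text.splitlines():
        if m := HDR.match(line):
            cls, flow = m.group("cls"), None
        elif m := FLOW.match(line):
            flow = m.groupdict()
        elif (m := ADDR.match(line)) and flow:
            sessions.append({"cls": cls, "proto": flow["proto"], "ttl": int(flow["ttl"]),
                             "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return sessions

def longest_run(values):
    """Length of the longest run of consecutive integers in values (0 for empty input)."""
    vals = sorted(set(values))
    best = run = 1 if vals else 0
    for a, b in zip(vals, vals[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def suspicious_sources(sessions, min_run=5):
    """Sources whose dst ports or dst IPs are in sequence; min_run is an assumed threshold."""
    by_src = {}
    for s in sessions:
        by_src.setdefault(s["src"], []).append(s)
    flagged = {}
    for src, rows in by_src.items():
        port_run = longest_run(r["dport"] for r in rows)
        ip_run = longest_run(int(ip_address(r["dst"])) for r in rows)
        if max(port_run, ip_run) >= min_run:
            flagged[src] = {"sessions": len(rows), "port_run": port_run, "ip_run": ip_run}
    return flagged

# Constructed sample: one row copied from the thread plus a made-up host sweeping ports 1000-1007.
SAMPLE = '''Policy class "Private":
tcp (565) -> Public
  192.168.20.7    58086    162.220.220.77  5938     s 70.46.202.2     57291
''' + "".join(f"tcp (590) -> Public\n  192.168.20.99   {40000 + i}    192.0.2.5       {1000 + i}     s 70.46.202.2     {50000 + i}\n"
              for i in range(8)) + 'Policy class "Public":\ntcp (600) -> self\n  74.113.156.28   42874    70.46.202.2     2300\n'
```

Run it on the real output with `suspicious_sources(parse_sessions(open("sessions.txt").read()))`; the capture above yields no hits, which matches jayh's reading that it is lightweight.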

jayh
Honored Contributor

Re: Netvanta 1224R

Jump to solution

This looks pretty lightweight for policy sessions, certainly not of concern.  You'll probably need to capture it when the issue occurs. 

Anonymous
Not applicable

Re: Netvanta 1224R

Jump to solution


I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor

jgoldberg
New Contributor II

Re: Netvanta 1224R

Jump to solution

Jay,

I'm curious if you or anyone else knows of a scriptable telnet/ssh client that can run these commands. As long as I can pass command lines to it or read from a script, I'm good. It doesn't need the more advanced programmable scripting conditions of Vandyke SecureCRT, just basic: send this command, wait five seconds, send the next command, etc.

Edit: I see that putty supports this.

jayh
Honored Contributor

Re: Netvanta 1224R

Jump to solution

An expect script can do this type of thing. If you're running Windows, you'll need to install Service Pack CentOS.

jgoldberg
New Contributor II

Re: Netvanta 1224R

Jump to solution

That's great, thanks. I'm installing Expect for WinDOSe as we speak. Expect is based on Tcl, the same scripting language used to write Adtran scripts!