After several years in service I have recently had a 1224R start acting up and I am getting this in the event logs.
"Maximum number of global associations reached, dropping packet from Public policy-class"
I don't think there is any virus activity and I have read the post about increasing the "IP POLICY-CLASS MAX-SESSIONS". I set it to the maximum and I am still getting these errors. Can someone explain what causes the error?
Thanks
Tommy
I rebooted the 1224R and the issue disappeared. I also made sure all of the computers were clear of any malware etc.. So far the issue has not returned and it has been over 24 hours. If it occurs again I will post an update.
I also ran a packet capture and did not see anything that caught my eye.
It's possibly some virus but perhaps not on your network. The box keeps track of state when a flow traverses the firewall. Normally this is a short-duration event. You send an email or visit a web page, the other side accepts the connection, data is passed, and the connection closes. An open SSH or telnet session will hold an association for the duration of the session.
If a connection is started but doesn't complete, then a timer starts running. The association is reserved for the duration of the timer. Virus activity or port scans can cause multiple half-open sessions which will hold these sessions until the timer runs out.
"show ip policy-sessions" would be a good place to start. Look for numerous incomplete sessions with port ranges or IP ranges in sequence; this may point you to the culprit.
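As an added example (not from the thread and not Adtran's code), the following Python script turns the text of "show ip policy-sessions" into records and then applies the check Jay describes: it groups sessions by source address and flags any source holding many sessions whose destination ports or destination addresses run in consecutive sequence. The function names, the thresholds (10 sessions, a run of 8) and the 192.168.20.99 sweep are my own constructions; the single-letter column before the NAT address is captured as-is because the thread does not say what it means.

```python
"""Parse 'show ip policy-sessions' text and flag sweep-like sources."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

CLASS_RE = re.compile(r'^Policy class "([^"]+)":')
FLOW_RE = re.compile(r"^(\w+)\s+\((\d+)\)\s+->\s+(\S+)")       # e.g. tcp (565) -> Public
ADDR_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)"  # src ip/port, dst ip/port
    r"(?:\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+))?"                  # optional flag, NAT ip/port
)


@dataclass
class Session:
    policy_class: str
    proto: str
    ttl: int                        # the (TTL) value from the header line
    dest_class: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nat_flag: Optional[str] = None  # single-letter column before the NAT address, kept as-is
    nat_ip: Optional[str] = None
    nat_port: Optional[int] = None


def parse_policy_sessions(text: str) -> List[Session]:
    """Each session is a 'proto (ttl) -> class' line followed by an address line."""
    sessions: List[Session] = []
    policy_class: Optional[str] = None
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            policy_class, pending = m.group(1), None
            continue
        m = FLOW_RE.match(line)
        if m:
            pending = (m.group(1), int(m.group(2)), m.group(3))
            continue
        m = ADDR_RE.match(line)
        if m and pending and policy_class:
            proto, ttl, dest = pending
            sessions.append(Session(
                policy_class, proto, ttl, dest,
                m.group(1), int(m.group(2)), m.group(3), int(m.group(4)),
                m.group(5), m.group(6), int(m.group(7)) if m.group(7) else None))
            pending = None
    return sessions


def longest_consecutive_run(values: Iterable[int]) -> int:
    """Length of the longest run of consecutive integers among the distinct values."""
    vals = sorted(set(values))
    best = run = 1 if vals else 0
    for prev, cur in zip(vals, vals[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_sweeps(sessions: List[Session], min_sessions: int = 10, min_run: int = 8) -> Dict[str, dict]:
    """Sources with many sessions and a long run of sequential destination
    ports (port sweep) or destination addresses (host sweep). The thresholds
    are arbitrary starting points, not values from the thread."""
    by_src: Dict[str, List[Session]] = defaultdict(list)
    for s in sessions:
        by_src[s.src_ip].append(s)
    findings: Dict[str, dict] = {}
    for src, group in by_src.items():
        if len(group) < min_sessions:
            continue
        port_run = longest_consecutive_run(s.dst_port for s in group)
        ip_run = longest_consecutive_run(int(ipaddress.IPv4Address(s.dst_ip)) for s in group)
        if port_run >= min_run or ip_run >= min_run:
            findings[src] = {"sessions": len(group), "port_run": port_run, "ip_run": ip_run}
    return findings


# Excerpt of the output posted later in this thread (header lines included to show they are skipped).
PAGE_OUTPUT = """show ip policy-sess
Protocol (TTL) [in crypto map] -> [out crypto map] Destination policy-class
Src IP Address Src Port Dest IP Address Dst Port NAT IP Address NAT Port
--------------- -------- --------------- -------- ----------------- --------
Policy class "Private":
tcp (565) -> Public
192.168.20.7 58086 162.220.220.77 5938 s 70.46.202.2 57291
tcp (565) -> Public
192.168.20.61 58274 108.59.5.74 5938 s 70.46.202.2 16473
tcp (565) -> Public
192.168.20.147 59811 74.125.21.101 443 s 70.46.202.2 30606
tcp (551) -> Public
192.168.20.147 63863 108.160.163.102 80 s 70.46.202.2 8787
Policy class "Public":
tcp (600) -> self
74.113.156.28 42874 70.46.202.2 2300
icmp (46) -> self
74.113.235.21 4457 70.46.202.2 4457
Policy class "self":
Policy class "default":
"""

# Constructed: one host opening sessions to 20 consecutive ports on a single destination.
CONSTRUCTED_SWEEP = 'Policy class "Private":\n' + "".join(
    f"tcp (590) -> Public\n192.168.20.99 {40000 + i} 10.0.0.5 {1000 + i} s 70.46.202.2 {20000 + i}\n"
    for i in range(20))

if __name__ == "__main__":
    print("thread output alone:", find_sweeps(parse_policy_sessions(PAGE_OUTPUT)))
    print("with constructed sweep:", find_sweeps(parse_policy_sessions(PAGE_OUTPUT + CONSTRUCTED_SWEEP)))
```

On the thread's own output nothing is flagged, which matches Jay's reading of it; the constructed block is reported as a 20-port sweep from 192.168.20.99. Run it against a capture taken while the "global associations" message is being logged rather than after a reboot has cleared the table.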
Below is the output of "show ip policy-sessions", as you can see there are not that many sessions open.
show ip policy-sess
Protocol (TTL) [in crypto map] -> [out crypto map] Destination policy-class
Src IP Address   Src Port  Dest IP Address  Dst Port    NAT IP Address   NAT Port
---------------  --------  ---------------  --------    ---------------  --------
Policy class "Private":
tcp (565) -> Public
192.168.20.7     58086     162.220.220.77   5938      s 70.46.202.2      57291
tcp (565) -> Public
192.168.20.61    58274     108.59.5.74      5938      s 70.46.202.2      16473
tcp (565) -> Public
192.168.20.147   59811     74.125.21.101    443       s 70.46.202.2      30606
tcp (593) -> Public
192.168.20.147   59665     74.125.21.113    443       s 70.46.202.2      30535
tcp (593) -> Public
192.168.20.147   59813     74.125.21.113    443       s 70.46.202.2      30607
tcp (551) -> Public
192.168.20.147   63863     108.160.163.102  80        s 70.46.202.2      8787
tcp (4) -> Public
192.168.20.147   59808     173.194.37.54    443       s 70.46.202.2      30602
tcp (4) -> Public
192.168.20.147   59809     173.194.37.54    443       s 70.46.202.2      30603
tcp (565) -> Public
192.168.20.154   45158     15.201.145.51    5223      s 70.46.202.2      25453
Policy class "Public":
tcp (600) -> self
74.113.156.28    42874     70.46.202.2      2300
icmp (46) -> self
74.113.235.21    4457      70.46.202.2      4457
Policy class "self":
Policy class "default":
This looks pretty lightweight for policy sessions, certainly not of concern. You'll probably need to capture it when the issue occurs.
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor
Jay,
I'm curious if you or anyone else knows of a scriptable telnet/ssh client that can run these commands. As long as I can pass command lines to it or read from a script, I'm good. It doesn't need the more advanced programmable scripting conditions of VanDyke SecureCRT, just basic: send this command, wait five seconds, send the next command, etc.
Edit: I see that putty supports this.
An expect script can do this type of thing. If you're running Windows, you'll need to install Service Pack CentOS.
That's great, thanks. I'm installing Expect for WinDOSe as we speak. Expect is based on Tcl, the same scripting language used to write Adtran scripts!
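For the "send a command, wait for the prompt, send the next" driver asked about above, here is an added example in Python (not from the thread, not an Adtran or Expect script) of the same wait-for-prompt loop an expect script runs. So that it works offline it talks to a fake device served from a thread in the same process, with a made-up "Router#" prompt and constructed canned responses; against a real router you would open an SSH session with a library such as paramiko or pexpect instead of a raw TCP socket, and the loop itself stays the same.

```python
"""Expect-style command driver: wait for the prompt, send a command, repeat."""
import socket
import threading
import time
from typing import Dict, List

PROMPT = b"Router#"   # assumed prompt for the fake device below

# Constructed canned responses standing in for the router's CLI output.
FAKE_RESPONSES = {
    "show ip policy-sessions": (
        'Policy class "Private":\n'
        "tcp (565) -> Public\n"
        "192.168.20.7 58086 162.220.220.77 5938 s 70.46.202.2 57291\n"
    ),
    "show clock": "12:00:00 UTC Wed Jan 1 2014\n",
}


def fake_device(server: socket.socket) -> None:
    """Accept one client, echo each command line, answer from FAKE_RESPONSES, re-prompt."""
    conn, _ = server.accept()
    with conn:
        conn.sendall(b"\r\n" + PROMPT)
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                return
            buf += data
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                cmd = line.strip().decode()
                if cmd == "exit":
                    return
                reply = FAKE_RESPONSES.get(cmd, f"% Unknown command: {cmd}\n")
                conn.sendall(cmd.encode() + b"\r\n" + reply.encode() + PROMPT)


def read_until(sock: socket.socket, marker: bytes, timeout: float = 5.0) -> bytes:
    """The 'expect' half: keep reading until the marker (the prompt) appears."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before the prompt came back")
        buf += chunk
    return buf


def run_commands(host: str, port: int, commands: List[str], delay: float = 0.0) -> Dict[str, str]:
    """The 'send' half: for each command, send it, wait for the prompt, keep the output."""
    prompt = PROMPT.decode()
    results: Dict[str, str] = {}
    with socket.create_connection((host, port)) as sock:
        read_until(sock, PROMPT)                      # wait for the login/initial prompt
        for cmd in commands:
            sock.sendall(cmd.encode() + b"\n")
            text = read_until(sock, PROMPT).decode().replace("\r\n", "\n")
            body = text.split("\n", 1)[1] if "\n" in text else ""   # drop the echoed command
            if body.endswith(prompt):
                body = body[: -len(prompt)]                          # drop the trailing prompt
            results[cmd] = body
            time.sleep(delay)                         # optional pause between commands
        sock.sendall(b"exit\n")
    return results


def demo(commands: List[str]) -> Dict[str, str]:
    """Start the fake device on a loopback port and drive it with run_commands."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    worker = threading.Thread(target=fake_device, args=(server,), daemon=True)
    worker.start()
    try:
        return run_commands("127.0.0.1", port, commands)
    finally:
        worker.join(timeout=2)
        server.close()


if __name__ == "__main__":
    for command, output in demo(["show clock", "show ip policy-sessions"]).items():
        print(f"== {command}\n{output}")
```

The point of waiting for the prompt rather than sleeping a fixed five seconds is that a long "show" on a busy box does not get cut off and a fast one does not waste time; the optional delay is there only for devices that dislike back-to-back input.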