Just reviewed events and I am seeing quite a few of these:
2012.03.02 10:00:12 FIREWALL id=firewall time="2012-03-02 10:00:12" fw=fsnb-mpls-access pri=5 proto=8080/tcp src= dst= msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 1783 Dst 8080 from ghost policy-class" agent=AdFirewall
And we are losing connections
Policy-class "ghost":
32573 current sessions (33300 max)
Discards/Allows/NAT: 1019384/524143322/0
Entry 1 - allow list MATCHALL stateless
1142130940 initiator bytes, 1762128917 responder bytes, 524143322 hits
How do I fix this without having to reboot the router or kicking everyone off by removing the policy, or will removing the policy allow everyone to stay connected?
Thank you for asking this question.
Depending on the ADTRAN product and firmware version, you can increase the maximum number of sessions with the command ip policy-class <ipv4 acp name> max-sessions <number>. The value must be within the appropriate range limits. The limits depend on the type of AOS device being used. Setting this value to 0 restores the default setting.
Use the policy-class max-sessions <number> command to specify the maximum number of allowed policy sessions in the AOS product for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) combined. This command sets the maximum session limit for ALL access control policies (ACPs) on the AOS unit. When setting the max-sessions for all IPv4 ACPs, this default is determined at boot time based on the amount of memory available. For a named IPv4 ACP, this default is one-third of the total number of allowed ACP sessions.
By default, the maximum IPv4 and IPv6 ACP sessions allowed are based on the amount of RAM in the AOS unit. The following table outlines the default values based on RAM:
| RAM Amount | Default Max Sessions |
|---|---|
| 64 MB | 10000 |
| 128 MB | 30000 |
| 256 MB | 80000 |
| 512 MB | 200000 |
| 768 MB | 300000 |
| 1 GB | 450000 |
I hope that makes sense, but please do not hesitate to reply to this post with additional questions. I will be happy to help in any way I can.
Levi
With our current setup at 256MB, and the policy maxed out at 33300, can this cause connectivity issues? Can we increase the memory to allow more sessions?
Yes, if you are reaching the maximum number of associations, it can cause connectivity issues. If your ADTRAN unit has 256 MB of RAM, then you can increase the max-sessions with the command listed previously (ip policy-class <ipv4 acp name> max-sessions <number>) to up to 80,000, as outlined in the table above. However, if after increasing the max-sessions, you are still reaching the maximum number of associations, then you may want to investigate your internal network for malicious hosts.
Levi
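The answers above give two things to act on: the RAM-based ceiling for `max-sessions` and the advice to look for misbehaving internal hosts if the policy-class keeps filling up. The script below is an added example, not code from the original thread or from ADTRAN. It parses the "Maximum number of associations reached" drop events and the `Policy-class` status block in the question, ranks the internal sources behind the drops, and builds the `ip policy-class <name> max-sessions <number>` command from the RAM table. The sample log lines, IP addresses and the 90% warning threshold are constructed for illustration; the original post had the `src=`/`dst=` values blanked, and the regex tolerates that.

```python
import re
from collections import Counter

# Default max-sessions per amount of RAM, copied from the table in the answer above.
DEFAULT_MAX_SESSIONS_BY_RAM_MB = {
    64: 10_000, 128: 30_000, 256: 80_000,
    512: 200_000, 768: 300_000, 1024: 450_000,
}

# Matches the "associations reached" drop event in the AOS syslog format quoted
# in the question. src/dst may be empty (the poster's lines had them blanked),
# so they are matched with \S* rather than \S+.
DROP_RE = re.compile(
    r'fw=(?P<fw>\S+)\s.*?proto=(?P<proto>\S+)\s+src=(?P<src>\S*)\s+dst=(?P<dst>\S*)\s+'
    r'msg="Maximum number of associations reached on (?P<acp>\S+) policy-class'
)

# Matches the first two lines of the Policy-class status block in the question.
STATUS_RE = re.compile(
    r'Policy-class "(?P<acp>[^"]+)":\s*\n\s*(?P<current>\d+) current sessions \((?P<max>\d+) max\)'
)

# Constructed sample syslog: same format as the question, made-up addresses.
SAMPLE_SYSLOG = """\
2012.03.02 10:00:12 FIREWALL id=firewall time="2012-03-02 10:00:12" fw=fsnb-mpls-access pri=5 proto=8080/tcp src=10.1.5.23 dst=203.0.113.10 msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 1783 Dst 8080 from ghost policy-class" agent=AdFirewall
2012.03.02 10:00:13 FIREWALL id=firewall time="2012-03-02 10:00:13" fw=fsnb-mpls-access pri=5 proto=443/tcp src=10.1.5.23 dst=203.0.113.11 msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 1784 Dst 443 from ghost policy-class" agent=AdFirewall
2012.03.02 10:00:13 FIREWALL id=firewall time="2012-03-02 10:00:13" fw=fsnb-mpls-access pri=5 proto=80/tcp src=10.1.7.41 dst=198.51.100.5 msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 51022 Dst 80 from ghost policy-class" agent=AdFirewall
2012.03.02 10:00:14 FIREWALL id=firewall time="2012-03-02 10:00:14" fw=fsnb-mpls-access pri=5 proto=443/tcp src=10.1.5.23 dst=203.0.113.12 msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 1785 Dst 443 from ghost policy-class" agent=AdFirewall
2012.03.02 10:00:15 FIREWALL id=firewall time="2012-03-02 10:00:15" fw=fsnb-mpls-access pri=5 proto=8080/tcp src= dst= msg="Maximum number of associations reached on ghost policy-class, dropping packet Src 1786 Dst 8080 from ghost policy-class" agent=AdFirewall
2012.03.02 10:00:15 constructed non-matching line that the parser must skip
"""

# Constructed copy of the status block from the question.
SAMPLE_STATUS = """\
Policy-class "ghost":
32573 current sessions (33300 max)
Discards/Allows/NAT: 1019384/524143322/0
"""


def parse_drops(log_text):
    """Return one dict per 'associations reached' drop line; other lines are ignored."""
    return [m.groupdict() for m in map(DROP_RE.search, log_text.splitlines()) if m]


def top_sources(drops, n=5):
    """Internal hosts whose packets are dropped most often, busiest first.
    One host far ahead of its peers is the 'malicious host' case the answer
    suggests investigating (scanner, worm, or a misbehaving application).
    Lines with a blank src (redacted or absent) are not counted."""
    return Counter(d["src"] for d in drops if d["src"]).most_common(n)


def parse_policy_status(status_text):
    """Extract name, current sessions and max from a Policy-class status block."""
    m = STATUS_RE.search(status_text)
    if not m:
        raise ValueError("no Policy-class status block found")
    return {"acp": m["acp"], "current": int(m["current"]), "max": int(m["max"])}


def utilization(status):
    """Fraction of the per-ACP session limit currently in use."""
    return status["current"] / status["max"]


def plan_max_sessions(status, ram_mb, warn_at=0.9):
    """Decide whether to raise max-sessions and build the command if so.
    The ceiling is the RAM-based figure from the table, the only upper bound
    the answer gives; warn_at (90%) is an arbitrary threshold for this example."""
    if ram_mb not in DEFAULT_MAX_SESSIONS_BY_RAM_MB:
        raise ValueError(f"no default known for {ram_mb} MB of RAM")
    ceiling = DEFAULT_MAX_SESSIONS_BY_RAM_MB[ram_mb]
    util = utilization(status)
    plan = {"utilization": util, "ceiling": ceiling, "command": None}
    if util < warn_at:
        plan["action"] = "none"
    elif status["max"] >= ceiling:
        plan["action"] = "at_ceiling"  # raising further needs more RAM or a host hunt
    else:
        plan["action"] = "raise"
        plan["command"] = f'ip policy-class {status["acp"]} max-sessions {ceiling}'
    return plan


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_SYSLOG)
    print(f"{len(drops)} drop events; top sources: {top_sources(drops)}")
    status = parse_policy_status(SAMPLE_STATUS)
    print(plan_max_sessions(status, ram_mb=256))
```

Run it against a real export of `show` output and the syslog file instead of the constructed samples; if `top_sources` shows one host opening thousands of sessions while the rest open a handful, fixing that host frees more capacity than any `max-sessions` change, and the `at_ceiling` branch is the point where only a memory upgrade or that host hunt is left.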
I marked this question as "assumed answered," but please do not hesitate to reply to this post with additional questions on this topic. I will be happy to help in any way I can.
Levi
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor