Juniper防火墙 session 过高问题

问题：session 100%

日志报错：

Session utilization has reached 43257, which is 90% of the system capacity!

session 连接过高

解决方法：

1、通过telnet 或 consol的方法登录到防火墙

2、使用get session 查看总的session会话数，如果大于300 一般属于不正常情况

alloc 48000/max 48064, alloc failed 2682725821, mcast all
total reserved 0, free sessions in shared pool 64
id 36/s**,vsys 0,flag 04000000/0000/0001,policy 1,time 5,
 if 0(nspflag 800801):192.168.0.57/40148->46.249.48.237/4
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):116.90.85.5/40148<-46.249.48.237/41

s token 4,vlan 0,tun 0,vsd 0,route 5
id 41/s**,vsys 0,flag 04000000/0000/0001,policy 1,time 6,
 if 0(nspflag 800801):192.168.0.57/33967->46.249.48.237/3
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 6(nspflag 800800):116.90.85.5/33967<-46.249.48.237/38
s token 4,vlan 0,tun 0,vsd 0,route 5
id 42/s**,vsys 0,flag 04000000/0000/0001,policy 1,time 5,
 if 0(nspflag 800801):192.168.0.57/39410->46.249.48.237/2

3、使用get session | i 192.168 查看192.168.段的session 连接情况

SSG140-> get session | i 192.168
 if 0(nspflag 800801):192.168.0.57/46487->46.249.48.237/12707,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/55007->46.249.48.237/39983,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/48080->46.249.48.237/2469,17,848f69dc69bc,ses
s token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/43232->46.249.48.237/47998,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/39463->46.249.48.237/33930,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/46013->46.249.48.237/45993,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/37948->46.249.48.237/61889,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/38786->46.249.48.237/14897,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/37535->46.249.48.237/2187,17,848f69dc69bc,ses
s token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/32769->46.249.48.237/58035,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/44854->46.249.48.237/19293,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/34863->46.249.48.237/50367,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/44754->46.249.48.237/9409,17,848f69dc69bc,ses
s token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/42375->46.249.48.237/30999,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/41061->46.249.48.237/18728,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/45544->46.249.48.237/58502,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/37048->46.249.48.237/52232,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/35874->46.249.48.237/7843,17,848f69dc69bc,ses
s token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/56577->46.249.48.237/35131,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/57100->46.249.48.237/13237,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/48264->46.249.48.237/16853,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800801):192.168.0.57/56332->46.249.48.237/44035,17,848f69dc69bc,se
ss token 3,vlan 0,tun 0,vsd 0,route 1

4、找出故障服务器地址为 192.168.0.57

5、通过clear session src-ip  192.168.0.57 查看192.168.0.57的session的连接数

SSG140-> clear session src-ip  192.168.0.57
Total cleared software sessions :47877

6、进入192.168.0.57服务器top - 23:52:34 up 27 days,  4:48,  3 users,  load average: 2.72, 2.92, 2.81
Tasks: 308 total,   3 running, 305 sleeping,   0 stopped,   0 zombie
Cpu(s):  8.5%us,  2.7%sy,  0.0%ni, 88.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:  16316340k total,  1599156k used, 14717184k free,   154852k buffers
Swap: 33554424k total,        0k used, 33554424k free,   866596k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                                                    
 7178 root      20   0  131m 4952 1188 R 100.0  0.0   3919:56 perl                                                                                      
 7050 root      20   0  118m 4040 1952 R 100.0  0.0   4148:07 python                                                                                    
    1 root      20   0 19272 1548 1260 S  0.0  0.0   0:02.48 init                                                                                       
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd                                                                                   
    3 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 migration/0                                                                                
    4 root      20   0     0    0    0 S  0.0  0.0   0:00.04 ksoftirqd/0                                                                                
    5 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 migration/0                                                                                
    6 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 watchdog/0                                                                                 
    7 root      RT   0     0    0    0 S  0.0  0.0   0:00.03 migration/1                                                                                
    8 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 migration/1                                                                                
    9 root      20   0     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/1      

找出问题

     本文转自yzy121403725 51CTO博客，原文链接：http://blog.51cto.com/lookingdream/1826423，如需转载请自行联系原作者