10-Security Command Reference

11-Session Management Commands

application aging-time

Syntax

application aging-time { dns | ftp | msn | qq | sip } time-value

undo application aging-time [ dns | ftp | msn | qq | sip ]

View

System view

Default level

2: System level

Parameters

dns: Specifies the aging time for DNS sessions.

ftp: Specifies the aging time for FTP sessions.

msn: Specifies the aging time for MSN sessions.

qq: Specifies the aging time for QQ sessions.

sip: Specifies the aging time for SIP sessions.

time-value: Aging time, which ranges from 5 seconds to 100000 seconds.

Description

Use the application aging-time command to set the aging time for sessions of an application layer protocol.

Use the undo application aging-time command to restore the default. If no application layer protocol type is specified, the command restores the session aging times for all the application layer protocols to the defaults.

The default session aging times for the application layer protocols are as follows:

·           DNS: 60 seconds

·           FTP: 3600 seconds

·           MSN: 3600 seconds

·           QQ: 60 seconds

·           SIP: 300 seconds

Examples

# Set the aging time for FTP sessions to 1800 seconds.

<Sysname> system-view

[Sysname] application aging-time ftp 1800

display application aging-time

Syntax

display application aging-time [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display application aging-time command to display the session aging times for application layer protocols.

You can use this command to display the default session aging times for application layer protocols before these session aging times are adjusted.

Related commands: application aging-time.

Examples

# Display the current session aging times for application layer protocols.

<Sysname> display application aging-time
Protocol                        Aging-time(s)
ftp                               3600
dns                               60
sip                               300
msn                               3600
qq                                60

Table 1 Output description

Field            Description
Protocol         Application layer protocol
Aging-time(s)    Session aging time, in seconds

 

display session aging-time

Syntax

display session aging-time [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display session aging-time command to display the session aging times in different protocol states.

You can use this command to display the default session aging times in different protocol states before these session aging times are adjusted.

 

 

NOTE:

The IM-NAT LPU does not support this command.

 

Related commands: session aging-time.

Examples

# Display the current session aging times in different protocol states.

<Sysname> display session aging-time
Protocol                 Aging-time(s)
 syn                      60
 tcp-est                  300
 fin                      30
 udp-open                 60
 udp-ready                60
 icmp-open                100
 icmp-closed              30
 rawip-open               30
 rawip-ready              60
 accelerate               10

Table 2 Output description

Field            Description
Protocol         Protocol state
Aging-time(s)    Session aging time, in seconds

 

display session relation-table

Syntax

display session relation-table [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

slot slot-number: Displays the relationship table entries of the specified card. The slot-number argument specifies the slot where the card resides.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display session relation-table command to display relationship table entries.

If no slot number is specified, the command displays the relationship table entries of all cards.

 

 

NOTE:

The IM-NAT LPU does not support this command.

 

Examples

# Displays all relationship table entries on slot 6.

<Sysname> display session relation-table slot 6
Relations on slot 6:
Local IP/Port       Global IP/Port      MatchMode
192.168.1.22/99    10.153.2.22/99       Local
APP:QQ    Pro:UDP    TTL:2000s    AllowConn:10
Local IP/Port       Global IP/Port      MatchMode
192.168.1.100/99    10.153.2.100/99       Local
APP:FTP    Pro:TCP    TTL:2000s    AllowConn:10
Total find:  2

Table 3 Output description

Field                 Description
Relations on slot 6:  Relationship table on slot 6
Local IP/Port         IP address/port number of the inside network
Global IP/Port        IP address/port number of the outside network
MatchMode             Match mode from session table to relationship table: Local, Global, or Either.
                      · Local: The source IP address/source port of a new session are matched against Local IP/Port in the relation table.
                      · Global: The destination IP address/destination port of a new session are matched against Global IP/Port in the relation table.
                      · Either: The IP address/port of a new session are matched against either Local IP/Port or Global IP/Port in the relation table.
App                   Application layer protocol, such as FTP, MSN, and QQ
Pro                   Transport layer protocol, TCP or UDP
TTL                   Remaining lifetime of the relationship table entry, in seconds
AllowConn             Number of sessions allowed by the relationship table entry
Total find            Total number of found relationship table entries

 

display session statistics

Syntax

display session statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

slot slot-number: Displays the session statistics of the specified card. The slot-number argument specifies the slot where the card resides.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display session statistics command to display statistics about sessions.

If no slot number is specified, the command displays session statistics of all cards. If no argument is specified, the command displays all session statistics.

 

 

NOTE:

The IM-NAT LPU does not support this command.

 

Examples

# Display statistics about all sessions of the LPU in slot 13.

<Sysname> display session statistics slot 13
Current session(s):1
         Current     TCP session(s): 1
                 Half-Open: 0            Half-Close: 0
         Current     UDP session(s): 0
         Current    ICMP session(s): 0
         Current   RAWIP session(s): 0

Current relation table(s): 0

Session establishment rate:         0/s
         TCP     Session establishment rate:         0/s
         UDP     Session establishment rate:         0/s
         ICMP    Session establishment rate:         0/s
         RAWIP   Session establishment rate:         0/s

Received     TCP:           1356789815 packet(s)          109664852650 byte(s)
Received     UDP:           2204480244 packet(s)          196761214058 byte(s)
Received    ICMP:             10793095 packet(s)            2611913306 byte(s)
Received   RAWIP:              4789685 packet(s)             452146335 byte(s)
Dropped      TCP:                    2 packet(s)                    99 byte(s)
Dropped      UDP:             17541392 packet(s)            3300787996 byte(s)
Dropped     ICMP:                    0 packet(s)                     0 byte(s)
Dropped    RAWIP:                    0 packet(s)                     0 byte(s)

Table 4 Output description

Field                             Description
Current session(s)                Total number of sessions
Current TCP session(s)            Number of TCP sessions
Half-Open                         Number of TCP sessions in the half-open state
Half-Close                        Number of TCP sessions in the half-close state
Current UDP session(s)            Number of UDP sessions
Current ICMP session(s)           Number of ICMP sessions
Current RAWIP session(s)          Number of Raw IP sessions
Current relation table(s)         Total number of relationship table entries
Session establishment rate        Overall session establishment rate, in sessions per second
TCP Session establishment rate    Establishment rate of TCP sessions
UDP Session establishment rate    Establishment rate of UDP sessions
ICMP Session establishment rate   Establishment rate of ICMP sessions
RAWIP Session establishment rate  Establishment rate of Raw IP sessions
Received TCP                      Counts of received TCP packets and bytes
Received UDP                      Counts of received UDP packets and bytes
Received ICMP                     Counts of received ICMP packets and bytes
Received RAWIP                    Counts of received Raw IP packets and bytes
Dropped TCP                       Counts of dropped TCP packets and bytes
Dropped UDP                       Counts of dropped UDP packets and bytes
Dropped ICMP                      Counts of dropped ICMP packets and bytes
Dropped RAWIP                     Counts of dropped Raw IP packets and bytes
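As an added example (not part of the H3C reference), the following Python parser turns the display session statistics output above into per-protocol drop ratios and a half-open share, which is what an operator watches in this output for drop storms or SYN-heavy load on a card. The sample text is the page's own slot 13 output embedded as a constructed string; the alert thresholds are assumptions.

```python
import re

# Constructed sample: the "display session statistics slot 13" output from this page.
SAMPLE = """\
Current session(s):1
         Current     TCP session(s): 1
                 Half-Open: 0            Half-Close: 0
         Current     UDP session(s): 0
         Current    ICMP session(s): 0
         Current   RAWIP session(s): 0

Current relation table(s): 0

Session establishment rate:         0/s
         TCP     Session establishment rate:         0/s
         UDP     Session establishment rate:         0/s
         ICMP    Session establishment rate:         0/s
         RAWIP   Session establishment rate:         0/s

Received     TCP:           1356789815 packet(s)          109664852650 byte(s)
Received     UDP:           2204480244 packet(s)          196761214058 byte(s)
Received    ICMP:             10793095 packet(s)            2611913306 byte(s)
Received   RAWIP:              4789685 packet(s)             452146335 byte(s)
Dropped      TCP:                    2 packet(s)                    99 byte(s)
Dropped      UDP:             17541392 packet(s)            3300787996 byte(s)
Dropped     ICMP:                    0 packet(s)                     0 byte(s)
Dropped    RAWIP:                    0 packet(s)                     0 byte(s)
"""

PROTOS = ("TCP", "UDP", "ICMP", "RAWIP")
_SESS = re.compile(r"Current\s+(TCP|UDP|ICMP|RAWIP) session\(s\):\s*(\d+)")
_HALF = re.compile(r"Half-Open:\s*(\d+)\s+Half-Close:\s*(\d+)")
_RATE = re.compile(r"^\s*(TCP|UDP|ICMP|RAWIP)\s+Session establishment rate:\s*(\d+)/s", re.M)
_CNT = re.compile(r"(Received|Dropped)\s+(TCP|UDP|ICMP|RAWIP):\s*(\d+) packet\(s\)\s+(\d+) byte\(s\)")


def parse_session_statistics(text):
    """Parse the counters into a dict; packet/byte counts are stored as (packets, bytes)."""
    stats = {"sessions": {}, "half_open": 0, "half_close": 0,
             "rate": {}, "received": {}, "dropped": {}}
    m = re.search(r"Current session\(s\):\s*(\d+)", text)
    stats["total"] = int(m.group(1)) if m else 0
    for proto, n in _SESS.findall(text):
        stats["sessions"][proto] = int(n)
    m = _HALF.search(text)
    if m:
        stats["half_open"], stats["half_close"] = int(m.group(1)), int(m.group(2))
    for proto, rate in _RATE.findall(text):
        stats["rate"][proto] = int(rate)
    for kind, proto, pkts, byts in _CNT.findall(text):
        stats[kind.lower()][proto] = (int(pkts), int(byts))
    return stats


def drop_ratio(stats, proto):
    """Dropped packets as a fraction of received packets for one protocol (0.0 if none received)."""
    rx = stats["received"].get(proto, (0, 0))[0]
    dropped = stats["dropped"].get(proto, (0, 0))[0]
    return dropped / rx if rx else 0.0


def half_open_ratio(stats):
    """Share of current TCP sessions still in the half-open state (a SYN-flood indicator)."""
    tcp = stats["sessions"].get("TCP", 0)
    return stats["half_open"] / tcp if tcp else 0.0


def check(stats, max_drop=0.005, max_half_open=0.5):
    """Return human-readable findings; thresholds are assumed values, tune them per deployment."""
    findings = []
    for proto in PROTOS:
        ratio = drop_ratio(stats, proto)
        if ratio > max_drop:
            findings.append(f"{proto} drop ratio {ratio:.4f} exceeds {max_drop}")
    share = half_open_ratio(stats)
    if share > max_half_open:
        findings.append(f"half-open TCP share {share:.2f} exceeds {max_half_open}")
    return findings
```

On the page's sample the only finding is the UDP drop ratio (about 0.8 % of received UDP packets dropped).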

 

display session table

Syntax

display session table [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ verbose ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

slot slot-number: Displays the sessions of the specified card. The slot-number argument specifies the slot where the card resides.

source-ip source-ip: Displays the sessions with the specified source IP address.

destination-ip destination-ip: Displays sessions with the specified destination IP address.

verbose: Displays detailed information about sessions. Without this keyword, the command displays brief information about the specified sessions.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display session table command to display information about sessions.

If no keywords are specified, the command displays information about all sessions.

If no slot number is specified, the command displays the session tables of all cards.

If both the source-ip and destination-ip keywords are specified, the command displays only the sessions with the specified source and destination IP addresses.

 

 

NOTE:

The IM-NAT LPU does not support this command.

 

Examples

# Display brief information about all sessions.

<Sysname> display session table
Sessions on slot 6:
 Total find: 0
Sessions on slot 1:
 Total find: 0
Sessions on slot 13:
Initiator:
  Source IP/Port : 6.6.6.2/2673
  Dest IP/Port   : 6.6.6.1/179
  Pro            : TCP(6)
  VPN-Instance/VLAN ID/VLL ID:

 Total find: 1

# Display detailed information about all sessions.

<Sysname> display session table verbose
Sessions on slot 6:
 Total find: 0
Sessions on slot 1:
 Total find: 0
Sessions on slot 13:
Initiator:
  Source IP/Port : 6.6.6.2/2673
  Dest IP/Port   : 6.6.6.1/179
  VPN-Instance/VLAN ID/VLL ID:
Responder:
  Source IP/Port : 6.6.6.1/179
  Dest IP/Port   : 6.6.6.2/2673
  VPN-Instance/VLAN ID/VLL ID:
Pro: TCP(6)     App: BGP               State: SYN
Start time: 2009-06-22 15:58:52  TTL: 27s
Received packet(s)(Init): 1 packet(s) 59 byte(s)
Received packet(s)(Reply): 0 packet(s) 0 byte(s)

 Total find: 1

Table 5 Output description

Field                        Description
Sessions on slot 6:          Session information of the LPU in slot 6
Initiator:                   Session information of the initiator
Responder:                   Session information of the responder
Pro                          Transport layer protocol: TCP, UDP, ICMP, or Raw IP
VPN-Instance/VLAN ID/VLL ID  MPLS L3VPN that the session belongs to, and the VLAN and INLINE that the session belongs to during Layer 2 forwarding
App                          Application layer protocol: FTP, DNS, MSN, or QQ. Unknown indicates a protocol on a non-well-known port
State                        Session status. Possible values are Accelerate, SYN, TCP-EST, FIN, UDP-OPEN, UDP-READY, ICMP-OPEN, ICMP-CLOSED, RAWIP-OPEN, and RAWIP-READY
Start Time                   Session establishment time
TTL                          Remaining lifetime of the session, in seconds
Received packet(s)(Init)     Counts of packets and bytes from the initiator to the responder
Received packet(s)(Reply)    Counts of packets and bytes from the responder to the initiator
Total find                   Total number of found sessions

 

reset session

Syntax

reset session [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol-type protocol-type ] [ source-port  source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

View

User view

Default level

2: System level

Parameters

slot slot-number: Specifies the sessions of the specified card on a distributed device. The slot-number argument specifies the slot where the card resides.

source-ip source-ip: Specifies the sessions with the specified source IP address of the initiator. The IM-NAT LPU does not support this keyword.

destination-ip destination-ip: Specifies the sessions with the specified destination IP address of the initiator. The IM-NAT LPU does not support this keyword.

protocol-type protocol-type: Specifies the sessions of the specified protocol type. The protocol types include TCP, UDP, ICMP, and Raw IP. The IM-NAT LPU does not support this keyword.

source-port source-port: Specifies the sessions with the specified source port of the initiator. The IM-NAT LPU does not support this keyword.

destination-port destination-port: Specifies the sessions with the specified destination port of the initiator. The IM-NAT LPU does not support this keyword.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN. The vpn-instance-name argument specifies the name of an MPLS L3VPN and is a case-sensitive string of 1 to 31 characters. The IM-NAT LPU does not support this keyword.

Description

Use the reset session command to clear sessions.

If no slot number is specified, the command clears the sessions of all cards.

If no VPN instance is specified, the command clears the sessions matching other criteria on the public network.

If no parameter is specified, all sessions will be cleared.

Examples

# Reset all session tables.

<Sysname> reset session

# Remove all sessions whose originator's IP address is 10.10.10.10.

<Sysname> reset session source-ip 10.10.10.10

reset session statistics

Syntax

reset session statistics [ slot slot-number ]

View

User view

Default level

2: System level

Parameters

slot slot-number: Clears the session statistics of the specified card. The slot-number argument specifies the slot where the card resides.

Description

Use the reset session statistics command to clear session statistics.

If no slot number is specified, the command clears the session statistics of all cards.

 

 

NOTE:

The IM-NAT LPU does not support this command.

 

Examples

# Clear the statistics about all sessions.

<Sysname> reset session statistics

session aging-time

Syntax

session aging-time { accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value

undo session aging-time [ accelerate | fin | icmp-closed | icmp-open | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready ]

View

System view

Default level

2: System level

Parameters

accelerate time-value: Specifies the aging time for sessions in the accelerate queue, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.

fin time-value: Specifies the aging time for TCP sessions in the FIN_WAIT state, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.

icmp-closed time-value: Specifies the aging time for ICMP sessions in the CLOSED state, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.

icmp-open time-value: Specifies the aging time for ICMP sessions in the OPEN state, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.

rawip-open time-value: Specifies the aging time for sessions in the RAWIP_OPEN state, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.

rawip-ready time-value: Specifies the aging time for sessions in the RAWIP_READY state. The IM-NAT LPU does not support this option.

syn time-value: Specifies the aging time for TCP sessions in the SYN_SENT or SYN_RCV state, which is in the range 5 to 100000, in seconds. For the IM-NAT LPU, the value ranges from 5 to 15 seconds.

tcp-est time-value: Specifies the aging time for TCP sessions in the ESTABLISHED state, which is in the range 5 to 100000, in seconds. For the IM-NAT LPU, the value ranges from 180 to 3600 seconds.

udp-open time-value: Specifies the aging time for UDP sessions in the OPEN state, which is in the range 5 to 100000, in seconds. The IM-NAT LPU does not support this option.

udp-ready time-value: Specifies the aging time for UDP sessions in the READY state, which is in the range 5 to 100000, in seconds. For the IM-NAT LPU, the value ranges from 50 to 179 seconds.

Description

Use the session aging-time command to set the aging time for sessions of a specified protocol that are in a specified state.

Use the undo session aging-time command to restore the default. If no keyword is specified, the command restores the session aging times for all protocol states to the defaults.

The defaults are as follows:

·           ACCELERATE state: 10 seconds

·           TCP FIN_WAIT state: 30 seconds

·           ICMP CLOSED state: 30 seconds

·           ICMP OPEN state: 60 seconds

·           RAWIP_OPEN state: 30 seconds

·           RAWIP_READY state: 60 seconds

·           TCP SYN_SENT and SYN_RCV state: 15 seconds

·           TCP ESTABLISHED state: 300 seconds

·           UDP OPEN state: 30 seconds

·           UDP READY state: 60 seconds

To display the session aging times in different protocol states, use the display session aging-time command.

Examples

# Set the aging time for TCP sessions in the SYN_SENT or SYN_RCV state to 10 seconds.

<Sysname> system-view

[Sysname] session aging-time syn 10
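As an added example (not part of the H3C reference), this Python audit reads the display session aging-time output, compares every state against the defaults listed above and against the supported ranges (the 5 to 100000 second range of the main-board parameters, and the narrower syn, tcp-est and udp-ready ranges the page gives for the IM-NAT LPU), and emits the undo commands that restore drifted states. Longer aging times mean the session table keeps more entries under load, which is why drift upward from the defaults is worth flagging. The sample is the page's own display output embedded as a constructed string; the rawip-ready range, which the page does not state, is assumed to be the generic one.

```python
import re

# Per-state defaults from this page's "session aging-time" description.
DEFAULTS = {
    "accelerate": 10, "fin": 30, "icmp-closed": 30, "icmp-open": 60,
    "rawip-open": 30, "rawip-ready": 60, "syn": 15, "tcp-est": 300,
    "udp-open": 30, "udp-ready": 60,
}
GENERIC_RANGE = (5, 100000)  # range given for the main-board parameters (assumed for rawip-ready)
# Only these states are supported on the IM-NAT LPU, with these ranges (from the page).
IM_NAT_RANGES = {"syn": (5, 15), "tcp-est": (180, 3600), "udp-ready": (50, 179)}

# Constructed sample: the "display session aging-time" output shown on this page.
SAMPLE = """\
Protocol                 Aging-time(s)
 syn                      60
 tcp-est                  300
 fin                      30
 udp-open                 60
 udp-ready                60
 icmp-open                100
 icmp-closed              30
 rawip-open               30
 rawip-ready              60
 accelerate               10
"""

# A data row is a lowercase state name followed by a number; the header line does not match.
_ROW = re.compile(r"^\s*([a-z][a-z-]*)\s+(\d+)\s*$", re.M)


def parse_session_aging_time(text):
    """Return {state: seconds} parsed from the display output."""
    return {state: int(secs) for state, secs in _ROW.findall(text)}


def audit(configured, im_nat=False):
    """Compare configured aging times with defaults and ranges.
    Returns (state, value, problem) tuples; range checks depend on the card type."""
    findings = []
    for state, value in configured.items():
        if state not in DEFAULTS:
            findings.append((state, value, "unknown state"))
            continue
        if im_nat and state not in IM_NAT_RANGES:
            findings.append((state, value, "option not supported on IM-NAT LPU"))
        else:
            lo, hi = IM_NAT_RANGES[state] if im_nat else GENERIC_RANGE
            if not lo <= value <= hi:
                findings.append((state, value, f"outside supported range {lo}-{hi}"))
        default = DEFAULTS[state]
        if value > default:
            findings.append((state, value, f"longer than default {default}: entries held longer under load"))
        elif value < default:
            findings.append((state, value, f"shorter than default {default}"))
    return findings


def restore_commands(findings):
    """CLI lines (system view) that return every drifted state to its default via the undo form."""
    states = sorted({s for s, _, problem in findings if "default" in problem})
    return ["system-view"] + [f"undo session aging-time {s}" for s in states]
```

Run against the page's sample, the audit flags syn, udp-open and icmp-open as raised above their defaults; on an IM-NAT LPU the same syn value of 60 would also be outside its 5 to 15 second range.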

session checksum

Syntax

session checksum { all | { icmp | tcp | udp } * }

undo session checksum { all | { icmp | tcp | udp } * }

View

System view

Default level

2: System level

Parameters

all: Enables checksum verification for TCP, UDP, and ICMP packets.

icmp: Enables checksum verification for ICMP packets.

tcp: Enables checksum verification for TCP packets.

udp: Enables checksum verification for UDP packets.

Description

Use the session checksum command to enable checksum verification for protocol packets.

Use the undo session checksum command to disable checksum verification.

By default, checksum verification is disabled.

 

 

NOTE:

The IM-NAT LPU does not support this command.

 

Examples

# Enable checksum verification for UDP packets.

<Sysname> system-view

[Sysname] session checksum udp

session log enable (NAT interface view)

Syntax

session log enable [ acl acl-number ]

undo session log enable

View

NAT virtual interface view

Default level

2: System level

Parameters

acl acl-number: Specifies the ACL to be used to match sessions for logging. The acl-number argument ranges from 2000 to 3999.

Description

Use the session log enable command to enable the session logging function.

Use the undo session log enable command to disable the session logging function.

By default, the session logging function is disabled.

If you do not specify the acl acl-number option, the command enables session logging for all sessions on the interface.

For an IM-NAT LPU, the system does not output log information about static address translation or the internal server.

Examples

# Enable session logging on interface NAT 5/0/1 for sessions matching ACL 2050.

<Sysname> system-view

[Sysname] interface nat 5/0/1

[Sysname-NAT5/0/1] session log enable acl 2050

session log time-active

Syntax

session log time-active time-value

undo session log time-active

View

System view

Default level

2: System level

Parameters

time-value: Holdtime threshold, in minutes. It is a multiple of 10 in the range 10 to 120.

Description

Use the session log time-active command to set the holdtime threshold for active traffic session logging.

Use the undo session log time-active command to remove the setting.

By default, the holdtime threshold is 0, which means that the system does not output active traffic session logs based on holdtime threshold.

Examples

# Set the holdtime threshold for active traffic session logging to 50 minutes.

<Sysname> system-view

[Sysname] session log time-active 50

session persist acl

Syntax

session persist acl acl-number [ aging-time time-value ]

undo session persist

View

System view

Default level

2: System level

Parameters

acl-number: ACL number, in the range 2000 to 3999.

aging-time time-value: Specifies the aging time for persistent sessions, in hours. The value ranges from 0 to 360 and defaults to 24. A value of 0 means the persistent sessions are never aged.

Description

Use the session persist acl command to specify the persistent session ACL. All sessions permitted by the ACL are considered persistent sessions.

Use the undo session persist command to remove the configuration.

By default, no persistent session ACL is specified.

Persistent sessions are not removed just because no packet matches them within the normal session aging time; they age only according to the aging-time value set with this command. You can remove such sessions manually when necessary.

There can be only one persistent session ACL.

 

 

NOTE:

The IM-NAT LPU does not support this command.

 

Related commands: reset session.

Examples

# Configure all sessions matching ACL 2000 as persistent sessions, setting the aging time of the sessions to 72 hours.

<Sysname> system-view

[Sysname] session persist acl 2000 aging-time 72

 
