12-Security Configuration Guide

09-Session management

Managing sessions

About session management

Session management is a common module that provides basic services to features such as attack detection and protection, which build their session-based services on top of it.

Session management defines packet exchanges at transport layer as sessions. It updates session states and ages out sessions according to data flows from the initiators or responders. Session management allows multiple features to process the same service packet.

Session management operation

Session management tracks the session status by inspecting the transport layer protocol information. It performs unified status maintenance and management of all connections based on session tables and relation tables.

When a connection request passes through the device from a client to a server, the device creates a session entry. The entry can contain the request and response information, such as:

·          Source IP address and port number.

·          Destination IP address and port number.

·          Transport layer protocol.

·          Application layer protocol.

·          Protocol state of the session.

A multichannel protocol requires that the client and the server negotiate a new connection based on an existing connection to implement an application. Session management enables the device to create a relation entry for each connection during the negotiation phase. The entry is used to associate the connection with the application. Relation entries will be removed after the associated connections are established.

If the destination IP address of a packet is a multicast IP address, the packet will be forwarded out of multiple ports. When a multicast connection request is received on an inbound interface, the device performs the following operations:

·          Creates a multicast session entry on the inbound interface.

·          Creates a corresponding multicast session entry for each outbound interface.

Unless otherwise stated, "session entry" in this chapter refers to both unicast and multicast session entries.

In actual applications, session management only tracks connection status. It does not block potential attack packets.

Session management functions

Session management enables the device to provide the following functions:

·          Creates sessions for protocol packets, updates session states, and sets aging time for sessions in different protocol states.

·          Sets aging time for sessions based on application layer protocols.

·          Supports ICMP/ICMPv6 error packet mapping, enabling the device to search for original sessions according to the payloads in the ICMP/ICMPv6 error packets.

Because error packets are generated due to host errors, the mapping can help speed up the aging of the original sessions.

·          Supports persistent sessions, which are kept alive for a long period of time.

·          Supports session management for the control channels and dynamic data channels of application layer protocols, for example, FTP.

·          Supports real-time synchronization for sessions and for dynamic entries of session-based services.

Restrictions and guidelines: Session management configuration

For a TCP session in ESTABLISHED state, the priority order of the associated aging time is as follows:

·          Aging time for persistent sessions.

·          Aging time for sessions of application layer protocols.

·          Aging time for sessions in different protocol states.

If the device has excessive sessions, do not set the aging time shorter than the default for a certain protocol state or an application layer protocol. Short aging time settings can make the device slow in response.

Setting the session aging time for different protocol states

About protocol state-based session aging

If a session in a certain protocol state has no packet hit before the aging time expires, the device automatically removes the session.

Procedure

1.        Enter system view.

system-view

2.        Set the session aging time for different protocol states.

session aging-time state { fin | icmp-reply | icmp-request | rawip-open | rawip-ready | syn | tcp-est | udp-open | udp-ready } time-value

The default aging time for sessions in different protocol states is as follows:

¡  FIN_WAIT: 30 seconds.

¡  ICMP-REPLY: 30 seconds.

¡  ICMP-REQUEST: 60 seconds.

¡  RAWIP-OPEN: 30 seconds.

¡  RAWIP-READY: 60 seconds.

¡  TCP SYN-SENT and SYN-RCV: 30 seconds.

¡  TCP ESTABLISHED: 240 seconds.

¡  UDP-OPEN: 30 seconds.

¡  UDP-READY: 240 seconds.

Setting the session aging time for different application layer protocols

About application layer protocol-based session aging

The aging time for sessions of different application layer protocols is valid only for TCP sessions in ESTABLISHED state or UDP sessions in READY state. For sessions used by other application layer protocols, the aging time for sessions in different protocol states applies.

Procedure

1.        Enter system view.

system-view

2.        Set the session aging time for different application layer protocols.

session aging-time application { dns | ftp | gtp | h225 | h245 | ils | mgcp | nbt | pptp | ras | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp } time-value

By default, the session aging time is as follows:

¡  DNS: 1 second.

¡  FTP: 240 seconds.

¡  GTP: 60 seconds.

¡  H.225: 3600 seconds.

¡  H.245: 3600 seconds.

¡  ILS: 3600 seconds.

¡  MGCP: 60 seconds.

¡  NBT: 3600 seconds.

¡  PPTP: 3600 seconds.

¡  RAS: 300 seconds.

¡  RSH: 60 seconds.

¡  RTSP: 3600 seconds.

¡  SCCP: 3600 seconds.

¡  SIP: 300 seconds.

¡  SQLNET: 600 seconds.

¡  TFTP: 60 seconds.

¡  XDMCP: 3600 seconds.

Specifying persistent sessions

About persistent sessions

This task is only for TCP sessions in ESTABLISHED state. You can specify TCP sessions that match the permit statements in the specified ACL as persistent sessions, and either set a longer lifetime for them or make them never age out.

A persistent session is not removed until one of the following events occurs:

·          The session entry ages out.

·          The device receives a connection close request from the initiator or responder.

·          You manually clear the session entries.

Procedure

1.        Enter system view.

system-view

2.        Specify persistent sessions.

session persistent acl [ ipv6 ] acl-number [ aging-time time-value ]
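The aging rules above (persistent sessions take precedence over application layer protocol timers, which take precedence over protocol-state timers, with application timers applying only to TCP ESTABLISHED and UDP READY sessions) modelled in Python as an added example. This is not H3C code: the Session class, effective_aging, age_out and below_default are illustrative assumptions, while the timer values are the chapter's defaults.

```python
"""Model of this chapter's session aging rules (added example, not H3C
code). Timer values are the chapter's defaults; the priority order for
an ESTABLISHED TCP session is persistent > application > state."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default aging time in seconds per protocol state (session aging-time state).
STATE_AGING: Dict[str, int] = {
    "fin": 30, "icmp-reply": 30, "icmp-request": 60,
    "rawip-open": 30, "rawip-ready": 60, "syn": 30,
    "tcp-est": 240, "udp-open": 30, "udp-ready": 240,
}

# Default aging time in seconds per application layer protocol
# (session aging-time application).
APP_AGING: Dict[str, int] = {
    "dns": 1, "ftp": 240, "gtp": 60, "h225": 3600, "h245": 3600,
    "ils": 3600, "mgcp": 60, "nbt": 3600, "pptp": 3600, "ras": 300,
    "rsh": 60, "rtsp": 3600, "sccp": 3600, "sip": 300, "sqlnet": 600,
    "tftp": 60, "xdmcp": 3600,
}


@dataclass
class Session:
    """One session table entry (constructed, simplified)."""
    state: str                              # key of STATE_AGING
    app: Optional[str] = None               # key of APP_AGING, if recognized
    persistent: bool = False                # matched a "session persistent" ACL
    persistent_aging: Optional[int] = None  # None = never ages out
    last_hit: float = 0.0                   # time of the last matching packet


def effective_aging(s: Session) -> Optional[int]:
    """Aging time that applies to the session, or None for never-age-out.

    Persistent-session aging only exists for TCP ESTABLISHED sessions, and
    application aging only applies to TCP ESTABLISHED or UDP READY sessions;
    everything else falls back to the protocol-state timer.
    """
    if s.persistent and s.state == "tcp-est":
        return s.persistent_aging
    if s.app in APP_AGING and s.state in ("tcp-est", "udp-ready"):
        return APP_AGING[s.app]
    return STATE_AGING[s.state]


def age_out(table: Dict[str, Session], now: float) -> List[str]:
    """Remove entries with no packet hit within their aging time.

    Returns the ids of the removed entries, in table order.
    """
    expired = []
    for sid, s in list(table.items()):
        limit = effective_aging(s)
        if limit is not None and now - s.last_hit >= limit:
            expired.append(sid)
            del table[sid]
    return expired


def below_default(kind: str, key: str, value: int) -> bool:
    """True if a configured timer is shorter than the chapter's default,
    which the guidelines advise against on devices with many sessions."""
    defaults = STATE_AGING if kind == "state" else APP_AGING
    return value < defaults[key]
```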

Enabling session synchronization

About session synchronization

This feature enables devices to synchronize sessions and dynamic entries of session-based services. Typically, these devices back up each other and use a virtual IP address to communicate with a peer device. When the primary device fails, a backup device takes over to process and forward service traffic. The failover process is transparent to the peer device, and does not interrupt ongoing services.

This feature also provides automatic backup service for the device. The system automatically backs up session tables and relation tables that are generated by applications that use ALG. These applications include H.323, SIP, and ILS.

Enable session synchronization for DNS and HTTP in the following situations:

·          Users are aware that the current HTTP or DNS sessions will last for a long time.

·          HTTP or DNS session backup is required.

Restrictions and guidelines

On an IRF fabric, the NAT configuration depends on session synchronization. If session synchronization is enabled, make sure NAT is configured on global interfaces such as aggregate interfaces and redundant interfaces. If you configure NAT on physical ports, disable session synchronization as a best practice.

Procedure

1.        Enter system view.

system-view

2.        Enable session synchronization.

session synchronization enable

By default, session synchronization is disabled.

After you enable session synchronization, it applies by default to all application layer protocols except DNS and HTTP.

3.        (Optional.) Enable session synchronization for DNS, HTTP, or both.

session synchronization { dns | http }*

By default, session synchronization is disabled for DNS and HTTP.

4.        (Optional.) Set the session synchronization delay time.

session synchronization delay seconds

The default setting is 5 seconds.

5.        Enter interface view.

interface interface-type interface-number

6.        (Optional.) Specify the port identity number for session synchronization.

identity-number number

By default, no identity number is specified for a port.

For a successful session synchronization from one system to another, make sure the service ports on the two systems are configured with the same identity number.

Enabling session statistics collection

About session statistics collection

This feature enables the device to collect per-session statistics on outbound and inbound packets and bytes. You can display session statistics based on different criteria.

·          To display statistics per unicast session, use the display session table command.

·          To display statistics per unicast packet type, use the display session statistics command.

·          To display statistics per multicast session, use the display session table multicast command.

·          To display statistics per multicast packet type, use the display session statistics multicast command.

Procedure

1.        Enter system view.

system-view

2.        Enable session statistics collection.

session statistics enable

By default, session statistics collection is disabled.

Configuring CGN deployment

About the CGN deployment

Carrier Grade NAT (CGN), also called large-scale NAT (LSN), implements bulk address translation and supports user tracing. For more information about CGN, see NAT Configuration Guide.

In a CGN-deployed network, NAT traffic needs to be redirected to a failover group. The primary node in the failover group processes services and backs up service data to the secondary node. The secondary node does not process services, but it takes over the services when the primary node fails. When the primary node recovers from a failure, traffic is switched back to the primary node.

Backing up service data between the primary and secondary nodes takes time. To ensure service continuity, the traffic is switched back to the primary node after the preemption delay time.

Procedure

1.        Enter system view.

system-view

2.        Specify a failover group for processing session-based services.

session service-location acl [ ipv6 ] { acl-number | name acl-name } failover-group group-name

By default, no failover group is specified for processing session-based services.

3.        Set the delay time before traffic is switched back to the primary node in the failover group.

session synchronization preempt-mode delay delay-value

The default setting is 600 seconds.
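A simplified timeline model of the failover-group behaviour described above, as an added example that is not H3C code: the FailoverGroup class, its per-node session tables and the method names are illustrative assumptions; the 600-second preemption delay is the chapter's default.

```python
"""Simplified timeline model of the CGN failover group described above
(added example, not H3C code). The active node processes traffic and
backs up session data to its peer; after the primary recovers, traffic
is switched back only when the preemption delay has elapsed, giving the
primary time to receive the secondary's backed-up session data."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class FailoverGroup:
    name: str
    preempt_delay: int = 600        # session synchronization preempt-mode delay (default)
    primary_up: bool = True
    recovered_at: Optional[float] = None   # set while a switch-back is pending
    # per-node session tables (constructed, simplified)
    sessions: Dict[str, Dict[str, dict]] = field(
        default_factory=lambda: {"primary": {}, "secondary": {}})

    @staticmethod
    def peer(node: str) -> str:
        return "secondary" if node == "primary" else "primary"

    def switch_back_if_due(self, now: float) -> bool:
        """Complete the switch-back once the delay has elapsed: the
        secondary's session data is backed up to the primary first."""
        if (self.primary_up and self.recovered_at is not None
                and now - self.recovered_at >= self.preempt_delay):
            self.sessions["primary"].update(self.sessions["secondary"])
            self.recovered_at = None
            return True
        return False

    def active_node(self, now: float) -> str:
        """Node that processes NAT traffic at time now (seconds)."""
        if not self.primary_up:
            return "secondary"
        self.switch_back_if_due(now)
        return "secondary" if self.recovered_at is not None else "primary"

    def add_session(self, sid: str, entry: dict, now: float) -> str:
        """Create a session on the active node and back it up to the peer
        if the peer is up. Returns the node that processed it."""
        node = self.active_node(now)
        self.sessions[node][sid] = entry
        if self.primary_up:           # in this model only the primary can be down
            self.sessions[self.peer(node)][sid] = entry
        return node

    def primary_fails(self) -> None:
        self.primary_up = False
        self.sessions["primary"].clear()   # a failed node loses its local state

    def primary_recovers(self, now: float) -> None:
        self.primary_up = True
        self.recovered_at = now            # start the preemption delay
```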

Configuring SNMP notifications for session entry resources

About SNMP notifications for session entry resources

After you enable SNMP notifications for session entry resources, the device generates a notification when hardware session entry resources are exhausted or when the device recovers from the resource exhaustion condition.

For SNMP notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Procedure

1.        Enter system view.

system-view

2.        Enable SNMP notifications for session entry resources.

snmp-agent trap enable session resources

By default, SNMP notifications are enabled for session entry resources.

Configuring session entry resource logging

About session entry resource logging

Session entry resource logging enables the device to generate logs when hardware session entry resources are exhausted and when the device recovers from the resource exhaustion condition.

Procedure

1.        Enter system view.

system-view

2.        Enable session entry resource logging.

undo session resources log disable

By default, session entry resource logging is enabled.

Display and maintenance commands for session management

Execute display commands in any view and reset commands in user view.


Task

Command

Display the aging time for sessions of different application layer protocols.

display session aging-time application

Display the aging time for sessions in different protocol states.

display session aging-time state

(In standalone mode.) Display IPv4 unicast session table entries.

display session table ipv4 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] [ verbose ]

(In IRF mode.) Display IPv4 unicast session table entries.

display session table ipv4 [ chassis chassis-number slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] [ verbose ]

(In standalone mode.) Display IPv6 unicast session table entries.

display session table ipv6 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] [ verbose ]

(In IRF mode.) Display IPv6 unicast session table entries.

display session table ipv6 [ chassis chassis-number slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] [ verbose ]

(In standalone mode.) Display unicast session statistics.

display session statistics [ summary ] [ slot slot-number ]

(In IRF mode.) Display unicast session statistics.

display session statistics [ summary ] [ chassis chassis-number slot slot-number ]

(In standalone mode.) Display IPv4 unicast session statistics.

display session statistics ipv4 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ slot slot-number ]

(In IRF mode.) Display IPv4 unicast session statistics.

display session statistics ipv4 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ chassis chassis-number slot slot-number ]

(In standalone mode.) Display IPv6 unicast session statistics.

display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ slot slot-number ]

(In IRF mode.) Display IPv6 unicast session statistics.

display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * [ chassis chassis-number slot slot-number ]

(In standalone mode.) Display IPv4 multicast session table entries.

display session table multicast ipv4 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]

(In IRF mode.) Display IPv4 multicast session table entries.

display session table multicast ipv4 [ chassis chassis-number slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]

(In standalone mode.) Display IPv6 multicast session table entries.

display session table multicast ipv6 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]

(In IRF mode.) Display IPv6 multicast session table entries.

display session table multicast ipv6 [ chassis chassis-number slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]

(In standalone mode.) Display multicast session statistics.

display session statistics multicast [ slot slot-number ]

(In IRF mode.) Display multicast session statistics.

display session statistics multicast [ chassis chassis-number slot slot-number ]

(In standalone mode.) Display relation table entries.

display session relation-table { ipv4 | ipv6 } [ slot slot-number ]

(In IRF mode.) Display relation table entries.

display session relation-table { ipv4 | ipv6 } [ chassis chassis-number slot slot-number ]

Display batch hot-backup state information for all cards.

display session batch-hot-backup state

(In standalone mode.) Clear IPv4 unicast session table entries.

reset session table ipv4 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

(In IRF mode.) Clear IPv4 unicast session table entries.

reset session table ipv4 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

(In standalone mode.) Clear IPv6 unicast session table entries.

reset session table ipv6 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

(In IRF mode.) Clear IPv6 unicast session table entries.

reset session table ipv6 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

(In standalone mode.) Clear IPv4 and IPv6 unicast session table entries.

reset session table [ slot slot-number ]

(In IRF mode.) Clear IPv4 and IPv6 unicast session table entries.

reset session table [ chassis chassis-number slot slot-number ]

(In standalone mode.) Clear unicast session statistics.

reset session statistics [ slot slot-number ]

(In IRF mode.) Clear unicast session statistics.

reset session statistics [ chassis chassis-number slot slot-number ]

(In standalone mode.) Clear IPv4 multicast session table entries.

reset session table multicast ipv4 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

(In IRF mode.) Clear IPv4 multicast session table entries.

reset session table multicast ipv4 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

(In standalone mode.) Clear IPv6 multicast session table entries.

reset session table multicast ipv6 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

(In IRF mode.) Clear IPv6 multicast session table entries.

reset session table multicast ipv6 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

(In standalone mode.) Clear IPv4 and IPv6 multicast session table entries.

reset session table multicast [ slot slot-number ]

(In IRF mode.) Clear IPv4 and IPv6 multicast session table entries.

reset session table multicast [ chassis chassis-number slot slot-number ]

(In standalone mode.) Clear multicast session statistics.

reset session statistics multicast [ slot slot-number ]

(In IRF mode.) Clear multicast session statistics.

reset session statistics multicast [ chassis chassis-number slot slot-number ]

(In standalone mode.) Clear relation table entries.

reset session relation-table [ ipv4 | ipv6 ] [ slot slot-number ]

(In IRF mode.) Clear relation table entries.

reset session relation-table [ ipv4 | ipv6 ] [ chassis chassis-number slot slot-number ]
