display session aging-time application
display session aging-time state
display session dual-active transparent statistics
display session fast-drop statistics
display session fast-drop table ipv4
display session fast-drop table ipv6
display session fast-drop top-statistics
display session relation-table
display session statistics flow-redirect
display session statistics ipv4
display session statistics ipv6
display session statistics multicast
display session table multicast ipv4
display session table multicast ipv6
display session top-statistics
reset session statistics multicast
reset session table multicast ipv4
reset session table multicast ipv6
session aging-time application
session alarm rate-abrupt enable
session alarm rate-abrupt threshold
session alarm try-rate-abrupt enable
session alarm try-rate-abrupt threshold
session alarm usage-abrupt enable
session alarm usage-abrupt threshold
session fast-drop hardware-fast-forwarding
session fast-drop resource-ratio
session fast-drop top-statistics enable
session flow-redirect hardware-fast-forwarding
session log { bytes-active | packets-active }
session log redirection-by-port
session statistics hardware-fast-forwarding
session synchronization { dns | http } *
session synchronization enable
Session management commands
Non-default vSystems do not support some of the session management commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.
display session aging-time application
Use display session aging-time application to display the aging time for sessions of different application layer protocols or applications.
Syntax
display session aging-time application
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display the aging time for sessions of different application layer protocols and applications.
<Sysname> display session aging-time application
Application Aging time(s)
bootpc 120
bootps 120
dns 30
ftp 3600
ftp-data 240
gprs-data 60
gprs-sig 60
gtp-control 60
gtp-user 60
h225 3600
h245 3600
https 600
ils 3600
l2tp 120
mgcp-callagent 60
mgcp-gateway 60
netbios-dgm 3600
netbios-ns 3600
netbios-ssn 3600
ntp 120
pptp 3600
qq 120
ras 300
rip 120
rsh 60
rtsp 3600
sccp 3600
sip 300
snmp 120
snmptrap 120
sqlnet 600
stun 600
syslog 120
tacacs-ds 120
tftp 60
who 120
xdmcp 3600
others 1200
Table 1 Command output
Field | Description |
---|---|
Application | Name of an application layer protocol or an application. |
Aging time(s) | Aging time in seconds. |
others | All application layer protocols and applications whose aging time is 1200 seconds are displayed as others. |
Related commands
session aging-time application
display session aging-time state
Use display session aging-time state to display the aging time for sessions in different protocol states.
Syntax
display session aging-time state
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display the aging time for sessions in different protocol states.
<Sysname> display session aging-time state
State Aging Time(s)
SYN 10
TCP-EST 3600
FIN 10
UDP-OPEN 10
UDP-READY 30
ICMP-REQUEST 30
ICMP-REPLY 10
RAWIP-OPEN 30
RAWIP-READY 60
UDPLITE-OPEN 30
UDPLITE-READY 60
DCCP-REQUEST 30
DCCP-EST 3600
DCCP-CLOSEREQ 30
SCTP-INIT 30
SCTP-EST 3600
SCTP-SHUTDOWN 30
ICMPV6-REQUEST 60
ICMPV6-REPLY 30
TCP-TIME-WAIT 2
TCP-CLOSE 2
Table 2 Command output
Field | Description |
---|---|
State | Protocol state. |
Aging Time(s) | Aging time in seconds. |
Related commands
session aging-time state
display session dual-active transparent statistics
Use display session dual-active transparent statistics to display statistics about transparently transmitted packets in session dual-active mode.
Syntax
In standalone mode:
display session dual-active transparent statistics [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display session dual-active transparent statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays packet statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays packet statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# (In standalone mode.) Display statistics about transparently transmitted packets in session dual-active mode.
<Sysname> display session dual-active transparent statistics
Slot 2 in chassis 1:
UDP relay packets : 0
Received relay packets : 0
Table 3 Command output
Field | Description |
---|---|
UDP relay packets | Number of transparently transmitted UDP packets. |
Received relay packets | Number of received packets that are transparently transmitted. |
Related commands
session statistics enable
display session fast-drop statistics
Use display session fast-drop statistics to display unicast deny session statistics.
Syntax
In standalone mode:
display session fast-drop statistics [ summary ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display session fast-drop statistics [ summary ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
summary: Displays summary information about unicast deny session statistics. If you do not specify this keyword, the command displays detailed information about unicast deny session statistics.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# (In standalone mode.) Display detailed information about unicast deny session statistics.
<Sysname> display session fast-drop statistics
Slot 1:
Current : 1
Session type Est count
TCP : 0
UDP : 0
ICMP : 1
ICMPv6 : 0
UDP-Lite : 0
SCTP : 0
DCCP : 0
RAWIP : 0
DNS : 0
FTP : 0
GTP : 0
H323 : 0
HTTP : 0
ILS : 0
MGCP : 0
NBT : 0
PPTP : 0
RSH : 0
RTSP : 0
SCCP : 0
SIP : 0
SMTP : 0
SQLNET : 0
SSH : 0
TELNET : 0
TFTP : 0
XDMCP : 0
Deny session establishment rate: 0/s
Session type Est count
TCP : 0/s
UDP : 0/s
ICMP : 0/s
ICMPv6 : 0/s
UDP-Lite : 0/s
SCTP : 0/s
DCCP : 0/s
RAWIP : 0/s
Table 4 Command output
Field | Description |
---|---|
Current | Total number of unicast deny sessions. |
Session type | Deny session type: TCP, UDP, ICMP, ICMPv6, UDP-Lite, SCTP, DCCP, RAWIP, DNS, FTP, GTP, H323, HTTP, ILS, MGCP, NBT, PPTP, RSH, RTSP, SCCP, SIP, SMTP, SQLNET, SSH, TELNET, TFTP, XDMCP. |
Est count | Number of deny sessions created for each protocol. |
Deny session establishment rate | Rate of deny session establishment. |
Session type | Deny session type: TCP, UDP, ICMP, ICMPv6, UDP-Lite, SCTP, DCCP, RAWIP. |
Est count | Number of deny sessions created per second for each protocol. |
# (In standalone mode.) Display summary information about unicast deny session statistics.
<Sysname> display session fast-drop statistics summary
Slot 1:
type Sessions TCP sessions UDP sessions Rate TCP rate UDP rate
Est 1 0 0 1/s 0/s 0/s
Try 47 0 0 1/s 0/s 0/s
Table 5 Command output
Field | Description |
---|---|
type | Deny session type: Est (successfully created deny session) or Try (deny session that the system attempted to create). |
Sessions | Total number of unicast deny sessions. |
TCP sessions | Number of TCP unicast deny sessions. |
UDP sessions | Number of UDP unicast deny sessions. |
Rate | Rate of unicast deny session creation. |
TCP rate | Rate of TCP unicast deny session creation. |
UDP rate | Rate of UDP unicast deny session creation. |
display session fast-drop table ipv4
Use display session fast-drop table ipv4 to display IPv4 unicast deny session entries.
Syntax
In standalone mode:
display session fast-drop table ipv4 [ { destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port } * ] [ slot slot-number [ cpu cpu-number ] ] [ verbose ]
In IRF mode:
display session fast-drop table ipv4 [ { destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port } * ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
destination-ip start-destination-ip [ end-destination-ip ]: Specifies a destination IPv4 address or IPv4 address range for a unicast deny session from the initiator to the responder. The start-destination-ip argument specifies the start destination IPv4 address. The end-destination-ip argument specifies the end destination IPv4 address.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a unicast deny session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.
protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv4 transport layer protocol, including DCCP, ICMP, Raw IP, SCTP, TCP, UDP, and UDP-Lite.
source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv4 address or IPv4 address range for a unicast deny session from the initiator to the responder. The start-source-ip argument specifies the start source IPv4 address. The end-source-ip argument specifies the end source IPv4 address.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a unicast deny session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
verbose: Displays detailed information about IPv4 unicast deny session entries. If you do not specify this keyword, the command displays brief information about IPv4 unicast deny session entries.
Usage guidelines
If you do not specify any parameters, this command displays all IPv4 unicast deny session entries.
Examples
# (In standalone mode.) Display brief information about all IPv4 unicast deny session entries.
<Sysname> display session fast-drop table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Total deny session found: 1
# (In standalone mode.) Display detailed information about all IPv4 unicast deny session entries.
<Sysname> display session fast-drop table ipv4 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: 192.168.1.55/22
Destination IP/port: 192.168.1.18/1877
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Local
State: TCP_SYN_SENT
FPGA state: TCP_SYN_SENT
Application: SSH
Rule ID: 1
Rule name: test
Start time: 2011-07-29 19:12:36 TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Total deny session found: 1
Table 6 Command output
Field | Description |
---|---|
Initiator | Information about the unicast deny session from the initiator to the responder. |
Responder | Information about the unicast deny session from the responder to the initiator. |
DS-Lite tunnel peer | Address of the DS-Lite tunnel peer. When the unicast deny session is not tunneled by DS-Lite, this field displays a hyphen (-). |
VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the unicast deny session belongs. VLAN and inline to which the deny session belongs during Layer 2 forwarding. If a parameter is not specified, a hyphen (-) is displayed for the proper field. |
Protocol | Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, UDP-Lite. The number in the brackets indicates the protocol number. |
Inbound interface | Interface on which packets are received. |
Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
State | Unicast deny session state. |
FPGA state | Logical session state. If the logical session state cannot be obtained, this field displays NA. If hardware fast forwarding is disabled, this field is not displayed. |
Application | Application layer protocol, FTP or DNS. If it is an unknown protocol identified by an unknown port, this field displays OTHER. |
Rule ID | ID of the security policy rule. |
Rule name | Name of the security policy rule. |
Start time | Unicast deny session establishment time. |
TTL | Remaining lifetime of the unicast deny session, in seconds. |
Initiator->Responder | Number of packets and bytes from the initiator to the responder. |
Responder->Initiator | Number of packets and bytes from the responder to the initiator. |
Total deny session found | Total number of found unicast deny session entries. |
display session fast-drop table ipv6
Use display session fast-drop table ipv6 to display IPv6 unicast deny session entries.
Syntax
In standalone mode:
display session fast-drop table ipv6 [ { destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port } * ] [ slot slot-number [ cpu cpu-number ] ] [ verbose ]
In IRF mode:
display session fast-drop table ipv6 [ { destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port } * ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
destination-ip start-destination-ip [ end-destination-ip ]: Specifies a destination IPv6 address or IPv6 address range for a unicast deny session from the initiator to the responder. The start-destination-ip argument specifies the start destination IPv6 address. The end-destination-ip argument specifies the end destination IPv6 address.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a unicast deny session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.
protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv6 transport layer protocol, including DCCP, ICMP, Raw IP, SCTP, TCP, UDP, and UDP-Lite.
source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv6 address or IPv6 address range for a unicast deny session from the initiator to the responder. The start-source-ip argument specifies the start source IPv6 address. The end-source-ip argument specifies the end source IPv6 address.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a unicast deny session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information on all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
verbose: Displays detailed information about IPv6 unicast deny session entries. If you do not specify this keyword, the command displays brief information about IPv6 unicast deny session entries.
Usage guidelines
If you do not specify any parameters, this command displays all IPv6 unicast deny session entries.
Examples
# (In standalone mode.) Display brief information about all IPv6 unicast deny session entries.
<Sysname> display session fast-drop table ipv6
Slot 1:
Initiator:
Source IP/port: 2011::2/58473
Destination IP/port: 2011::8/32768
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Total deny session found: 1
# (In standalone mode.) Display detailed information about all IPv6 unicast deny session entries.
<Sysname> display session fast-drop table ipv6 verbose
Slot 1:
Initiator:
Source IP/port: 2011::2/58473
Destination IP/port: 2011::8/32768
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: 192.168.1.55/22
Destination IP/port: 192.168.1.18/1877
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Local
State: TCP_SYN_SENT
FPGA state: TCP_SYN_SENT
Application: SSH
Rule ID: 1
Rule name: test
Start time: 2011-07-29 19:12:36 TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Total deny session found: 1
Table 7 Command output
Field | Description |
---|---|
Initiator | Information about the unicast deny session from the initiator to the responder. |
Responder | Information about the unicast deny session from the responder to the initiator. |
DS-Lite tunnel peer | Address of the DS-Lite tunnel peer. When the unicast deny session is not tunneled by DS-Lite, this field displays a hyphen (-). |
VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the unicast deny session belongs. VLAN and inline to which the unicast deny session belongs during Layer 2 forwarding. If a parameter is not specified, a hyphen (-) is displayed for the proper field. |
Protocol | Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, UDP-Lite. The number in the brackets indicates the protocol number. |
Inbound interface | Interface on which packets are received. |
Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
State | Unicast deny session state. |
FPGA state | Logical session state. If the logical session state cannot be obtained, this field displays NA. If hardware fast forwarding is disabled, this field is not displayed. |
Application | Application layer protocol, FTP or DNS. If it is an unknown protocol identified by an unknown port, this field displays OTHER. |
Rule ID | ID of the security policy rule. |
Rule name | Name of the security policy rule. |
Start time | Unicast deny session establishment time. |
TTL | Remaining lifetime of the unicast deny session, in seconds. |
Initiator->Responder | Number of packets and bytes from the initiator to the responder. |
Responder->Initiator | Number of packets and bytes from the responder to the initiator. |
Total deny session found | Total number of found unicast deny session entries. |
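The following is an added example, not part of the vendor documentation: a Python parser that turns captured output of display session fast-drop table ipv4 or ipv6 (brief or verbose) into records for triage, using the field names documented in the tables above. The function names, the sample text and the column padding in it are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed samples (made-up addresses, rule, counters); column padding is assumed.
VERBOSE_V4 = """\
<Sysname> display session fast-drop table ipv4 verbose
Slot 1:
Initiator:
  Source      IP/port: 192.0.2.18/1877
  Destination IP/port: 192.0.2.55/22
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: Trust
Responder:
  Source      IP/port: 192.0.2.55/22
  Destination IP/port: 192.0.2.18/1877
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: Local
State: TCP_SYN_SENT
Application: SSH
Rule ID: 1
Rule name: test
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder:            1 packets         48 bytes
Responder->Initiator:            0 packets          0 bytes
Total deny session found: 1
"""
# Brief form, abbreviated to the fields the summary needs.
BRIEF_V6 = """\
Slot 1:
Initiator:
  Source      IP/port: 2001:db8::2/58473
  Destination IP/port: 2001:db8::8/32768
  Protocol: TCP(6)
Initiator:
  Source      IP/port: 2001:db8::2/58474
  Destination IP/port: 2001:db8::8/32768
  Protocol: TCP(6)
Total deny session found: 2
"""
ENTRY_KEYS = {"State", "FPGA state", "Application", "Rule ID", "Rule name"}

def _ip_port(value):
    """Split on the last '/', so IPv6 colons stay intact; a '-' port becomes None."""
    ip, _, port = value.rpartition("/")
    return {"ip": ip, "port": int(port) if port.isdigit() else None}

def parse_deny_sessions(text):
    """Return (entries, reported_total) for brief or verbose fast-drop table output."""
    entries, slot, entry, side, total = [], None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):        # blank line or echoed prompt
            continue
        if re.fullmatch(r"Slot \d+(?: in chassis \d+)?:", line):
            slot = line[:-1]
        elif line == "Initiator:":                   # each entry opens with this block
            side, entry = "initiator", {"slot": slot, "initiator": {}, "responder": {}}
            entries.append(entry)
        elif line == "Responder:":
            side = "responder"
        else:
            key, _, value = line.partition(":")      # field names contain no colon
            key, value = " ".join(key.split()), value.strip()
            if key == "Total deny session found":
                total = int(value)
            elif entry is None:
                continue
            elif key == "Start time":                # "Start time" and "TTL" share a line
                m = re.fullmatch(r"(.+?)\s+TTL:\s*(\d+)s", value)
                entry["start"], entry["ttl_s"] = (m[1], int(m[2])) if m else (value, None)
            elif "->" in key:                        # per-direction packet/byte counters
                m = re.fullmatch(r"(\d+)\s+packets\s+(\d+)\s+bytes", value)
                entry[key] = {"packets": int(m[1]), "bytes": int(m[2])} if m else value
            elif key in ENTRY_KEYS:
                entry[key] = value
            else:
                entry[side][key] = _ip_port(value) if key.endswith("IP/port") else value
    return entries, total

def deny_hotspots(entries):
    """Count entries per (source IP, destination IP, destination port, rule name)."""
    hits = Counter()
    for e in entries:
        src = e["initiator"].get("Source IP/port", {})
        dst = e["initiator"].get("Destination IP/port", {})
        hits[(src.get("ip"), dst.get("ip"), dst.get("port"), e.get("Rule name"))] += 1
    return hits

def capture_is_complete(text):
    """True when the parsed entry count equals the 'Total deny session found' line."""
    entries, total = parse_deny_sessions(text)
    return total is not None and len(entries) == total
```

Comparing the parsed entry count with the Total deny session found line catches captures that were truncated by paging or a dropped terminal session before they are used as evidence.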
display session fast-drop top-statistics
Use display session fast-drop top-statistics to display top deny session statistics.
Syntax
display session fast-drop top-statistics { last-1-hour | last-24-hours | last-30-days }
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
last-1-hour: Displays top deny session statistics in the last hour.
last-24-hours: Displays top deny session statistics in the last 24 hours.
last-30-days: Displays top deny session statistics in the last 30 days.
Usage guidelines
Non-default vSystems do not support this command.
This command displays nothing if the top deny session statistics feature is disabled. A maximum of 10 session items can be displayed.
Examples
# Display top deny session statistics in the last hour.
<Sysname> display session fast-drop top-statistics last-1-hour
Counting by source addresses:
No. Source address Sessions
1 8.1.1.1 6085
2 111.15.111.16 10
3 6::2 2
Counting by destination addresses:
No. Destination address Sessions
1 8.1.1.2 6085
2 6::3 2
3 30.1.1.8 1
4 30.1.1.4 1
5 30.1.1.11 1
6 30.1.1.9 1
7 30.1.1.6 1
8 30.1.1.5 1
9 30.1.1.7 1
10 30.1.1.3 1
Table 8 Command output
Field | Description |
---|---|
Counting by source addresses | Top deny session statistics based on source addresses. |
Counting by destination addresses | Top deny session statistics based on destination addresses. |
No. | Ranking number. |
Source address | Source IP address of the deny sessions. |
Destination address | Destination IP address of the deny sessions. |
Sessions | Total number of deny sessions. |
Related commands
session fast-drop enable
session fast-drop top-statistics enable
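The following is an added example, not part of the vendor documentation: a Python parser for captured display session fast-drop top-statistics output that ranks IPv4 and IPv6 addresses and reports which ones account for most of the listed deny sessions. The function names, thresholds and sample values are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample in the layout of the example output above (made-up values).
SAMPLE = """\
<Sysname> display session fast-drop top-statistics last-1-hour
Counting by source addresses:
No.  Source address        Sessions
1    198.51.100.1          6085
2    203.0.113.16          10
3    2001:db8::2           2
Counting by destination addresses:
No.  Destination address   Sessions
1    192.0.2.2             6085
2    2001:db8::3           2
3    192.0.2.8             1
"""

ROW = re.compile(r"(\d+)\s+(\S+)\s+(\d+)")

def parse_top_statistics(text):
    """Return {'source': [(rank, ip, sessions), ...], 'destination': [...]}.

    The command displays nothing when the top deny session statistics feature
    is disabled, so empty input yields two empty lists rather than an error.
    """
    result = {"source": [], "destination": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"Counting by (source|destination) addresses:", line)
        if header:
            section = header.group(1)
            continue
        row = ROW.fullmatch(line)
        if section and row:
            try:
                ip = ipaddress.ip_address(row.group(2))   # accepts IPv4 and IPv6
            except ValueError:
                continue                                  # not an address row
            result[section].append((int(row.group(1)), ip, int(row.group(3))))
    return result

def dominant(rows, min_sessions=100, min_share=0.5):
    """Addresses holding at least min_share of the listed deny sessions.

    The share is relative to the rows shown (at most 10 items are displayed),
    not to all deny sessions on the device.
    """
    total = sum(n for _, _, n in rows)
    if not total:
        return []
    return [(str(ip), n, round(n / total, 3)) for _, ip, n in rows
            if n >= min_sessions and n / total >= min_share]

if __name__ == "__main__":
    stats = parse_top_statistics(SAMPLE)
    for direction, rows in stats.items():
        for addr, sessions, share in dominant(rows):
            print(f"{direction}: {addr} holds {share:.1%} of listed deny sessions ({sessions})")
```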
display session relation-table
Use display session relation-table to display relation entries.
Syntax
In standalone mode:
display session relation-table { ipv4 | ipv6 } [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display session relation-table { ipv4 | ipv6 } [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
ipv4: Specifies IPv4 relation entries.
ipv6: Specifies IPv6 relation entries.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays relation entries for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays relation entries for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display all IPv4 relation entries.
<Sysname> display session relation-table ipv4
Slot 1:
Source IP/port: 192.168.1.100/-
Destination IP/port: 192.168.2.100/99
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: 1/-/-
Protocol: TCP(6) TTL: 1234s App: FTP-DATA
Source IP/port: -/-
Destination IP/port: 192.168.2.200/1212
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: 1/-/-
Protocol: TCP(6) TTL: 3100s App: H225
Total entries found: 2
# (In standalone mode.) Display all IPv6 relation entries.
<Sysname> display session relation-table ipv6
Slot 1:
Source IP: 2011::0002
Destination IP/port: 2011::0008/1212
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6) TTL: 567s App: FTP-DATA
Total entries found: 1
Table 9 Command output
Field | Description |
---|---|
Source IP/port | Source IP address and port number of the session. If the IP or port number is not specified, this field displays a hyphen (-). For an IPv6 relation entry, the source port number is not displayed. |
Destination IP/port | Destination IP address and port number of the session. |
DS-Lite tunnel peer | Peer tunnel interface address of the DS-Lite tunnel to which the session belongs. If no peer tunnel interface address is specified, a hyphen (-) is displayed. |
VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the relation entry belongs. VLAN and inline to which the relation entry belongs during Layer 2 forwarding. If a parameter is not specified, a hyphen (-) is displayed for the proper field. |
Protocol | Transport layer protocol. |
TTL | Remaining lifetime of the relation entry, in seconds. |
App | Application layer protocol. |
Total entries found | Total number of found relation entries. |
display session statistics
Use display session statistics to display unicast session statistics.
Syntax
In standalone mode:
display session statistics [ history-max | summary ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display session statistics [ history-max | summary ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
history-max: Displays history statistics of the maximum unicast sessions and the maximum unicast session establishment rates. If you do not specify this keyword, the command displays all unicast session statistics.
summary: Displays summary information about unicast session statistics. If you do not specify this keyword, the command displays detailed information about unicast session statistics.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays unicast session statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays unicast session statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
If you do not specify any parameters, this command displays detailed information about the current unicast session statistics.
Examples
# Display detailed information about unicast session statistics.
<Sysname> display session statistics
Slot 1:
Current sessions: 3
TCP sessions: 0
UDP sessions: 0
ICMP sessions: 3
ICMPv6 sessions: 0
UDP-Lite sessions: 0
SCTP sessions: 0
DCCP sessions: 0
RAWIP sessions: 0
DNS sessions: 0
FTP sessions: 0
GTP sessions: 0
H323 sessions: 0
HTTP sessions: 0
ILS sessions: 0
MGCP sessions: 0
NBT sessions: 0
PPTP sessions: 0
RSH sessions: 0
RTSP sessions: 0
SCCP sessions: 0
SIP sessions: 0
SMTP sessions: 0
SQLNET sessions: 0
SSH sessions: 0
TELNET sessions: 0
TFTP sessions: 0
XDMCP sessions: 0
History average sessions per second:
Past hour: 1
Past 24 hours: 0
Past 30 days: 0
History average session establishment rate:
Past hour: 0/s
Past 24 hours: 0/s
Past 30 days: 0/s
Current relation-table entries: 0
Relation table establishment rate: 0/s
Session establishment rate: 0/s
TCP: 0/s
UDP: 0/s
ICMP: 0/s
ICMPv6: 0/s
UDP-Lite: 0/s
SCTP: 0/s
DCCP: 0/s
RAWIP: 0/s
Received TCP : 0 packets 0 bytes
Received UDP : 118 packets 13568 bytes
Received ICMP : 105 packets 8652 bytes
Received ICMPv6 : 0 packets 0 bytes
Received UDP-Lite : 0 packets 0 bytes
Received SCTP : 0 packets 0 bytes
Received DCCP : 0 packets 0 bytes
Received RAWIP : 0 packets 0 bytes
Table 10 Command output
Field | Description |
---|---|
Current sessions | Total number of unicast sessions. |
TCP sessions | Number of TCP sessions. |
UDP sessions | Number of UDP sessions. |
ICMP sessions | Number of ICMP sessions. |
ICMPv6 sessions | Number of ICMPv6 sessions. |
UDP-Lite sessions | Number of UDP-Lite sessions. |
SCTP sessions | Number of SCTP sessions. |
DCCP sessions | Number of DCCP sessions. |
RAWIP sessions | Number of Raw IP sessions. |
DNS sessions | Number of DNS unicast sessions. |
FTP sessions | Number of FTP unicast sessions. |
GTP sessions | Number of GTP unicast sessions. |
H323 sessions | Number of H.323 unicast sessions. |
HTTP sessions | Number of HTTP unicast sessions. |
ILS sessions | Number of ILS unicast sessions. |
MGCP sessions | Number of MGCP unicast sessions. |
NBT sessions | Number of NBT unicast sessions. |
PPTP sessions | Number of PPTP unicast sessions. |
RSH sessions | Number of RSH unicast sessions. |
RTSP sessions | Number of RTSP unicast sessions. |
SCCP sessions | Number of SCCP unicast sessions. |
SIP sessions | Number of SIP unicast sessions. |
SMTP sessions | Number of SMTP unicast sessions. |
SQLNET sessions | Number of SQLNET unicast sessions. |
SSH sessions | Number of SSH unicast sessions. |
TELNET sessions | Number of Telnet unicast sessions. |
TFTP sessions | Number of TFTP unicast sessions. |
XDMCP sessions | Number of XDMCP unicast sessions. |
History average sessions per second | History statistics of average sessions per second. |
Past hour | The average number of sessions per second in the most recent hour. |
Past 24 hours | The average number of sessions per second in the most recent 24 hours. |
Past 30 days | The average number of sessions per second in the most recent 30 days. |
History average session establishment rate | History statistics of average session establishment rates. |
Past hour | The average session establishment rate in the most recent hour. |
Past 24 hours | The average session establishment rate in the most recent 24 hours. |
Past 30 days | The average session establishment rate in the most recent 30 days. |
Current relation-table entries | Total number of relation entries. |
Relation table establishment rate | Rate of relation table establishment. |
Session establishment rate | Unicast session establishment rate, and rates for establishing unicast sessions of different protocols. |
Received TCP | Number of received TCP packets and bytes. |
Received UDP | Number of received UDP packets and bytes. |
Received ICMP | Number of received ICMP packets and bytes. |
Received ICMPv6 | Number of received ICMPv6 packets and bytes. |
Received UDP-Lite | Number of received UDP-Lite packets and bytes. |
Received SCTP | Number of received SCTP packets and bytes. |
Received DCCP | Number of received DCCP packets and bytes. |
Received RAWIP | Number of received Raw IP packets and bytes. |
# (In standalone mode.) Display summary information about unicast session statistics.
<Sysname> display session statistics summary
Slot CPU Sessions TCP UDP Rate TCP rate UDP rate
1 1 3 0 0 0/s 0/s 0/s
Table 11 Command output
Field | Description |
---|---|
Sessions | Total number of unicast sessions. |
TCP | Number of TCP unicast sessions. |
UDP | Number of UDP unicast sessions. |
Rate | Rate of unicast session creation. |
TCP rate | Rate of TCP unicast session creation. |
UDP rate | Rate of UDP unicast session creation. |
# (In standalone mode.) Display history statistics of the maximum unicast sessions and maximum unicast session establishment rates.
<Sysname> display session statistics history-max
CPU 1 on slot 1
Max sessions: 20084 Time: 2017-03-04 12:03:53
Max session establishment rate: 9080/s Time: 2017-03-04 12:03:53
Max TCP sessions: 20084 Time: 2017-03-04 12:03:53
Max TCP session establishment rate: 9080/s Time: 2017-03-04 12:03:53
Max UDP sessions: 0 Time: 2017-03-04 12:03:53
Max UDP session establishment rate: 0 Time: 2017-03-04 12:03:53
Table 12 Command output
Field | Description |
---|---|
Max sessions | History statistics of the maximum unicast sessions. |
Max session establishment rate | History statistics of the maximum rate at which unicast sessions were created. |
Max TCP sessions | History statistics of the maximum TCP unicast sessions. |
Max TCP session establishment rate | History statistics of the maximum rate at which TCP unicast sessions were created. |
Max UDP sessions | History statistics of the maximum UDP unicast sessions. |
Max UDP session establishment rate | History statistics of the maximum rate at which UDP unicast sessions were created. |
display session statistics flow-redirect
Use display session statistics flow-redirect to display statistics about redirected sessions.
Syntax
In standalone mode:
display session statistics flow-redirect { message | packet | session } [ slot slot-number cpu cpu-number ]
In IRF mode:
display session statistics flow-redirect { message | packet | session } [ chassis chassis-number slot slot-number cpu cpu-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
message: Displays message statistics about redirected sessions.
packet: Displays packet statistics about redirected sessions.
session: Displays session statistics about redirected sessions.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays redirected session statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays redirected session statistics for all cards. (In IRF mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device or specifies a PEX. The chassis-number argument represents the member ID of the IRF member device or the virtual chassis number of the PEX. The slot-number argument represents the slot number of the card or PEX. On an IRF fabric, this command displays redirected session statistics for all cards if you do not specify a card. On an IRF 3 system, this command displays session flow redirection statistics for all cards and PEXs if you do not specify a card or PEX. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
Redirected sessions are sessions generated by the session flow redirection feature.
For this command to display statistics, make sure the session flow redirection feature is enabled.
Examples
# Display message statistics about redirected sessions.
<Sysname> display session statistics flow-redirect message
Chassis Slot CPU RecvMsg SentMsg
1 0 1 90 2
1 1 1 2 90
1 5 0 0 0
2 0 0 0 0
2 4 1 10 3
2 5 1 4 10
Table 13 Command output
Field | Description |
---|---|
RecvMsg | Number of messages received through redirected sessions. |
SentMsg | Number of messages sent through redirected sessions. |
# Display packet statistics about redirected sessions.
<Sysname> display session statistics flow-redirect packet
Chassis Slot CPU RecvPkts SentPkts
1 0 1 90 2
1 1 1 2 90
1 5 0 0 0
2 0 0 0 0
2 4 1 10 3
2 5 1 4 10
Table 14 Command output
Field | Description |
---|---|
RecvPkts | Number of packets received through redirected sessions. |
SentPkts | Number of packets sent through redirected sessions. |
# Display session statistics about redirected sessions.
<Sysname> display session statistics flow-redirect session
Chassis Slot CPU Out Resent In InRate InHotback InHotbackRate
1 0 1 0 7 0 0 0 0
1 1 1 7 0 1 0 0 0
1 5 0 0 0 0 0 0 0
2 0 0 0 0 0 0 0 0
2 4 1 0 571 2 0 0 0
2 5 1 571 0 0 0 1 0
Table 15 Command output
Field | Description |
---|---|
Out | Number of sent redirected sessions. |
Resent | Number of resent redirected sessions. |
In | Number of received redirected sessions. |
InRate | Rate at which received redirected sessions were created. |
InHotback | Number of received synchronized sessions. |
InHotbackRate | Rate at which received synchronized sessions were created. |
Related commands
session flow-redirect enable
display session statistics ipv4
Use display session statistics ipv4 to display IPv4 unicast session statistics.
Syntax
In standalone mode:
display session statistics ipv4 [ [ responder ] { application application-name | destination-ip destination-ip | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | dns | ftp | gtp | h323 | http | icmp | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | security-policy-rule rule-name | source-ip source-ip | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display session statistics ipv4 [ [ responder ] { application application-name | destination-ip destination-ip | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | dns | ftp | gtp | h323 | http | icmp | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | security-policy-rule rule-name | source-ip source-ip | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
responder: Displays statistics about IPv4 unicast sessions from the responder to the initiator. If you do not specify this keyword, the command displays statistics about IPv4 unicast sessions from the initiator to the responder.
application application-name: Specifies an application protocol by its name. The application-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
destination-ip destination-ip: Specifies a destination IPv4 address for a unicast session.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of an IPv4 unicast session. The value range for the destination-port argument is 0 to 65535.
destination-zone destination-zone-name: Specifies a destination security zone by its name, a case-insensitive string of 1 to 31 characters.
interface interface-type interface-number: Specifies an interface by its type and number.
protocol { dccp | dns | ftp | gtp | h323 | http | icmp | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp }: Specifies an IPv4 protocol.
security-policy-rule rule-name: Specifies a security policy rule by its name for session filtering. The rule-name argument represents the name of the security policy rule, a case-sensitive string of 1 to 127 characters.
source-ip source-ip: Specifies a source IPv4 address for a unicast session.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of an IPv4 unicast session. The value range for the source-port argument is 0 to 65535.
source-zone source-zone-name: Specifies a source security zone by its name, a case-insensitive string of 1 to 31 characters.
state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready }: Specifies a protocol state.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv4 unicast session statistics in the public network.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv4 unicast session statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv4 unicast session statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
If you do not specify any parameters, this command displays all IPv4 unicast session statistics.
Examples
# Display statistics for unicast sessions from IP address 111.15.111.66.
<Sysname> display session statistics ipv4 source-ip 111.15.111.66
CPU 1 on slot 1:
Current sessions: 3
TCP sessions: 0
UDP sessions: 0
ICMP sessions: 3
UDP-Lite sessions: 0
SCTP sessions: 0
DCCP sessions: 0
RAWIP sessions: 0
DNS sessions: 0
FTP sessions: 0
GTP sessions: 0
H323 sessions: 0
HTTP sessions: 0
ILS sessions: 0
MGCP sessions: 0
NBT sessions: 0
PPTP sessions: 0
RSH sessions: 0
RTSP sessions: 0
SCCP sessions: 0
SIP sessions: 0
SMTP sessions: 0
SQLNET sessions: 0
SSH sessions: 0
TELNET sessions: 0
TFTP sessions: 0
XDMCP sessions: 0
# Display statistics for IPv4 unicast TCP sessions.
<Sysname> display session statistics ipv4 protocol tcp
CPU 1 on slot 1:
Current sessions: 3
TCP sessions: 3
Table 16 Command output
Field | Description |
---|---|
Current sessions | Total number of unicast sessions. |
TCP sessions | Number of TCP unicast sessions. |
UDP sessions | Number of UDP unicast sessions. |
ICMP sessions | Number of ICMP unicast sessions. |
UDP-Lite sessions | Number of UDP-Lite unicast sessions. |
SCTP sessions | Number of SCTP unicast sessions. |
DCCP sessions | Number of DCCP unicast sessions. |
RAWIP sessions | Number of Raw IP unicast sessions. |
DNS sessions | Number of DNS unicast sessions. |
FTP sessions | Number of FTP unicast sessions. |
GTP sessions | Number of GTP unicast sessions. |
H323 sessions | Number of H.323 unicast sessions. |
HTTP sessions | Number of HTTP unicast sessions. |
ILS sessions | Number of ILS unicast sessions. |
MGCP sessions | Number of MGCP unicast sessions. |
NBT sessions | Number of NBT unicast sessions. |
PPTP sessions | Number of PPTP unicast sessions. |
RSH sessions | Number of RSH unicast sessions. |
RTSP sessions | Number of RTSP unicast sessions. |
SCCP sessions | Number of SCCP unicast sessions. |
SIP sessions | Number of SIP unicast sessions. |
SMTP sessions | Number of SMTP unicast sessions. |
SQLNET sessions | Number of SQLNET unicast sessions. |
SSH sessions | Number of SSH unicast sessions. |
TELNET sessions | Number of Telnet unicast sessions. |
TFTP sessions | Number of TFTP unicast sessions. |
XDMCP sessions | Number of XDMCP unicast sessions. |
display session statistics ipv6
Use display session statistics ipv6 to display IPv6 unicast session statistics.
Syntax
In standalone mode:
display session statistics ipv6 [ [ responder ] { application application-name | destination-ip destination-ip | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | dns | ftp | gtp | h323 | http | icmpv6 | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | security-policy-rule rule-name | source-ip source-ip | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display session statistics ipv6 [ [ responder ] { application application-name | destination-ip destination-ip | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | dns | ftp | gtp | h323 | http | icmpv6 | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | security-policy-rule rule-name | source-ip source-ip | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
responder: Displays statistics about IPv6 unicast sessions from the responder to the initiator. If you do not specify this keyword, the command displays statistics about IPv6 unicast sessions from the initiator to the responder.
application application-name: Specifies an application protocol by its name. The application-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
destination-ip destination-ip: Specifies a destination IPv6 address for a unicast session.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of an IPv6 unicast session. The value range for the destination-port argument is 0 to 65535.
destination-zone destination-zone-name: Specifies a destination security zone by its name, a case-insensitive string of 1 to 31 characters.
interface interface-type interface-number: Specifies an interface by its type and number.
protocol { dccp | dns | ftp | gtp | h323 | http | icmpv6 | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp }: Specifies an IPv6 protocol.
security-policy-rule rule-name: Specifies a security policy rule by its name for session filtering. The rule-name argument represents the name of the security policy rule, a case-sensitive string of 1 to 127 characters.
source-ip source-ip: Specifies a source IPv6 address for a unicast session.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of an IPv6 unicast session. The value range for the source-port argument is 0 to 65535.
source-zone source-zone-name: Specifies a source security zone by its name, a case-insensitive string of 1 to 31 characters.
state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready }: Specifies a protocol state.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv6 unicast session statistics in the public network.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 unicast session statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 unicast session statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# Display statistics for unicast sessions from IPv6 address 100::2.
<Sysname> display session statistics ipv6 source-ip 100::2
CPU 1 on slot 1:
Current sessions: 3
TCP sessions: 0
UDP sessions: 0
ICMPv6 sessions: 3
UDP-Lite sessions: 0
SCTP sessions: 0
DCCP sessions: 0
RAWIP sessions: 0
DNS sessions: 0
FTP sessions: 0
GTP sessions: 0
H323 sessions: 0
HTTP sessions: 0
ILS sessions: 0
MGCP sessions: 0
NBT sessions: 0
PPTP sessions: 0
RSH sessions: 0
RTSP sessions: 0
SCCP sessions: 0
SIP sessions: 0
SMTP sessions: 0
SQLNET sessions: 0
SSH sessions: 0
TELNET sessions: 0
TFTP sessions: 0
XDMCP sessions: 0
# Display statistics for IPv6 unicast TCP sessions.
<Sysname> display session statistics ipv6 protocol tcp
CPU 1 on slot 1:
Current sessions: 3
TCP sessions: 3
Table 17 Command output
Field | Description |
---|---|
Current sessions | Total number of unicast sessions. |
TCP sessions | Number of TCP unicast sessions. |
UDP sessions | Number of UDP unicast sessions. |
ICMPv6 sessions | Number of ICMPv6 unicast sessions. |
UDP-Lite sessions | Number of UDP-Lite unicast sessions. |
SCTP sessions | Number of SCTP unicast sessions. |
DCCP sessions | Number of DCCP unicast sessions. |
RAWIP sessions | Number of Raw IP unicast sessions. |
DNS sessions | Number of DNS unicast sessions. |
FTP sessions | Number of FTP unicast sessions. |
GTP sessions | Number of GTP unicast sessions. |
H323 sessions | Number of H.323 unicast sessions. |
HTTP sessions | Number of HTTP unicast sessions. |
ILS sessions | Number of ILS unicast sessions. |
MGCP sessions | Number of MGCP unicast sessions. |
NBT sessions | Number of NBT unicast sessions. |
PPTP sessions | Number of PPTP unicast sessions. |
RSH sessions | Number of RSH unicast sessions. |
RTSP sessions | Number of RTSP unicast sessions. |
SCCP sessions | Number of SCCP unicast sessions. |
SIP sessions | Number of SIP unicast sessions. |
SMTP sessions | Number of SMTP unicast sessions. |
SQLNET sessions | Number of SQLNET unicast sessions. |
SSH sessions | Number of SSH unicast sessions. |
TELNET sessions | Number of Telnet unicast sessions. |
TFTP sessions | Number of TFTP unicast sessions. |
XDMCP sessions | Number of XDMCP unicast sessions. |
display session statistics multicast
Use display session statistics multicast to display multicast session statistics.
Syntax
In standalone mode:
display session statistics multicast [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display session statistics multicast [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays multicast session statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays multicast session statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display information about multicast session statistics.
<Sysname> display session statistics multicast
Slot 1:
Current sessions: 0
Session establishment rate: 0/s
History max sessions: 0 Time: 2017-04-25 11:28:00
History max session establishment rate: 0/s Time: 2017-04-25 11:28:00
Received: 0 packets 0 bytes
Sent : 0 packets 0 bytes
Table 18 Command output
Field | Description |
---|---|
Current sessions | Total number of multicast sessions. |
Session establishment rate | Rate of multicast session creation. |
History max sessions | History statistics of the maximum multicast sessions. |
History max session establishment rate | History statistics of the maximum rate at which multicast sessions were created. |
Received | Number of received multicast packets and bytes. |
Sent | Number of sent multicast packets and bytes. |
display session table ipv4
Use display session table ipv4 to display information about IPv4 unicast session entries that match specific criteria.
Syntax
In standalone mode:
display session table ipv4 [ slot slot-number [ cpu cpu-number ] ] [ [ responder ] { application application-name | destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | security-policy-rule rule-name | security-policy-rule-id rule-id | source-ip start-source-ip [ end-source-ip ] | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ verbose ]
In IRF mode:
display session table ipv4 [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ [ responder ] { application application-name | destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | security-policy-rule rule-name | security-policy-rule-id rule-id | source-ip start-source-ip [ end-source-ip ] | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
responder: Displays entries of IPv4 unicast sessions from the responder to the initiator. If you do not specify this keyword, the command displays entries of IPv4 unicast sessions from the initiator to the responder.
application application-name: Specifies an application protocol by its name. The application-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
destination-ip start-destination-ip [ end-destination-ip ]: Specifies a destination IPv4 address or IPv4 address range for a unicast session. The start-destination-ip argument specifies the start destination IPv4 address. The end-destination-ip argument specifies the end destination IPv4 address.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a unicast session. The value range for the destination-port argument is 0 to 65535.
destination-zone destination-zone-name: Specifies a destination security zone by its name, a case-insensitive string of 1 to 31 characters.
interface interface-type interface-number: Specifies an interface by its type and number.
protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv4 transport layer protocol, including DCCP, ICMP, Raw IP, SCTP, TCP, UDP, and UDP-Lite.
security-policy-rule rule-name: Specifies a security policy rule by its name for session filtering. The rule-name argument represents the name of the security policy rule, a case-sensitive string of 1 to 127 characters.
security-policy-rule-id rule-id: Specifies a security policy rule by its ID in the range of 0 to 4294967290.
source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv4 address or IPv4 address range for a unicast session. The start-source-ip argument specifies the start source IPv4 address. The end-source-ip argument specifies the end source IPv4 address.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a unicast session. The value range for the source-port argument is 0 to 65535.
source-zone source-zone-name: Specifies a source security zone by its name, a case-insensitive string of 1 to 31 characters.
state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready }: Specifies a protocol state.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv4 unicast session entries in the public network.
verbose: Displays detailed information about IPv4 unicast session entries. If you do not specify this keyword, the command displays brief information about IPv4 unicast session entries.
Usage guidelines
If you do not specify any parameters, this command displays all IPv4 unicast session entries.
Examples
# (In standalone mode.) Display brief information about all IPv4 unicast session entries.
<Sysname> display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Total sessions found: 1
# (In standalone mode.) Display detailed information about all IPv4 unicast session entries.
<Sysname> display session table ipv4 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer:-
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: 192.168.1.55/22
Destination IP/port: 192.168.1.18/1877
DS-Lite tunnel peer:-
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Local
State: TCP_SYN_SENT
FPGA state: TCP_SYN_SENT
Application: SSH
Rule ID: 1
Rule name: test
Start time: 2011-07-29 19:12:36 TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
Table 19 Command output
Field | Description |
---|---|
Initiator | Information about the unicast session from the initiator to the responder. |
Responder | Information about the unicast session from the responder to the initiator. |
DS-Lite tunnel peer | Address of the DS-Lite tunnel peer. When the unicast session does not belong to any DS-Lite tunnel, this field displays a hyphen (-). |
VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the unicast session belongs. VLAN and inline to which the session belongs during Layer 2 forwarding. If a parameter is not specified, a hyphen (-) is displayed in the corresponding field. |
Protocol | Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in the brackets indicates the protocol number. |
Inbound interface | Interface on which packets are received. |
Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
State | Unicast session state. |
FPGA state | Logical session state. If the logical session state cannot be obtained, this field displays NA. If hardware fast forwarding is disabled, this field is not displayed. |
Application | Application layer protocol, for example, FTP or DNS. If it is an unknown protocol identified by an unknown port, this field displays OTHER. |
Rule ID | ID of the security policy rule. |
Rule name | Name of the security policy rule. |
Start time | Unicast session establishment time. |
TTL | Remaining lifetime of the unicast session, in seconds. |
Initiator->Responder | Number of packets and bytes from the initiator to the responder. |
Responder->Initiator | Number of packets and bytes from the responder to the initiator. |
Total sessions found | Total number of found unicast session entries. |
display session table ipv6
Use display session table ipv6 to display information about IPv6 unicast session entries that match specific criteria.
Syntax
In standalone mode:
display session table ipv6 [ slot slot-number [ cpu cpu-number ] ] [ [ responder ] { application application-name | destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | security-policy-rule rule-name | security-policy-rule-id rule-id | source-ip start-source-ip [ end-source-ip ] | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ verbose ]
In IRF mode:
display session table ipv6 [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ [ responder ] { application application-name | destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | destination-zone destination-zone-name | interface interface-type interface-number | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | security-policy-rule rule-name | security-policy-rule-id rule-id | source-ip start-source-ip [ end-source-ip ] | source-port source-port | source-zone source-zone-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
responder: Displays entries of IPv6 unicast sessions from the responder to the initiator. If you do not specify this keyword, the command displays entries of IPv6 unicast sessions from the initiator to the responder.
application application-name: Specifies an application protocol by its name. The application-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.
destination-ip start-destination-ip [ end-destination-ip ]: Specifies a destination IPv6 address or IPv6 address range for a unicast session. The start-destination-ip argument specifies the start destination IPv6 address. The end-destination-ip argument specifies the end destination IPv6 address.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a unicast session. The value range for the destination-port argument is 0 to 65535.
destination-zone destination-zone-name: Specifies a destination security zone by its name, a case-insensitive string of 1 to 31 characters.
interface interface-type interface-number: Specifies an interface by its type and number.
protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv6 transport layer protocol, including DCCP, ICMPv6, Raw IP, SCTP, TCP, UDP, and UDP-Lite.
security-policy-rule rule-name: Specifies a security policy rule by its name for session filtering. The rule-name argument represents the name of the security policy rule, a case-sensitive string of 1 to 127 characters.
security-policy-rule-id rule-id: Specifies a security policy rule by its ID in the range of 0 to 4294967290.
source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv6 address or IPv6 address range for a unicast session. The start-source-ip argument specifies the start source IPv6 address. The end-source-ip argument specifies the end source IPv6 address.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a unicast session. The value range for the source-port argument is 0 to 65535.
source-zone source-zone-name: Specifies a source security zone by its name, a case-insensitive string of 1 to 31 characters.
state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready }: Specifies a protocol state.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays IPv6 unicast session entries in the public network.
verbose: Displays detailed information about IPv6 unicast session entries. If you do not specify this keyword, the command displays brief information about IPv6 unicast session entries.
Usage guidelines
If you do not specify any parameters, this command displays all IPv6 unicast session entries.
Examples
# (In standalone mode.) Display brief information about all IPv6 unicast session entries.
<Sysname> display session table ipv6
Slot 1:
Initiator:
Source IP/port: 2011::2/58473
Destination IP/port: 2011::8/32768
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: IPV6-ICMP(58)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Total sessions found: 1
# (In standalone mode.) Display detailed information about all IPv6 unicast session entries.
<Sysname> display session table ipv6 verbose
Slot 1:
Initiator:
Source IP/port: 2011::2/58473
Destination IP/port: 2011::8/32768
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: IPV6-ICMP(58)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: 2011::8/58473
Destination IP/port: 2011::2/33024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: IPV6-ICMP(58)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Local
State: ICMPV6_REQUEST
FPGA state: ICMPV6_REQUEST
Application: OTHER
Rule ID: 1
Rule name: test
Start time: 2011-07-29 19:23:41 TTL: 55s
Initiator->Responder: 1 packets 104 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
Table 20 Command output
Field | Description |
---|---|
Initiator | Information about the unicast session from the initiator to the responder. |
Responder | Information about the unicast session from the responder to the initiator. |
DS-Lite tunnel peer | Address of the DS-Lite tunnel peer. When the unicast session is not tunneled by DS-Lite, this field displays a hyphen (-). |
VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the unicast session belongs. VLAN and inline to which the unicast session belongs during Layer 2 forwarding. If a parameter is not specified, a hyphen (-) is displayed for the corresponding field. |
Protocol | Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in the brackets indicates the protocol number. |
Inbound interface | Interface on which packets are received. |
Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
State | Unicast session state. |
FPGA state | Logical session state. If the logical session state cannot be obtained, this field displays NA. If hardware fast forwarding is disabled, this field is not displayed. |
Application | Application layer protocol, such as FTP or DNS. If it is an unknown protocol identified by an unknown port, this field displays OTHER. |
Rule ID | ID of the security policy rule. |
Rule name | Name of the security policy rule. |
Start time | Unicast session establishment time. |
TTL | Remaining lifetime of the unicast session, in seconds. |
Initiator->Responder | Number of packets and bytes from the initiator to the responder. |
Responder->Initiator | Number of packets and bytes from the responder to the initiator. |
Total sessions found | Total number of found unicast session entries. |
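The verbose unicast output documented above (IPv4 and IPv6 share one layout) can be saved and parsed offline for triage. The following Python script is an added example, not vendor code: it parses that layout into records and counts, per source address, zone and rule, the TCP sessions that sit in a SYN state with no reply packets. The sample input is constructed from the example entries on this page, and mapping output states such as TCP_SYN_SENT to the filter keywords (tcp-syn-sent) by lowercasing is an assumption.

```python
import re
from collections import Counter

# Layout of one verbose entry, following the example output on this page.
ENTRY = """\
Initiator:
Source IP/port: {src}/{sport}
Destination IP/port: {dst}/{dport}
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: {proto}
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: {dst}/{dport}
Destination IP/port: {src}/{sport}
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: {proto}
Inbound interface: GigabitEthernet1/0/2
Source security zone: Local
State: {state}
FPGA state: {state}
Application: {app}
Rule ID: 1
Rule name: test
Start time: 2011-07-29 19:12:36 TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
"""

# Constructed sample: the page's IPv4 entry, a second entry that differs only
# in source port, and an entry using the page's IPv6 addresses and state.
SAMPLE = "Slot 1:\n" + "".join(ENTRY.format(**e) for e in (
    dict(src="192.168.1.18", sport=1877, dst="192.168.1.55", dport=22,
         proto="TCP(6)", state="TCP_SYN_SENT", app="SSH"),
    dict(src="192.168.1.18", sport=1878, dst="192.168.1.55", dport=22,
         proto="TCP(6)", state="TCP_SYN_SENT", app="SSH"),
    dict(src="2011::2", sport=58473, dst="2011::8", dport=32768,
         proto="IPV6-ICMP(58)", state="ICMPV6_REQUEST", app="OTHER"),
)) + "Total sessions found: 3\n"

# Fields that belong to the Initiator or Responder block, not the session.
FLOW_KEYS = {"Source IP/port", "Destination IP/port", "DS-Lite tunnel peer",
             "VPN instance/VLAN ID/Inline ID", "Protocol",
             "Inbound interface", "Source security zone"}
# SYN-phase keywords from the command's state filter (assumed name mapping).
HALF_OPEN = {"tcp-syn-sent", "tcp-syn-recv", "tcp-syn-sent2"}


def parse_sessions(text):
    """Parse brief or verbose unicast session output into a list of dicts."""
    sessions, cur, side = [], None, None
    for raw in text.splitlines():
        # Split on the first colon only, so IPv6 addresses stay intact.
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Initiator" and sep:
            cur = {"initiator": {}, "responder": {}}
            sessions.append(cur)
            side = "initiator"
        elif cur is None or not sep:
            continue                      # slot header or unrelated line
        elif key == "Total sessions found":
            cur = None                    # footer closes the current slot
        elif key == "Responder":
            side = "responder"
        elif key in FLOW_KEYS:
            if key.endswith("IP/port"):
                addr, _, port = value.rpartition("/")
                value = (addr, int(port) if port.isdigit() else None)
            cur[side][key] = value
        elif key == "Start time":         # "<timestamp> TTL: <n>s" on one line
            m = re.fullmatch(r"(.+?)\s+TTL:\s*(\d+)s", value)
            cur["Start time"] = m.group(1) if m else value
            cur["TTL"] = int(m.group(2)) if m else None
        elif key in ("Initiator->Responder", "Responder->Initiator"):
            m = re.fullmatch(r"(\d+) packets (\d+) bytes", value)
            cur[key] = (int(m.group(1)), int(m.group(2))) if m else None
        else:
            cur[key] = value
    return sessions


def unanswered_half_open(sessions):
    """Count SYN-state TCP sessions with zero reply packets per source."""
    hits = Counter()
    for s in sessions:
        state = s.get("State", "").lower().replace("_", "-")
        replies = s.get("Responder->Initiator") or (0, 0)
        if state in HALF_OPEN and replies[0] == 0:
            ini = s["initiator"]
            src = ini.get("Source IP/port", (None, None))[0]
            hits[(src, ini.get("Source security zone"), s.get("Rule name"))] += 1
    return hits


if __name__ == "__main__":
    found = unanswered_half_open(parse_sessions(SAMPLE))
    for (src, zone, rule), n in found.most_common():
        print(f"{src} zone={zone} rule={rule}: {n} unanswered half-open session(s)")
```

A source that accumulates many such entries under one rule is worth comparing against the session alarm thresholds and the attack detection settings on the device.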
display session table multicast ipv4
Use display session table multicast ipv4 to display information about IPv4 multicast session entries that match specific criteria.
Syntax
In standalone mode:
display session table multicast ipv4 [ slot slot-number [ cpu cpu-number ] ] [ [ responder ] { destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port } * ] [ verbose ]
In IRF mode:
display session table multicast ipv4 [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ [ responder ] { destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port } * ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
responder: Displays entries of IPv4 multicast sessions from the responder to the initiator. If you do not specify this keyword, the command displays entries of IPv4 multicast sessions from the initiator to the responder.
destination-ip start-destination-ip [ end-destination-ip ]: Specifies a destination IPv4 address or IPv4 address range for a multicast session. The start-destination-ip argument specifies the start destination IPv4 address. The end-destination-ip argument specifies the end destination IPv4 address.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a multicast session. The value range for the destination-port argument is 0 to 65535.
protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv4 transport layer protocol.
source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv4 address or IPv4 address range for a multicast session. The start-source-ip argument specifies the start source IPv4 address. The end-source-ip argument specifies the end source IPv4 address.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a multicast session. The value range for the source-port argument is 0 to 65535.
verbose: Displays detailed information about IPv4 multicast session entries. If you do not specify this keyword, the command displays brief information about IPv4 multicast session entries.
Usage guidelines
If you do not specify any parameters, this command displays all IPv4 multicast session entries.
Examples
# (In standalone mode.) Display brief information about all IPv4 multicast session entries.
<Sysname> display session table multicast ipv4
CPU 1 on slot 1:
Inbound initiator:
Source IP/port: 3.3.3.4/1609
Destination IP/port: 232.0.0.1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: GigabitEthernet1/0/1
Outbound interface list:
GigabitEthernet1/0/2
GigabitEthernet1/0/3
Total sessions found: 3
# (In standalone mode.) Display detailed information about all IPv4 multicast session entries.
<Sysname> display session table multicast ipv4 verbose
CPU 1 on slot 1:
Total sessions found: 0
CPU 1 on slot 2:
Inbound initiator:
Source IP/port: 3.3.3.4/1609
Destination IP/port: 232.0.0.1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound responder:
Source IP/port: 232.0.0.1/1025
Destination IP/port: 3.3.3.4/1609
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
State: UDP_OPEN
Application: OTHER
Start time: 2014-03-03 15:59:22 TTL: 18s
Initiator->Responder: 1 packets 84 bytes
Outbound initiator:
Source IP/port: 3.3.3.4/1609
Destination IP/port: 232.0.0.1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Outbound responder:
Source IP/port: 232.0.0.1/1025
Destination IP/port: 3.3.3.4/1609
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Outbound interface: GigabitEthernet1/0/2
Destination security zone: aaa
State: UDP_OPEN
Application: OTHER
Start time: 2014-03-03 15:59:22 TTL: 18s
Initiator->Responder: 1 packets 84 bytes
Outbound initiator:
Source IP/port: 3.3.3.4/1609
Destination IP/port: 232.0.0.1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Outbound responder:
Source IP/port: 232.0.0.1/1025
Destination IP/port: 3.3.3.4/1609
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Outbound interface: GigabitEthernet1/0/3
Destination security zone: bbb
State: UDP_OPEN
Application: OTHER
Start time: 2014-03-03 15:59:22 TTL: 18s
Initiator->Responder: 1 packets 84 bytes
Total sessions found: 3
Table 21 Command output
Field | Description |
---|---|
Inbound initiator | Information about the multicast session from the initiator to the responder on the inbound interface. |
Inbound responder | Information about the multicast session from the responder to the initiator on the inbound interface. |
Outbound initiator | Information about the multicast session from the initiator to the responder on the outbound interface. |
Outbound responder | Information about the multicast session from the responder to the initiator on the outbound interface. |
DS-Lite tunnel peer | Address of the DS-Lite tunnel peer. If the multicast session is not tunneled by DS-Lite, this field displays a hyphen (-). |
VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the multicast session belongs. VLAN and inline to which the multicast session belongs during Layer 2 forwarding. If a parameter is not specified, a hyphen (-) is displayed for the corresponding field. |
Protocol | Transport layer protocol: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in the brackets indicates the protocol number. |
State | Multicast session state. |
Application | Application layer protocol, such as FTP or DNS. If it is an unknown protocol identified by an unknown port, this field displays OTHER. |
Start time | Time when the multicast session was created. |
TTL | Remaining lifetime of the multicast session, in seconds. |
Inbound interface | Inbound interface of the first packet from the initiator to the responder. |
Outbound interface | Outbound interface of the first packet from the initiator to the responder. |
Outbound interface list | Outbound interfaces of the first packet from the initiator to the responder. |
Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
Destination security zone | Security zone to which the outbound interface belongs. If the outbound interface does not belong to any security zone, this field displays a hyphen (-). |
Initiator->Responder | Number of packets and bytes from the initiator to the responder. |
Total sessions found | Total number of found multicast session entries. |
display session table multicast ipv6
Use display session table multicast ipv6 to display information about IPv6 multicast session entries that match specific criteria.
Syntax
In standalone mode:
display session table multicast ipv6 [ slot slot-number [ cpu cpu-number ] ] [ [ responder ] { destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port } * ] [ verbose ]
In IRF mode:
display session table multicast ipv6 [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ [ responder ] { destination-ip start-destination-ip [ end-destination-ip ] | destination-port destination-port | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-ip start-source-ip [ end-source-ip ] | source-port source-port } * ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
responder: Displays entries of IPv6 multicast sessions from the responder to the initiator. If you do not specify this keyword, the command displays entries of IPv6 multicast sessions from the initiator to the responder.
destination-ip start-destination-ip [ end-destination-ip ]: Specifies a destination IPv6 address or IPv6 address range for a multicast session. The start-destination-ip argument specifies the start destination IPv6 address. The end-destination-ip argument specifies the end destination IPv6 address.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a multicast session. The value range for the destination-port argument is 0 to 65535.
protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv6 transport layer protocol.
source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv6 address or IPv6 address range for a multicast session. The start-source-ip argument specifies the start source IPv6 address. The end-source-ip argument specifies the end source IPv6 address.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a multicast session. The value range for the source-port argument is 0 to 65535.
verbose: Displays detailed information about IPv6 multicast session entries. If you do not specify this keyword, the command displays brief information about IPv6 multicast session entries.
Usage guidelines
If you do not specify any parameters, this command displays all IPv6 multicast session entries.
Examples
# (In standalone mode.) Display brief information about all IPv6 multicast session entries.
<Sysname> display session table multicast ipv6
CPU 1 on slot 1:
Inbound initiator:
Source IP/port: 3::4/1617
Destination IP/port: FF0E::1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: GigabitEthernet1/0/1
Outbound interface list:
GigabitEthernet1/0/2
GigabitEthernet1/0/3
Total sessions found: 3
# (In standalone mode.) Display detailed information about all IPv6 multicast session entries.
<Sysname> display session table multicast ipv6 verbose
CPU 1 on slot 1:
Inbound initiator:
Source IP/port: 3::4/1617
Destination IP/port: FF0E::1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound responder:
Source IP/port: FF0E::1/1025
Destination IP/port: 3::4/1617
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
State: UDP_OPEN
Application: OTHER
Start time: 2014-03-03 16:10:58 TTL: 23s
Initiator->Responder: 5 packets 520 bytes
Outbound initiator:
Source IP/port: 3::4/1617
Destination IP/port: FF0E::1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Outbound responder:
Source IP/port: FF0E::1/1025
Destination IP/port: 3::4/1617
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Outbound interface: GigabitEthernet1/0/2
Destination security zone: bbb
State: UDP_OPEN
Application: OTHER
Start time: 2014-03-03 16:10:58 TTL: 23s
Initiator->Responder: 5 packets 520 bytes
Outbound initiator:
Source IP/port: 3::4/1617
Destination IP/port: FF0E::1/1025
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Outbound responder:
Source IP/port: FF0E::1/1025
Destination IP/port: 3::4/1617
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Outbound interface: GigabitEthernet1/0/3
Destination security zone: ccc
State: UDP_OPEN
Application: OTHER
Start time: 2014-03-03 16:10:58 TTL: 23s
Initiator->Responder: 5 packets 520 bytes
Total sessions found: 3
Table 22 Command output
Field | Description |
---|---|
Inbound initiator | Information about the multicast session from the initiator to the responder on the inbound interface. |
Inbound responder | Information about the multicast session from the responder to the initiator on the inbound interface. |
Outbound initiator | Information about the multicast session from the initiator to the responder on the outbound interface. |
Outbound responder | Information about the multicast session from the responder to the initiator on the outbound interface. |
DS-Lite tunnel peer | Address of the DS-Lite tunnel peer. If the multicast session is not tunneled by DS-Lite, this field displays a hyphen (-). |
VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the multicast session belongs. VLAN and inline to which the multicast session belongs during Layer 2 forwarding. If a parameter is not specified, a hyphen (-) is displayed for the corresponding field. |
Protocol | Transport layer protocol: DCCP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in the brackets indicates the protocol number. |
State | Multicast session state. |
Application | Application layer protocol, such as FTP or DNS. If it is an unknown protocol identified by an unknown port, this field displays OTHER. |
Start time | Time when the multicast session was created. |
TTL | Remaining lifetime of the multicast session, in seconds. |
Inbound interface | Inbound interface of the first packet from the initiator to the responder. |
Outbound interface | Outbound interface of the first packet from the initiator to the responder. |
Outbound interface list | Outbound interfaces of the first packet from the initiator to the responder. |
Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
Destination security zone | Security zone to which the outbound interface belongs. If the outbound interface does not belong to any security zone, this field displays a hyphen (-). |
Initiator->Responder | Number of packets and bytes from the initiator to the responder. |
Total sessions found | Total number of found multicast session entries. |
display session top-statistics
Use display session top-statistics to display top session statistics.
Syntax
display session top-statistics { last-1-hour | last-24-hours | last-30-days }
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
last-1-hour: Displays top session statistics in the last hour.
last-24-hours: Displays top session statistics in the last 24 hours.
last-30-days: Displays top session statistics in the last 30 days.
Usage guidelines
This command displays nothing if the top session statistics feature is not enabled. A maximum of ten session items can be displayed.
Examples
# Display top session statistics in the last hour.
<Sysname> display session top-statistics last-1-hour
Counting by source addresses:
No. Source address Sessions
1 10.1.2.3 50004302
2 10.1.2.2 40123255
3 10.2.2.10 26664302
4 10.1.2.11 7123255
5 10.1.2.12 424302
6 10.1.2.13 253255
7 10.1.2.14 55302
8 10.1.2.15 50025
9 10.1.2.16 3555
10 10.1.2.1 995
Counting by destination addresses:
No. Destination address Sessions
1 20.1.2.3 50004302
2 20.1.2.2 40123255
3 20.2.2.10 26664302
4 20.1.2.11 7123255
5 20.1.2.12 424302
6 20.1.2.13 325325
7 20.1.2.14 55530
8 20.1.2.15 50025
9 20.1.2.16 3555
10 20.1.2.1 995
Table 23 Command output
Field | Description |
---|---|
Counting by source addresses | Top session statistics based on source addresses. |
Counting by destination addresses | Top session statistics based on destination addresses. |
No. | Ranking number. |
Source address | Source IP address of the sessions. |
Destination address | Destination IP address of the sessions. |
Sessions | Total number of sessions. |
Related commands
session top-statistics enable
reset session relation-table
Use reset session relation-table to clear relation entries.
Syntax
In standalone mode:
reset session relation-table [ ipv4 | ipv6 ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
reset session relation-table [ ipv4 | ipv6 ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv4: Specifies IPv4 relation entries.
ipv6: Specifies IPv6 relation entries.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears relation entries for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears relation entries for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
If you do not specify any parameters, this command clears all relation entries.
Examples
# Clear all IPv4 relation entries.
<Sysname> reset session relation-table ipv4
Related commands
display session relation-table
reset session statistics
Use reset session statistics to clear unicast session statistics.
Syntax
In standalone mode:
reset session statistics [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
reset session statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears unicast session statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears unicast session statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command clears only statistics for the Received XXX fields in the display session statistics command output, where XXX is the protocol type. For more information, see the display session statistics command.
Examples
# Clear all unicast session statistics.
<Sysname> reset session statistics
Related commands
display session statistics
reset session statistics multicast
Use reset session statistics multicast to clear multicast session statistics.
Syntax
In standalone mode:
reset session statistics multicast [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
reset session statistics multicast [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears multicast session statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears multicast session statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# Clear all multicast session statistics.
<Sysname> reset session statistics multicast
Related commands
display session statistics multicast
reset session table
Use reset session table to clear IP unicast session entries.
Syntax
In standalone mode:
reset session table [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
reset session table [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears unicast session entries for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears unicast session entries for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# Clear all unicast session entries.
<Sysname> reset session table
Related commands
display session table ipv4
display session table ipv6
reset session table ipv4
Use reset session table ipv4 to clear information about IPv4 unicast session entries that match specific criteria.
Syntax
In standalone mode:
reset session table ipv4 [ slot slot-number [ cpu cpu-number ] ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
In IRF mode:
reset session table ipv4 [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
source-ip source-ip: Specifies a source IPv4 address. The source-ip argument specifies the source IPv4 address of a unicast session from the initiator to the responder.
destination-ip destination-ip: Specifies a destination IPv4 address. The destination-ip argument specifies the destination IPv4 address of a unicast session from the initiator to the responder.
protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv4 transport layer protocol, including DCCP, ICMP, Raw IP, SCTP, TCP, UDP, and UDP-Lite.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a unicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a unicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you want to clear IPv4 unicast session entries on the public network, do not specify this option.
Usage guidelines
If you do not specify any parameters, this command clears all IPv4 unicast session entries on the public network.
Examples
# Clear all IPv4 unicast session entries.
<Sysname> reset session table ipv4
# Clear the IPv4 unicast session entries with the source IP address of 10.10.10.10.
<Sysname> reset session table ipv4 source-ip 10.10.10.10
Related commands
display session table ipv4
reset session table ipv6
Use reset session table ipv6 to clear information about IPv6 unicast session entries that match the specified criteria.
Syntax
In standalone mode:
reset session table ipv6 [ slot slot-number [ cpu cpu-number ] ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
In IRF mode:
reset session table ipv6 [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
source-ip source-ip: Specifies a source IPv6 address. The source-ip argument specifies the source IPv6 address of a unicast session from the initiator to the responder.
destination-ip destination-ip: Specifies a destination IPv6 address. The destination-ip argument specifies the destination IPv6 address of a unicast session from the initiator to the responder.
protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv6 transport layer protocol, including DCCP, ICMPv6, Raw IP, SCTP, TCP, UDP, and UDP-Lite.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a unicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a unicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you want to clear IPv6 unicast session entries on the public network, do not specify this option.
Usage guidelines
If you do not specify any parameters, this command clears all IPv6 unicast session entries on the public network.
Examples
# Clear all IPv6 unicast session entries.
<Sysname> reset session table ipv6
# Clear the IPv6 unicast session entries with the source IP address of 2011::0002.
<Sysname> reset session table ipv6 source-ip 2011::0002
Related commands
display session table ipv6
reset session table multicast
Use reset session table multicast to clear IP multicast session entries.
Syntax
In standalone mode:
reset session table multicast [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
reset session table multicast [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears multicast session entries for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears multicast session entries for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# Clear all multicast session entries.
<Sysname> reset session table multicast
Related commands
display session table multicast ipv4
display session table multicast ipv6
reset session table multicast ipv4
Use reset session table multicast ipv4 to clear information about IPv4 multicast session entries that match specific criteria.
Syntax
In standalone mode:
reset session table multicast ipv4 [ slot slot-number [ cpu cpu-number ] ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
In IRF mode:
reset session table multicast ipv4 [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
source-ip source-ip: Specifies a source IPv4 address. The source-ip argument specifies the source IPv4 address of a multicast session from the initiator to the responder.
destination-ip destination-ip: Specifies a destination IPv4 address. The destination-ip argument specifies the destination IPv4 address of a multicast session from the initiator to the responder.
protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv4 transport layer protocol, including DCCP, ICMP, Raw IP, SCTP, TCP, UDP, and UDP-Lite.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a multicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a multicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you want to clear IPv4 multicast session entries on the public network, do not specify this option.
Usage guidelines
If you do not specify any parameters, this command clears all IPv4 multicast session entries on the public network.
Examples
# Clear all IPv4 multicast session entries.
<Sysname> reset session table multicast ipv4
# Clear the IPv4 multicast session entries with the source IP address of 10.10.10.10.
<Sysname> reset session table multicast ipv4 source-ip 10.10.10.10
Related commands
display session table multicast ipv4
reset session table multicast ipv6
Use reset session table multicast ipv6 to clear information about IPv6 multicast session entries that match specific criteria.
Syntax
In standalone mode:
reset session table multicast ipv6 [ slot slot-number [ cpu cpu-number ] ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
In IRF mode:
reset session table multicast ipv6 [ chassis chassis-number slot slot-number [ cpu cpu-number ] ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
source-ip source-ip: Specifies a source IPv6 address. The source-ip argument specifies the source IPv6 address of a multicast session from the initiator to the responder.
destination-ip destination-ip: Specifies a destination IPv6 address. The destination-ip argument specifies the destination IPv6 address of a multicast session from the initiator to the responder.
protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv6 transport layer protocol, including DCCP, ICMPv6, Raw IP, SCTP, TCP, UDP, and UDP-Lite.
source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a multicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.
destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a multicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you want to clear IPv6 multicast session entries on the public network, do not specify this option.
Usage guidelines
If you do not specify any parameters, this command clears all IPv6 multicast session entries on the public network.
Examples
# Clear all IPv6 multicast session entries.
<Sysname> reset session table multicast ipv6
# Clear the IPv6 multicast session entries with the source IP address of 2011::0002.
<Sysname> reset session table multicast ipv6 source-ip 2011::0002
Related commands
display session table multicast ipv6
session aging-time application
Use session aging-time application to set the aging time for sessions of an application layer protocol or an application.
Use undo session aging-time application to restore the default. If you do not specify an application layer protocol or an application, this command restores the default aging time for all sessions of the supported application layer protocols and applications.
Syntax
session aging-time application application-name time-value
undo session aging-time application [ application-name ]
Default
The aging time is 1200 seconds for sessions of application layer protocols or applications except for the following sessions:
· BOOTPC sessions: 120 seconds.
· BOOTPS sessions: 120 seconds.
· DNS sessions: 30 seconds.
· FTP sessions: 3600 seconds.
· FTP-DATA sessions: 240 seconds.
· GPRS-DATA sessions: 60 seconds.
· GPRS-SIG sessions: 60 seconds.
· GTP-CONTROL sessions: 60 seconds.
· GTP-USER sessions: 60 seconds.
· H.225 sessions: 3600 seconds.
· H.245 sessions: 3600 seconds.
· HTTPS sessions: 600 seconds.
· ILS sessions: 3600 seconds.
· L2TP sessions: 120 seconds.
· MGCP-CALLAGENT sessions: 60 seconds.
· MGCP-GATEWAY sessions: 60 seconds.
· NETBIOS-DGM sessions: 3600 seconds.
· NETBIOS-NS sessions: 3600 seconds.
· NETBIOS-SSN sessions: 3600 seconds.
· NTP sessions: 120 seconds.
· PPTP sessions: 3600 seconds.
· QQ sessions: 120 seconds.
· RAS sessions: 300 seconds.
· RIP sessions: 120 seconds.
· RSH sessions: 60 seconds.
· RTSP sessions: 3600 seconds.
· SCCP sessions: 3600 seconds.
· SIP sessions: 300 seconds.
· SNMP sessions: 120 seconds.
· SNMPTRAP sessions: 120 seconds.
· SQLNET sessions: 600 seconds.
· STUN sessions: 600 seconds.
· SYSLOG sessions: 120 seconds.
· TACACS-DS sessions: 120 seconds.
· TFTP sessions: 60 seconds.
· WHO sessions: 120 seconds.
· XDMCP sessions: 3600 seconds.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
application-name: Specifies an application layer protocol or an application by its name, a case-insensitive string of 1 to 63 characters. Valid characters can be digits, letters, hyphens (-), and underscores (_). The names invalid and other are not allowed. The application layer protocol or application must exist on the device.
time-value: Specifies the aging time in seconds. The value range is 1 to 100000.
Usage guidelines
This command sets the aging time for stable sessions of the specified application layer protocols or applications. For TCP sessions, the stable state is ESTABLISHED. For UDP sessions, the stable state is READY.
For sessions of application layer protocols or applications that are not supported by this command, the aging time is set by the session aging-time state command. For persistent sessions, the aging time is set by the session persistent acl command.
Supported application layer protocols or applications specified in this command depend on the APR module. For information about APR, see Security Configuration Guide.
Examples
# Set the aging time for FTP sessions to 1800 seconds.
<Sysname> system-view
[Sysname] session aging-time application ftp 1800
# Set the aging time for 126WebEmail sessions to 1800 seconds.
<Sysname> system-view
[Sysname] session aging-time application 126WebEmail 1800
Related commands
display session aging-time application
nbar application
port-mapping
session aging-time state
session persistent acl
session aging-time state
Use session aging-time state to set the aging time for the sessions in a protocol state.
Use undo session aging-time state to restore the default for the sessions in a protocol state. If you do not specify a protocol state, this command restores the default aging time for sessions in all protocol states.
Syntax
session aging-time state { fin | icmp-reply | icmp-request | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | syn | tcp-close | tcp-est | tcp-time-wait | udp-open | udp-ready } time-value
undo session aging-time state [ fin | icmp-reply | icmp-request | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | syn | tcp-close | tcp-est | tcp-time-wait | udp-open | udp-ready ]
Default
The aging time for sessions in different protocol states is as follows:
· FIN_WAIT: 30 seconds.
· ICMP-REPLY: 30 seconds.
· ICMP-REQUEST: 60 seconds.
· ICMPv6-REPLY: 30 seconds.
· ICMPv6-REQUEST: 60 seconds.
· RAWIP-OPEN: 30 seconds.
· RAWIP-READY: 60 seconds.
· TCP SYN-SENT and SYN-RCV: 30 seconds.
· TCP-CLOSE: 2 seconds.
· TCP ESTABLISHED: 3600 seconds.
· TCP TIME-WAIT: 2 seconds.
· UDP-OPEN: 30 seconds.
· UDP-READY: 60 seconds.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
fin: Specifies the TCP FIN_WAIT state.
icmp-reply: Specifies the ICMP REPLY state.
icmp-request: Specifies the ICMP REQUEST state.
icmpv6-reply: Specifies the ICMPv6 REPLY state.
icmpv6-request: Specifies the ICMPv6 REQUEST state.
rawip-open: Specifies the RAWIP-OPEN state.
rawip-ready: Specifies the RAWIP-READY state.
syn: Specifies the TCP SYN-SENT and SYN-RCV states.
tcp-close: Specifies the TCP CLOSE state.
tcp-est: Specifies the TCP ESTABLISHED state.
tcp-time-wait: Specifies the TCP TIME-WAIT state.
udp-open: Specifies the UDP OPEN state.
udp-ready: Specifies the UDP READY state.
time-value: Specifies the aging time in seconds. For the TCP CLOSE and TCP TIME-WAIT states, the value range is 0 to 100000. For other states, the value range is 1 to 100000. If the device is installed with service modules that support hardware fast forwarding, the value range is 0 to 63 for the TCP CLOSE state.
Usage guidelines
This command sets the aging time for stable sessions of the application layer protocols that are not supported by the session aging-time application command. For persistent sessions, the aging time is set by the session persistent acl command.
Examples
# Set the aging time for TCP sessions in SYN-SENT and SYN-RCV states to 60 seconds.
<Sysname> system-view
[Sysname] session aging-time state syn 60
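The following added example (not part of the original reference or the vendor's tooling) checks `session aging-time application` and `session aging-time state` lines against the name rules, value ranges and state defaults documented above, so a configuration can be audited before it is pushed. The function names and the sample configuration are constructed for illustration.

```python
import re

# Keywords, ranges and defaults below are copied from the command reference text.
STATE_DEFAULTS = {
    "fin": 30, "icmp-reply": 30, "icmp-request": 60, "icmpv6-reply": 30,
    "icmpv6-request": 60, "rawip-open": 30, "rawip-ready": 60, "syn": 30,
    "tcp-close": 2, "tcp-est": 3600, "tcp-time-wait": 2, "udp-open": 30,
    "udp-ready": 60,
}
ZERO_ALLOWED = {"tcp-close", "tcp-time-wait"}  # states whose range starts at 0
MAX_AGING = 100000
HW_FAST_FWD_TCP_CLOSE_MAX = 63  # tcp-close upper bound with hardware fast forwarding
APP_NAME = re.compile(r"[A-Za-z0-9_-]{1,63}")
RESERVED_APP_NAMES = {"invalid", "other"}  # names the reference disallows


def check_line(line, hw_fast_forwarding=False):
    """Validate one 'session aging-time ...' line; return a list of problem strings."""
    tokens = line.split()
    if tokens[:2] != ["session", "aging-time"]:
        return []  # not a command this checker covers
    if len(tokens) != 5 or tokens[2] not in ("application", "state"):
        return ["expected: session aging-time { application | state } name time-value"]
    kind, name, raw = tokens[2:]
    problems = []
    if kind == "application":
        low, high = 1, MAX_AGING
        if not APP_NAME.fullmatch(name):
            problems.append(f"application name {name!r} must be 1-63 letters, "
                            "digits, hyphens or underscores")
        elif name.lower() in RESERVED_APP_NAMES:  # names are case-insensitive
            problems.append(f"application name {name!r} is not allowed")
    else:
        if name not in STATE_DEFAULTS:
            return [f"unknown protocol state {name!r}"]
        low = 0 if name in ZERO_ALLOWED else 1
        capped = hw_fast_forwarding and name == "tcp-close"
        high = HW_FAST_FWD_TCP_CLOSE_MAX if capped else MAX_AGING
    if not (raw.isascii() and raw.isdigit()):
        problems.append(f"time-value {raw!r} is not a whole number of seconds")
    elif not low <= int(raw) <= high:
        problems.append(f"time-value {raw} is outside {low}-{high} seconds")
    return problems


def audit(config_text, hw_fast_forwarding=False):
    """Return (findings, overrides) for a configuration.

    findings is a list of (line number, problem); overrides maps each validly
    configured protocol state to (documented default, configured value) when
    the two differ.
    """
    findings, overrides = [], {}
    for number, line in enumerate(config_text.splitlines(), start=1):
        problems = check_line(line, hw_fast_forwarding)
        findings.extend((number, problem) for problem in problems)
        tokens = line.split()
        if not problems and tokens[:3] == ["session", "aging-time", "state"]:
            state, value = tokens[3], int(tokens[4])
            if value != STATE_DEFAULTS[state]:
                overrides[state] = (STATE_DEFAULTS[state], value)
    return findings, overrides


# Constructed configuration excerpt used as sample input.
SAMPLE_CONFIG = """\
session aging-time application ftp 1800
session aging-time application other 600
session aging-time state syn 60
session aging-time state tcp-time-wait 0
session aging-time state udp-open 0
session aging-time state tcp-close 120
"""

if __name__ == "__main__":
    found, changed = audit(SAMPLE_CONFIG, hw_fast_forwarding=True)
    for number, problem in found:
        print(f"line {number}: {problem}")
    for state, (default, value) in changed.items():
        print(f"{state}: default {default} s, configured {value} s")
```

Whether the 0 to 63 limit for `tcp-close` applies depends on the installed service modules, so the caller passes `hw_fast_forwarding` explicitly.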
Related commands
display session aging-time state
session aging-time application
session persistent acl
session alarm rate-abrupt enable
Use session alarm rate-abrupt enable to enable alarms for abrupt session creation rate changes.
Use undo session alarm rate-abrupt enable to disable alarms for abrupt session creation rate changes.
Syntax
session alarm rate-abrupt enable
undo session alarm rate-abrupt enable
Default
Alarms are disabled for abrupt session creation rate changes.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command enables the device to generate alarms for an abrupt increase or drop in the session creation rate when the alarm thresholds for abrupt session creation rate changes are crossed.
Examples
# Enable alarms for abrupt session creation rate changes.
<Sysname> system-view
[Sysname] session alarm rate-abrupt enable
Related commands
session alarm rate-abrupt threshold
session alarm rate-abrupt threshold
Use session alarm rate-abrupt threshold to set the alarm thresholds for abrupt session creation rate changes.
Use undo session alarm rate-abrupt threshold to restore the default.
Syntax
session alarm rate-abrupt threshold threshold-value [ base-threshold base-value ]
undo session alarm rate-abrupt threshold
Default
The session creation rate change threshold is 20%, and the base session creation rate threshold is 10%.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Sets the session creation rate change threshold in percentage. The value range for this argument is 1 to 100.
base-threshold base-value: Sets the base session creation rate threshold in percentage. The value range for this argument is 1 to 100. If you do not specify this option, the default setting applies.
Usage guidelines
Non-default vSystems do not support this command.
With alarms enabled for abrupt session creation rate changes, the system collects the session creation rate at an interval of 10 seconds and checks whether the following indicators reach the corresponding alarm thresholds:
· Session creation rate change in percentage—Obtained by dividing the difference between the session creation rates at the beginning and end of a collection interval by the session creation rate at the beginning of the collection interval.
· Base session creation rate in percentage—Obtained by dividing the session creation rate at the beginning of a collection interval by 100000.
If both of the following conditions are met in a detection interval, the system generates an alarm for the abrupt change of the session creation rate:
· The session creation rate change threshold is reached.
· The base session creation rate threshold is crossed.
Examples
# Set the session creation rate change threshold to 30%.
<Sysname> system-view
[Sysname] session alarm rate-abrupt threshold 30
Related commands
session alarm rate-abrupt enable
session alarm try-rate-abrupt enable
Use session alarm try-rate-abrupt enable to enable alarms for abrupt session attempt rate changes.
Use undo session alarm try-rate-abrupt enable to disable alarms for abrupt session attempt rate changes.
Syntax
session alarm try-rate-abrupt enable
undo session alarm try-rate-abrupt enable
Default
Alarms are disabled for abrupt session attempt rate changes.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command enables the device to generate alarms for an abrupt increase or drop in the session creation attempt rate when the alarm thresholds for abrupt session attempt rate changes are reached.
Examples
# Enable alarms for abrupt session attempt rate changes.
<Sysname> system-view
[Sysname] session alarm try-rate-abrupt enable
Related commands
session alarm try-rate-abrupt threshold
session alarm try-rate-abrupt threshold
Use session alarm try-rate-abrupt threshold to set the alarm thresholds for abrupt session attempt rate changes.
Use undo session alarm try-rate-abrupt threshold to restore the default.
Syntax
session alarm try-rate-abrupt threshold threshold-value [ base-threshold base-value ]
undo session alarm try-rate-abrupt threshold
Default
The session attempt rate change threshold is 20%, and the base session attempt rate threshold is 10%.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Sets the session attempt rate change threshold in percentage. The value range for this argument is 1 to 100.
base-threshold base-value: Sets the base session attempt rate threshold in percentage. The value range for this argument is 1 to 100. If you do not specify this option, the default setting applies.
Usage guidelines
Non-default vSystems do not support this command.
With alarms enabled for abrupt session attempt rate changes, the system collects the session creation attempt rate at an interval of 10 seconds and checks whether the following indicators reach the corresponding alarm thresholds:
· Session attempt rate change in percentage—Obtained by dividing the difference between the session creation attempt rates at the beginning and end of a collection interval by the session creation attempt rate at the beginning of the collection interval.
· Base session attempt rate in percentage—Obtained by dividing the session creation attempt rate at the beginning of a collection interval by 100000.
If both of the following conditions are met in a detection interval, the system generates an alarm for the abrupt change of the session creation attempt rate:
· The session attempt rate change threshold is reached.
· The base session attempt rate threshold is crossed.
Examples
# Set the session attempt rate change threshold to 30%.
<Sysname> system-view
[Sysname] session alarm try-rate-abrupt threshold 30
Related commands
session alarm try-rate-abrupt enable
session alarm usage-abrupt enable
Use session alarm usage-abrupt enable to enable alarms for abrupt session table usage changes.
Use undo session alarm usage-abrupt enable to disable alarms for abrupt session table usage changes.
Syntax
session alarm usage-abrupt enable
undo session alarm usage-abrupt enable
Default
Alarms are disabled for abrupt session table usage changes.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command enables the device to generate alarms for an abrupt increase or drop in the session table usage when the alarm thresholds for abrupt session table usage changes are reached.
Examples
# Enable alarms for abrupt session table usage changes.
<Sysname> system-view
[Sysname] session alarm usage-abrupt enable
Related commands
session alarm usage-abrupt threshold
session alarm usage-abrupt threshold
Use session alarm usage-abrupt threshold to set the alarm thresholds for abrupt session table usage changes.
Use undo session alarm usage-abrupt threshold to restore the default.
Syntax
session alarm usage-abrupt threshold threshold-value [ base-threshold base-value ]
undo session alarm usage-abrupt threshold
Default
The session table usage change threshold is 20%, and the base session table usage threshold is 10%.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
threshold-value: Sets the session table usage change threshold in percentage. The value range for this argument is 1 to 100.
base-threshold base-value: Sets the base session table usage threshold in percentage. The value range for this argument is 1 to 100. If you do not specify this option, the default setting applies.
Usage guidelines
Non-default vSystems do not support this command.
With alarms enabled for abrupt session table usage changes, the system collects the session table usage at an interval of 10 seconds and checks whether the following indicators reach the corresponding alarm thresholds:
· Session table usage change in percentage—Obtained by dividing the difference between the session entry counts at the beginning and end of a collection interval by the session entry count at the beginning of the collection interval.
· Base session table usage in percentage—Obtained by dividing the session entry count at the beginning of a collection interval by the supported maximum number of session entries.
If both of the following conditions are met in a detection interval, the system generates an alarm for the abrupt change of the session table usage:
· The session table usage change threshold is reached.
· The base session table usage threshold is crossed.
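The two-condition check described for session alarm rate-abrupt threshold, session alarm try-rate-abrupt threshold and session alarm usage-abrupt threshold can be modeled as follows. This is an added example, not the device's implementation: the function names, the sample readings and the table capacity are constructed, and it assumes that "reached" and "crossed" both mean greater than or equal to, that increases and drops are both measured as an absolute difference, and that an interval starting at zero is skipped.

```python
from dataclasses import dataclass

RATE_BASE_DIVISOR = 100000  # divisor the reference gives for both rate indicators


@dataclass
class Thresholds:
    change_pct: float = 20.0  # documented default for threshold-value
    base_pct: float = 10.0    # documented default for base-threshold


def indicators(begin, end, base_divisor):
    """Return (change %, base %) for one collection interval, or None if undefined."""
    if begin <= 0:
        return None  # assumption: no change percentage exists for a zero start value
    change = abs(end - begin) * 100 / begin
    base = begin * 100 / base_divisor
    return change, base


def abrupt_alarms(samples, thresholds=None, base_divisor=RATE_BASE_DIVISOR):
    """Return (interval index, change %, base %) for every interval that would alarm.

    samples holds consecutive readings taken 10 seconds apart; interval i runs
    from samples[i] to samples[i + 1]. For session table usage, pass the
    supported maximum number of session entries as base_divisor.
    """
    thresholds = thresholds or Thresholds()
    alarms = []
    for i in range(len(samples) - 1):
        result = indicators(samples[i], samples[i + 1], base_divisor)
        if result is None:
            continue
        change, base = result
        # Assumption: "reached" and "crossed" are both treated as >=.
        if change >= thresholds.change_pct and base >= thresholds.base_pct:
            alarms.append((i, round(change, 1), round(base, 1)))
    return alarms


# Constructed session creation rates, one reading per 10-second interval.
SAMPLE_RATES = [12000, 12500, 30000, 29000, 9000, 400, 900]
# Constructed session entry counts and a hypothetical table capacity.
SAMPLE_ENTRIES = [200000, 260000, 265000]
HYPOTHETICAL_MAX_ENTRIES = 1000000

if __name__ == "__main__":
    for idx, change, base in abrupt_alarms(SAMPLE_RATES):
        print(f"rate interval {idx}: change {change}%, base {base}% -> alarm")
    usage = abrupt_alarms(SAMPLE_ENTRIES, Thresholds(change_pct=30),
                          base_divisor=HYPOTHETICAL_MAX_ENTRIES)
    for idx, change, base in usage:
        print(f"usage interval {idx}: change {change}%, base {base}% -> alarm")
```

In the sample rates, the drop from 9000 to 400 is a change of more than 95% but raises no alarm, because the starting rate is only 9% of 100000 and the default base threshold is 10%. Pick `base-threshold` with the device's normal load in mind, or quiet periods will never alarm.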
Examples
# Set the session table usage change threshold to 30%.
<Sysname> system-view
[Sysname] session alarm usage-abrupt threshold 30
Related commands
session alarm usage-abrupt enable
session alg fragment
Use session alg fragment to enable ALG to process fragments.
Use undo session alg fragment to disable ALG from processing fragments.
Syntax
session alg fragment sip
undo session alg fragment sip
Default
ALG does not process fragments.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
sip: Specifies SIP fragments.
Usage guidelines
Non-default vSystems do not support this command.
This command enables ALG to process fragments of specified protocols. In the current software version, ALG can process only SIP fragments.
Examples
# Enable ALG to process SIP fragments.
<Sysname> system-view
[Sysname] session alg fragment sip
session dual-active enable
Use session dual-active enable to enable session dual-active mode.
Use undo session dual-active enable to disable session dual-active mode.
Syntax
session dual-active enable
undo session dual-active enable
Default
Session dual-active mode is disabled. The device is operating in session active/standby mode.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
In a hot backup system operating in session active/standby mode, only one device processes security services. Session dual-active mode increases load capacity of the system by enabling both devices to process security services.
Examples
# Enable session dual-active mode.
<Sysname> system-view
[Sysname] session dual-active enable
Related commands
session synchronization enable
session fast-drop aging-time
Use session fast-drop aging-time to set the aging time for deny sessions.
Use undo session fast-drop aging-time to restore the default.
Syntax
session fast-drop aging-time time-value
undo session fast-drop aging-time
Default
The aging time for deny sessions is 3 seconds.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
time-value: Specifies the aging time in seconds. The value range is 1 to 3.
Usage guidelines
Non-default vSystems do not support this command.
The system deletes deny sessions based on the deny session aging time. The deny session aging time is not refreshed when packets match deny sessions.
Examples
# Set the aging time for deny sessions to 1 second.
<Sysname> system-view
[Sysname] session fast-drop aging-time 1
Related commands
session fast-drop aspf enable
session fast-drop enable
Use session fast-drop enable to enable the deny session feature for modules.
Use undo session fast-drop enable to disable the deny session feature for modules.
Syntax
session fast-drop { aspf | connection-limit } * enable
undo session fast-drop { aspf | connection-limit } * enable
Default
Hardware platform | Module type | Default |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | Enabled |
M9006 M9010 M9014 | Blade V firewall module | Enabled |
M9006 M9010 M9014 | NAT module | Disabled |
M9006 M9010 M9014 | Application delivery engine (ADE) module | Disabled |
M9006 M9010 M9014 | Anomaly flow cleaner (AFC) module | Disabled |
M9010-GM | Encryption module | Disabled |
M9016-V | Blade V firewall module | Enabled |
M9008-S M9012-S | Blade IV firewall module | Enabled |
M9008-S M9012-S | Application delivery engine (ADE) module | Disabled |
M9008-S M9012-S | Intrusion prevention service (IPS) module | Disabled |
M9008-S M9012-S | Video network gateway module | Disabled |
M9008-S M9012-S | Anomaly flow cleaner (AFC) module | Disabled |
M9008-S-V | Blade IV firewall module | Enabled |
M9000-AI-E4 | Blade V firewall module | Disabled |
M9000-AI-E8 | Blade V firewall module | Enabled |
M9000-AI-E8 | Application delivery engine (ADE) module | Disabled |
M9000-AI-E16 | Blade V firewall module | Enabled |
M9000-X06 M9000-X10 | Blade VI firewall module | Enabled |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Enabled |
Views
System view
Parameters
aspf: Specifies the ASPF module.
connection-limit: Specifies the connection limit module.
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
The deny session feature allows the device to create sessions for dropped packets. These sessions are called deny sessions. To improve forwarding performance, the device drops all packets that match deny sessions.
The device generates deny sessions only for the packets dropped by the ASPF or connection limit module.
Examples
# Enable the deny session feature for ASPF.
<Sysname> system-view
[Sysname] session fast-drop aspf enable
Related commands
display session fast-drop table ipv4
display session fast-drop table ipv6
session fast-drop hardware-fast-forwarding
Use session fast-drop hardware-fast-forwarding to enable hardware fast forwarding for deny sessions.
Use undo session fast-drop hardware-fast-forwarding to disable hardware fast forwarding for deny sessions.
Syntax
session fast-drop hardware-fast-forwarding
undo session fast-drop hardware-fast-forwarding
Default
Hardware platform | Module type | Default |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | Enabled |
M9006 M9010 M9014 | Blade V firewall module | Enabled |
M9006 M9010 M9014 | NAT module | Disabled |
M9010-GM | Encryption module | Disabled |
M9016-V | Blade V firewall module | Enabled |
M9008-S M9012-S | Blade IV firewall module | Enabled |
M9008-S M9012-S | Intrusion prevention service (IPS) module | Disabled |
M9008-S M9012-S | Video network gateway module | Disabled |
M9008-S-V | Blade IV firewall module | Enabled |
M9000-AI-E4 | Blade V firewall module | Disabled |
M9000-AI-E8 | Blade V firewall module | Enabled |
M9000-AI-E16 | Blade V firewall module | Enabled |
M9000-X06 M9000-X10 | Blade VI firewall module | Enabled |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Enabled |
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
Hardware fast forwarding for deny sessions enables the device to issue deny session entries to chips and perform fast packet dropping based on those entries.
This feature takes effect only when both the deny session and hardware fast forwarding features are enabled. For more information about hardware fast forwarding, see Layer 3—IP Services Configuration Guide.
As a best practice, disable hardware fast forwarding for deny sessions when you troubleshoot problems on forwarding chips.
Examples
# Enable hardware fast forwarding for deny sessions.
<Sysname> system-view
[Sysname] session fast-drop hardware-fast-forwarding
Related commands
hardware fast-forwarding enable (Layer 3—IP Services Command Reference)
session fast-drop enable
session fast-drop resource-ratio
Use session fast-drop resource-ratio to set the maximum ratio of deny sessions to all sessions.
Use undo session fast-drop resource-ratio to restore the default.
Syntax
session fast-drop resource-ratio ratio
undo session fast-drop resource-ratio
Default
The maximum ratio of deny sessions to all sessions is 50‰.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
ratio: Specifies the maximum ratio of deny sessions to all sessions, in permillage. The value range for this argument is 1 to 100.
Usage guidelines
Non-default vSystems do not support this command.
When the ratio of deny session entries reaches the maximum ratio set by using this command, the device stops generating deny sessions.
Examples
# Set the maximum ratio of deny sessions to all sessions to 1‰.
<Sysname> system-view
[Sysname] session fast-drop resource-ratio 1
Related commands
session fast-drop aspf enable
session fast-drop top-statistics enable
Use session fast-drop top-statistics enable to enable the top deny session statistics feature.
Use undo session fast-drop top-statistics enable to disable the top deny session statistics feature.
Syntax
session fast-drop top-statistics enable
undo session fast-drop top-statistics enable
Default
The top deny session statistics feature is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command collects the number of deny sessions for session-based services and ranks the deny sessions by source address and by destination address.
To display the top deny session statistics, use the display session fast-drop top-statistics command.
Examples
# Enable the top deny session statistics feature.
<Sysname> system-view
[Sysname] session fast-drop top-statistics enable
Related commands
display session fast-drop top-statistics
session fast-drop enable
session flow-redirect enable
Use session flow-redirect enable to enable session flow redirection.
Use undo session flow-redirect enable to disable session flow redirection.
Syntax
session flow-redirect enable
undo session flow-redirect enable
Default
Session flow redirection is disabled. Flows are redirected by OpenFlow entries.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This feature ensures that packets and return packets of a data flow can be correctly processed when they are forwarded to different security modules. After this feature is enabled, the system immediately synchronizes the session information created for the packets to the security module where return packets are processed. When the sessions for packets are deleted, the synchronized session information in other security modules will be deleted accordingly.
Typically, the system uses OpenFlow entries for packet forwarding to ensure that packets and return packets of a data flow can be processed in the same security module. The number of OpenFlow entries supported by the device is limited. When the upper limit is reached, packets and return packets of a data flow might be forwarded to different security modules, which causes packet processing failures. To resolve this problem, disable OpenFlow entry generation on service modules and enable session flow redirection.
For this feature to take effect, make sure the OpenFlow entry generation by service modules is disabled. For information about disabling OpenFlow entry generation by service modules, see configuration guides of related service modules.
When both session flow redirection and hardware fast forwarding are enabled, the device does not issue session entries to hardware chips of security modules. As a result, hardware fast forwarding does not take effect on security modules. To use hardware fast forwarding and session flow redirection together, you must also enable hardware fast forwarding for session flow redirection by using the session flow-redirect hardware-fast-forwarding command. For information about hardware fast forwarding, see fast forwarding in Layer 3—IP Services Configuration Guide.
Examples
# Enable session flow redirection.
<Sysname> system-view
[Sysname] session flow-redirect enable
Related commands
display session table ipv4
display session table ipv6
session flow-redirect hardware-fast-forwarding
undo nat flow-redirect all (NAT Command Reference)
session flow-redirect hardware-fast-forwarding
Use session flow-redirect hardware-fast-forwarding to enable hardware fast forwarding for session flow redirection.
Use undo session flow-redirect hardware-fast-forwarding to disable hardware fast forwarding for session flow redirection.
Syntax
session flow-redirect hardware-fast-forwarding
undo session flow-redirect hardware-fast-forwarding
Default
Hardware fast forwarding is disabled for session flow redirection.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This command enables the device to issue the session entry created for the first packet of a flow to hardware chips to speed up forwarding of subsequent traffic of the flow.
This command takes effect only when both session flow redirection and hardware fast forwarding are enabled. For more information about hardware fast forwarding, see Layer 3—IP Services Configuration Guide.
You can disable hardware fast forwarding when you troubleshoot problems on hardware chips.
Examples
# Enable hardware fast forwarding for session flow redirection.
<Sysname> system-view
[Sysname] session flow-redirect hardware-fast-forwarding
Related commands
hardware fast-forwarding enable (Layer 3—IP Services Command Reference)
session flow-redirect enable
session hotbackup-mode
Use session hotbackup-mode to configure the load sharing mode for session hot backup.
Use undo session hotbackup-mode to restore the default.
Syntax
session hotbackup-mode { per-flow | per-packet }
undo session hotbackup-mode
Default
The load sharing mode for session hot backup is per-packet mode.
Views
System view
Predefined user roles
network-admin
mdc-admin
vsys-admin
Parameters
per-flow: Specifies the per-flow mode.
per-packet: Specifies the per-packet mode.
Usage guidelines
In a Layer 3 dual-active network where hot backup collaborates with routing, you can execute the ip load-sharing mode command to configure the load sharing mode for IP packet forwarding on uplink and downlink devices. This ensures balanced processing of services between two hot backup member devices. To ensure load sharing of session entries between two hot backup member devices, you must configure the load sharing mode for session hot backup. Make sure the specified load sharing mode is the same as that specified by the ip load-sharing mode command.
This command takes effect only in RBM dual-active networks. Make sure both member devices are configured with the same load sharing mode for session hot backup.
Examples
# Configure the load sharing mode for session hot backup as the per-flow mode.
<Sysname> system-view
[Sysname] session hotbackup-mode per-flow
Related commands
hot-backup enable (High Availability Command Reference)
ip load-sharing mode (Layer 3–IP Services Command Reference)
session synchronization enable
session dual-active enable
session log { bytes-active | packets-active }
Use session log { bytes-active | packets-active } to set a threshold for traffic-based logging.
Use undo session log { bytes-active | packets-active } to restore the default.
Syntax
session log { bytes-active bytes-value | packets-active packets-value }
undo session log { bytes-active | packets-active }
Default
No threshold is set for traffic-based logging.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
bytes-value: Specifies the byte-based threshold in the range of 1 to 100000 MB.
packets-value: Specifies the packet-based threshold in the range of 1 to 100000 mega-packets.
Usage guidelines
For this command to take effect, make sure session statistics collection for software fast forwarding is enabled.
If you set both traffic-based and time-based logging, the device outputs a session log when either the traffic threshold or the interval is reached. After outputting a session log, the device resets the traffic counter and restarts the interval for the session.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the device to output session logs on a per-10-mega-packet basis.
<Sysname> system-view
[Sysname] session statistics enable
[Sysname] session log packets-active 10
Related commands
session log enable
session statistics enable
session log enable
Use session log enable to enable session logging.
Use undo session log enable to disable session logging.
Syntax
session log enable { ipv4 | ipv6 } [ acl acl-number ] { inbound | outbound }
undo session log enable { ipv4 | ipv6 } [ acl acl-number ] { inbound | outbound }
Default
Session logging is disabled.
Views
Interface view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv4: Logs IPv4 sessions.
ipv6: Logs IPv6 sessions.
acl acl-number: Specifies an ACL by its number in the range of 2000 to 3999. If you do not specify an ACL, this command enables session logging for all IPv4 or IPv6 sessions on the interface.
inbound: Specifies the inbound direction.
outbound: Specifies the outbound direction.
Usage guidelines
If you do not specify the inbound or the outbound keyword, this command enables session logging in both directions.
A maximum of one IPv4 ACL and one IPv6 ACL can be applied to each direction.
After session logging is enabled, the device outputs session logs as follows:
· Outputs a session log when the specified traffic threshold or interval is reached.
· Outputs a session log when a session entry is created or removed only if the logging for session creation or deletion is enabled.
The session logging feature must work with the flow log or fast log output feature to generate session logs. Session logs can be output in flow log or fast log output format. By default, they are output in flow log format. For information about flow log and fast log output, see Network Management and Monitoring.
Examples
# Enable IPv4 session logging in the inbound direction of GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] session log flow-begin
[Sysname] session log flow-end
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] session log enable ipv4 inbound
# Enable session logging on GigabitEthernet 1/0/2 for IPv4 sessions that match ACL 2050 in the outbound direction.
<Sysname> system-view
[Sysname] session log flow-begin
[Sysname] session log flow-end
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] session log enable ipv4 acl 2050 outbound
# Enable session logging on GigabitEthernet 1/0/3 for IPv6 sessions that match ACL 2050 in the outbound direction.
<Sysname> system-view
[Sysname] session log flow-begin
[Sysname] session log flow-end
[Sysname] interface gigabitethernet 1/0/3
[Sysname-GigabitEthernet1/0/3] session log enable ipv6 acl 2050 outbound
Related commands
session log bytes-active
session log flow-begin
session log flow-end
session log packets-active
session log time-active
session log redirection-by-port
Use session log redirection-by-port to specify application port numbers for session log redirection.
Use undo session log redirection-by-port to delete application port numbers for session log redirection.
Syntax
session log redirection-by-port { port-value } &<1-32>
undo session log redirection-by-port [ port-value ] &<1-32>
Default
No application port number is specified for session log redirection.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
port-value: Specifies port numbers in the range of 1 to 65535. You can specify a maximum of 32 port numbers. If you do not specify this argument when using the undo session log redirection-by-port command, the command clears all application port numbers for session log redirection.
Usage guidelines
Non-default vSystems do not support this command.
In a network environment using traffic probes, devices that forward traffic mirror the traffic to the probe device to generate session logs. However, the mirrored traffic is not chronological. For example, if the probe device receives the response packet before the request packet, the source and destination information in the generated session log might be reversed.
To address this issue, you can configure application port numbers on the probe device as common destination port numbers for session log redirection. During log generation, if the source port number is the same as a configured application port number, the system switches the source and destination information in the session log.
Examples
# Specify the application port number as 53 for session log redirection.
<Sysname> system-view
[Sysname] session log redirection-by-port 53
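The swap rule described in the usage guidelines above, applied to constructed records as an added Python example (not vendor code). The SessionRecord fields and the sample addresses are assumptions; the "ambiguous" flag is an addition of this example that marks records where both ports are configured, so the port alone cannot tell client from server.

```python
from dataclasses import dataclass, replace

MAX_PORTS = 32  # the command accepts at most 32 port numbers


@dataclass(frozen=True)
class SessionRecord:
    """Hypothetical simplified record; not the device's log format."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def validate_ports(ports):
    """Enforce the documented limits: 1 to 32 ports, each in 1..65535."""
    ports = frozenset(ports)
    if not 1 <= len(ports) <= MAX_PORTS:
        raise ValueError("specify between 1 and 32 port numbers")
    bad = sorted(p for p in ports if not 1 <= p <= 65535)
    if bad:
        raise ValueError(f"port out of range 1-65535: {bad}")
    return ports


def redirect(record, app_ports):
    """Apply the redirection rule to one record.

    Returns (record, swapped, ambiguous). The rule is the one in the usage
    guidelines: swap source and destination when the source port is a
    configured application port. `ambiguous` is specific to this example.
    """
    swapped = record.src_port in app_ports
    ambiguous = swapped and record.dst_port in app_ports
    if swapped:
        record = replace(
            record,
            src_ip=record.dst_ip, src_port=record.dst_port,
            dst_ip=record.src_ip, dst_port=record.src_port,
        )
    return record, swapped, ambiguous


def normalize(records, ports):
    """Validate the port list, then apply the rule to every record."""
    app_ports = validate_ports(ports)
    return [redirect(r, app_ports) for r in records]


# Constructed records, as a probe might build them from mirrored packets
# that arrive out of order (documentation address ranges only).
SAMPLE = [
    SessionRecord("198.51.100.53", 53, "192.0.2.10", 40312),  # reply seen first
    SessionRecord("192.0.2.10", 40313, "198.51.100.53", 53),  # request seen first
    SessionRecord("203.0.113.7", 53, "198.51.100.53", 53),    # both ports configured
    SessionRecord("192.0.2.10", 51000, "203.0.113.80", 443),  # unrelated flow
]

if __name__ == "__main__":
    for rec, swapped, ambiguous in normalize(SAMPLE, [53]):
        state = "swapped" if swapped else "kept"
        note = " (direction not reliable)" if ambiguous else ""
        print(f"{rec.src_ip}:{rec.src_port} -> {rec.dst_ip}:{rec.dst_port} {state}{note}")
```

Records flagged as ambiguous are the ones to cross-check against another data source before relying on their direction in an investigation.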
session log flow-begin
Use session log flow-begin to enable logging for session creation.
Use undo session log flow-begin to disable logging for session creation.
Syntax
session log flow-begin
undo session log flow-begin
Default
Logging for session creation is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
For the device to output a session log when a session entry is created, make sure both session logging and logging for session creation are enabled.
Examples
# Enable logging for session creation.
<Sysname> system-view
[Sysname] session log flow-begin
Related commands
session log enable
session log flow-end
Use session log flow-end to enable logging for session deletion.
Use undo session log flow-end to disable logging for session deletion.
Syntax
session log flow-end
undo session log flow-end
Default
Logging for session deletion is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
For the device to output a session log when a session entry is deleted, make sure both session logging and logging for session deletion are enabled.
Examples
# Enable logging for session deletion.
<Sysname> system-view
[Sysname] session log flow-end
Related commands
session log enable
session log time-active
Use session log time-active to set the time-based session logging.
Use undo session log time-active to restore the default.
Syntax
session log time-active time-value
undo session log time-active
Default
The device does not output session logs.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
time-value: Specifies the interval in minutes. The value range for the time-value argument is 10 to 120, and the value must be a multiple of 10.
Usage guidelines
If you set both time-based and traffic-based logging, the device outputs a session log when either the interval or the traffic threshold is reached. After outputting a session log, the device resets the traffic counter and restarts the interval for the session.
Examples
# Configure the device to output session logs every 50 minutes.
<Sysname> system-view
[Sysname] session log time-active 50
Related commands
session log enable
session log { bytes-active | packets-active }
session log with-endtime
Use session log with-endtime to configure the session end time field for session creation logs and active session logs.
Use undo session log with-endtime to restore the default.
Syntax
session log with-endtime
undo session log with-endtime
Default
The session end time field is empty for session creation logs and active session logs.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This feature fills in the session end time field with the session creation time for sessions not aged out.
Examples
# Configure the session end time field for session creation logs and active session logs.
<Sysname> system-view
[Sysname] session log with-endtime
session persistent acl
Use session persistent acl to specify persistent sessions.
Use undo session persistent acl to restore the default.
Syntax
session persistent acl [ ipv6 ] acl-number [ aging-time time-value ]
undo session persistent acl [ ipv6 ] acl-number
Default
No persistent sessions exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not specify this keyword.
acl-number: Specifies an ACL by its number in the range of 2000 to 3999.
aging-time time-value: Specifies the aging time for persistent sessions in hours. The value range for the time-value argument is 0 to 360, and the default value is 24. To disable the aging for persistent sessions, set the value to 0.
Usage guidelines
This command is effective only on TCP sessions in ESTABLISHED state.
For a TCP session in ESTABLISHED state, the priority of the aging time is as follows:
· Aging time for persistent sessions.
· Aging time for sessions of application layer protocols.
· Aging time for sessions in different protocol states.
A persistent session is not removed until one of the following events occurs:
· The session entry ages out.
· The device receives a connection close request from the initiator or responder.
· You manually clear the session entries.
The configuration of persistent sessions applies only to new sessions. It has no effect on existing sessions.
Repeat this command to use multiple ACLs to specify persistent sessions.
Examples
# Specify IPv4 ACL 2000 for identifying persistent sessions and set the aging time to 72 hours.
<Sysname> system-view
[Sysname] session persistent acl 2000 aging-time 72
# Specify IPv6 ACL 3000 for identifying persistent sessions and set the aging time to 100 hours.
<Sysname> system-view
[Sysname] session persistent acl ipv6 3000 aging-time 100
Related commands
session aging-time application
session aging-time state
session state-machine mode
Use session state-machine mode to set the mode of session state machine.
Use undo session state-machine mode to restore the default.
Syntax
session state-machine mode { compact | loose }
undo session state-machine mode
Default
The session state machine is in strict mode.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
compact: Specifies compact mode.
loose: Specifies loose mode.
Usage guidelines
When asymmetric-path traffic exists in a hot backup system operating in session active/standby mode, set the mode of session state machine to loose to avoid abnormal traffic loss.
When asymmetric-path traffic exists in a hot backup system operating in session dual-active mode, set the mode of session state machine to compact so that disconnected sessions age out promptly.
As a best practice, change the mode of session state machine only when asymmetric-path traffic exists. This feature degrades performance of session-based security check. Make sure you are fully aware of the impact of this command when you use it on a live network.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the mode of session state machine to loose.
<Sysname> system-view
[Sysname] session state-machine mode loose
session statistics enable
Use session statistics enable to enable session statistics collection for software fast forwarding.
Use undo session statistics enable to disable session statistics collection for software fast forwarding.
Syntax
session statistics enable
undo session statistics enable
Default
Session statistics collection is disabled for software fast forwarding.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This command enables the device to collect the session-based outbound and inbound packets and bytes for software fast forwarding.
To display statistics per session, use the display session table command. To display statistics per packet type, use the display session statistics command.
This command does not take effect on packets processed by hardware fast forwarding. To collect statistics of packets processed by hardware fast forwarding, use the session statistics hardware-fast-forwarding command to enable statistics collection for hardware fast forwarding. For information about fast forwarding, see Layer 3—IP Services Configuration Guide.
This command is CPU and memory intensive. Before using this command, make sure you fully understand its impact on system performance.
Examples
# Enable session statistics collection for software fast forwarding.
<Sysname> system-view
[Sysname] session statistics enable
Related commands
display session statistics
display session table
session statistics hardware-fast-forwarding
session statistics hardware-fast-forwarding
Use session statistics hardware-fast-forwarding to enable session statistics collection and set the logging threshold for hardware fast forwarding.
Use undo session statistics hardware-fast-forwarding to disable session statistics collection for hardware fast forwarding.
Syntax
session statistics hardware-fast-forwarding { bytes-active bytes-value | packets-active packets-value }
undo session statistics hardware-fast-forwarding { bytes-active | packets-active }
Default
Session statistics collection is disabled for hardware fast forwarding.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
bytes-active bytes-value: Specifies the byte-based threshold in the range of 1 to 100000 MB.
packets-active packets-value: Specifies the packet-based threshold in the range of 1 to 100000 mega-packets.
Usage guidelines
This command enables the device to collect statistics on the packets processed by hardware fast forwarding for the session module and other service modules. These modules use the collected statistics to make their own statistics more accurate.
When you configure the following commands together, make sure you have specified the same type of logging threshold:
· session statistics hardware-fast-forwarding { bytes-active | packets-active }.
· session log { bytes-active | packets-active }.
When you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable session statistics collection and set the logging threshold to 10 MB for hardware fast forwarding.
<Sysname> system-view
[Sysname] session statistics hardware-fast-forwarding bytes-active 10
session synchronization { dns | http } *
Use session synchronization { dns | http } * to enable session synchronization for DNS, HTTP, or both.
Use undo session synchronization { dns | http } * to disable session synchronization for DNS, HTTP, or both.
Syntax
session synchronization { dns | http } *
undo session synchronization { dns | http } *
Default
Session synchronization is disabled for DNS and HTTP.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
dns: Specifies the DNS protocol.
http: Specifies the HTTP protocol.
Usage guidelines
Non-default vSystems do not support this command.
DNS or HTTP connections usually do not last long. When a DNS or HTTP connection is terminated because of an active/standby switchover, the client will immediately reinitiate a connection request. The connection exception is barely noticed.
DNS and HTTP sessions do not require session synchronization except for the following conditions:
· Users are aware that the current HTTP or DNS sessions will last for a long time.
· HTTP or DNS session backup is required.
For this command to take effect, you must also configure the session synchronization enable command.
This command takes effect only on sessions of the application protocols HTTP and DNS. Sessions of other application protocols will be backed up if the session synchronization enable command is configured.
Examples
# Enable session synchronization for stateful failover, and enable session synchronization for HTTP.
<Sysname> system-view
[Sysname] session synchronization enable
[Sysname] session synchronization http
Related commands
session synchronization enable
session synchronization enable
Use session synchronization enable to enable session synchronization for stateful failover.
Use undo session synchronization enable to disable session synchronization for stateful failover.
Syntax
session synchronization enable [ asymmetric ]
undo session synchronization enable
Default
Session synchronization for stateful failover is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
asymmetric: Specifies asymmetric traffic. If you do not specify this keyword, this command supports only symmetric traffic.
Usage guidelines
Non-default vSystems do not support this command.
This feature enables the master and backup devices to synchronize sessions and dynamic entries of session-based services.
In a network that has asymmetric traffic, heavy service traffic might cause service delay or service unavailability because sessions cannot be backed up in time. For example, one device forwards the TCP SYN packets, and another device forwards its ACK packets. If the session tables of the two devices are not synchronized, the TCP packets will be dropped because of state error. To resolve this issue, use the session synchronization enable asymmetric command.
This command cannot be used together with the hot-backup enable command. For information about the hot-backup enable command, see High Availability Command Reference.
Examples
# Enable session synchronization for stateful failover.
<Sysname> system-view
[Sysname] session synchronization enable
# Enable session synchronization for both symmetric and asymmetric traffic.
<Sysname> system-view
[Sysname] session synchronization enable asymmetric
Related commands
hot-backup enable (High Availability Command Reference)
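Several usage guidelines in this chapter state dependencies between commands: session log thresholds, session log time-active, session log flow-begin and flow-end, session flow-redirect hardware-fast-forwarding, session statistics hardware-fast-forwarding, and the two session synchronization commands. The following added Python example (not a vendor tool) checks a candidate configuration, such as a template before it is pushed, against those rules. It assumes the configuration is available as plain text with one command per line; the rule IDs and sample configurations are constructed.

```python
import re

THRESHOLD = r" (bytes-active|packets-active) \d+"


def lint_session_config(text):
    """Return a list of (rule_id, message) findings for a configuration text."""
    cmds = [ln.strip() for ln in text.splitlines()]
    cmds = [c for c in cmds if c and not c.startswith("#")]

    def has(cmd):
        # True if the command is present, with or without trailing arguments.
        return any(c == cmd or c.startswith(cmd + " ") for c in cmds)

    def last_threshold(cmd):
        # Threshold keyword of the last matching line (most recent one wins).
        kind = None
        for c in cmds:
            m = re.fullmatch(re.escape(cmd) + THRESHOLD, c)
            if m:
                kind = m.group(1)
        return kind

    findings = []
    log_kind = last_threshold("session log")
    hw_kind = last_threshold("session statistics hardware-fast-forwarding")

    if log_kind and not has("session statistics enable"):
        findings.append(("LOG-THRESHOLD-NEEDS-STATS",
                         "session log threshold set without session statistics enable"))
    if log_kind and hw_kind and log_kind != hw_kind:
        findings.append(("THRESHOLD-TYPE-MISMATCH",
                         f"session log uses {log_kind}, hardware statistics use {hw_kind}"))
    for c in cmds:
        m = re.fullmatch(r"session log time-active (\d+)", c)
        if m:
            value = int(m.group(1))
            if not (10 <= value <= 120 and value % 10 == 0):
                findings.append(("TIME-ACTIVE-INVALID",
                                 f"time-active {value} is not a multiple of 10 in 10..120"))
    if (has("session log flow-begin") or has("session log flow-end")) \
            and not has("session log enable"):
        findings.append(("FLOW-LOG-NEEDS-LOG-ENABLE",
                         "flow-begin/flow-end set but no interface has session log enable"))
    sync_proto = any(re.fullmatch(r"session synchronization (dns|http)( (dns|http))?", c)
                     for c in cmds)
    if sync_proto and not has("session synchronization enable"):
        findings.append(("SYNC-PROTOCOL-NEEDS-SYNC-ENABLE",
                         "DNS/HTTP synchronization set without session synchronization enable"))
    if has("session synchronization enable") and has("hot-backup enable"):
        findings.append(("SYNC-CONFLICTS-WITH-HOT-BACKUP",
                         "session synchronization enable used together with hot-backup enable"))
    if has("session flow-redirect hardware-fast-forwarding") and not (
            has("session flow-redirect enable") and has("hardware fast-forwarding enable")):
        findings.append(("REDIRECT-HWFF-INEFFECTIVE",
                         "needs session flow-redirect enable and hardware fast-forwarding enable"))
    return findings


# Constructed candidate configurations (flat text, one command per line).
BAD_CONFIG = """
session log packets-active 10
session statistics hardware-fast-forwarding bytes-active 10
session log time-active 45
session log flow-begin
session synchronization enable asymmetric
hot-backup enable
session flow-redirect hardware-fast-forwarding
"""

GOOD_CONFIG = """
session statistics enable
session log packets-active 10
session statistics hardware-fast-forwarding packets-active 10
session log time-active 50
session log flow-begin
session log flow-end
session synchronization enable
session synchronization http
hardware fast-forwarding enable
session flow-redirect enable
session flow-redirect hardware-fast-forwarding
interface GigabitEthernet1/0/1
 session log enable ipv4 inbound
"""

if __name__ == "__main__":
    for rule, message in lint_session_config(BAD_CONFIG):
        print(f"{rule}: {message}")
```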
session top-statistics enable
Use session top-statistics enable to enable the top session statistics feature.
Use undo session top-statistics enable to disable the top session statistics feature.
Syntax
session top-statistics enable
undo session top-statistics enable
Default
The top session statistics feature is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This command collects the number of sessions for session-based services and ranks the sessions by source address and by destination address.
To display the top session statistics, use the display session top-statistics command.
Examples
# Enable the top session statistics feature.
<Sysname> system-view
[Sysname] session top-statistics enable
Related commands
display session top-statistics