
Configuring Session Aging Using the CLI

You can change the session aging time on the FW to suit the requirements of the network.

Context

You can set the session aging time for each service as required.

Generally, the default aging time of the session table is used. Before changing it, estimate and identify the traffic types and the number of connections in the actual network: lengthening the aging time for a whole protocol keeps idle sessions in the table longer and raises session table usage. For special services that require long-lived connections, you are advised to use the persistent connection function instead of running the following command to lengthen the aging time for all traffic of a certain protocol.

In some scenarios, such as when the number of concurrent sessions on the FW rises sharply, new sessions for legitimate services may fail to be created because the session table is close to full. In this case, you can enable the fast session aging function to accelerate the aging process: sessions are aged out before their aging time expires, which rapidly reduces session table usage.

Procedure

  1. Access the system view.

    system-view

  2. Set the aging time of the session table.

    firewall session aging-time { service-set session-type aging-time | default }

  3. Optional: Configure the fast aging of DNS sessions.
    1. Enable the fast aging of DNS sessions.

      firewall dns fast-aging enable

    2. Set the fast aging time of DNS sessions.

      firewall dns fast-aging time aging-time

      aging-time is the aging time of DNS sessions, in seconds: a DNS session ages out aging-time seconds after the device receives the reply packet from the DNS server.

      By default, the fast aging time of DNS sessions is 3 seconds. The value 0 indicates that the DNS session is aged out immediately.

    3. Check the configuration of the fast aging of DNS sessions.

      display firewall dns fast-aging

  4. Optional: Configure fast session aging.

    The fast session aging function does not take effect for persistent-connection sessions, or for TCP/SCTP sessions whose connections are being established or torn down.

    Fast DNS session aging works by specifying a fixed aging time for DNS sessions. Fast session aging, by contrast, does not change the configured aging time of a session; it sets a percentage by which the aging time is shortened, so that sessions are aged out before the configured aging time expires. When both fast DNS session aging and fast session aging are enabled, the FW ages sessions based on both the specified DNS session aging time and the early-ageout percentage.

    1. Enable the fast session aging function.

      firewall session fast-aging enable

      By default, the function is enabled.

    2. Configure the session table usage and memory usage thresholds at which the fast session aging function takes effect and at which it is released.

      Configure the session table usage thresholds:

      firewall session fast-aging { lower-threshold | upper-threshold } threshold

      Configure the memory usage thresholds:

      firewall session fast-aging memory-usage { lower-threshold | upper-threshold } threshold

      By default, fast aging of IPv4 or IPv6 sessions takes effect when the IPv4 or IPv6 session table usage reaches 80%, and is released when the IPv4 or IPv6 session table usage drops to 60% or lower.

      By default, fast aging of IPv4 or IPv6 sessions takes effect when the memory usage reaches 90%, and is released when the memory usage drops to 75% or lower.

      When either the session table usage or the memory usage reaches its upper threshold, the fast session aging function takes effect. It is released only when both the session table usage and the memory usage have dropped to their lower thresholds or below. The gap between the lower and upper thresholds is what prevents the function from toggling on and off while usage hovers near a single value, so keep the lower threshold clearly below the upper one.

    3. Set the percentage of the aging time by which sessions are aged in advance.

      firewall session fast-aging early-ageout percent

      The default percentage is 20%.

      For example, with the early-ageout percentage (aging acceleration coefficient) at 20%, a session whose aging time is 5 minutes is normally deleted after 5 minutes without a matching packet. While fast session aging is in effect, it is aged 1 minute (5 x 20%) early: if no packet matches the session within 4 minutes, the session is deleted.
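The following Python model, added here as an example and not Huawei code, ties the steps above together: it parses a constructed configuration snippet written with the command forms shown in this procedure, then simulates the upper/lower threshold hysteresis that switches fast session aging on and off and the early-ageout shortening of a session's aging time. The FW's own implementation is not shown on the page; the "undo" form of the enable commands and the value-range checks are assumptions, and the usage figures fed to the model are constructed.

```python
"""Constructed model of fast session aging (not Huawei code)."""
import re
from dataclasses import dataclass

# Constructed configuration using the command forms from the procedure.
# Thresholds and early-ageout deliberately differ from the documented defaults.
SAMPLE_CONFIG = """
system-view
firewall session aging-time default
firewall dns fast-aging enable
firewall dns fast-aging time 2
firewall session fast-aging enable
firewall session fast-aging upper-threshold 85
firewall session fast-aging lower-threshold 65
firewall session fast-aging memory-usage upper-threshold 90
firewall session fast-aging memory-usage lower-threshold 75
firewall session fast-aging early-ageout 25
"""


@dataclass
class FastAgingConfig:
    """Defaults are the documented ones: 80/60 session, 90/75 memory, 20%, DNS 3 s."""
    enabled: bool = True
    session_upper: int = 80
    session_lower: int = 60
    memory_upper: int = 90
    memory_lower: int = 75
    early_ageout_percent: int = 20
    dns_fast_aging: bool = False
    dns_fast_aging_time: int = 3


_THRESHOLD = re.compile(r"firewall session fast-aging (memory-usage )?(upper|lower)-threshold (\d+)")
_EARLY = re.compile(r"firewall session fast-aging early-ageout (\d+)")
_DNS_TIME = re.compile(r"firewall dns fast-aging time (\d+)")


def parse_config(text: str) -> FastAgingConfig:
    """Build a FastAgingConfig from the fast-aging commands in a snippet."""
    cfg = FastAgingConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        undo = line.startswith("undo ")          # assumed VRP-style revert
        line = line[len("undo "):] if undo else line
        if (m := _THRESHOLD.fullmatch(line)):
            scope = "memory" if m.group(1) else "session"
            setattr(cfg, f"{scope}_{m.group(2)}", int(m.group(3)))
        elif (m := _EARLY.fullmatch(line)):
            cfg.early_ageout_percent = int(m.group(1))
        elif (m := _DNS_TIME.fullmatch(line)):
            cfg.dns_fast_aging_time = int(m.group(1))
        elif line == "firewall session fast-aging enable":
            cfg.enabled = not undo
        elif line == "firewall dns fast-aging enable":
            cfg.dns_fast_aging = not undo
        # system-view and per-service aging-time commands are not modelled.
    # Assumed sanity checks: hysteresis only works with lower < upper.
    if cfg.session_lower >= cfg.session_upper or cfg.memory_lower >= cfg.memory_upper:
        raise ValueError("lower threshold must be below the upper threshold")
    if not 0 <= cfg.early_ageout_percent <= 100:
        raise ValueError("early-ageout must be a percentage")
    return cfg


class FastAgingState:
    """Trigger when either usage reaches its upper threshold; release only when
    both usages are at or below their lower thresholds."""

    def __init__(self, cfg: FastAgingConfig):
        self.cfg, self.active = cfg, False

    def update(self, session_usage: float, memory_usage: float) -> bool:
        cfg = self.cfg
        if not cfg.enabled:
            self.active = False
        elif not self.active:
            self.active = session_usage >= cfg.session_upper or memory_usage >= cfg.memory_upper
        else:
            self.active = not (session_usage <= cfg.session_lower and memory_usage <= cfg.memory_lower)
        return self.active


def effective_aging_time(cfg: FastAgingConfig, active: bool, base_seconds: float,
                         persistent: bool = False, tcp_transitional: bool = False) -> float:
    """Idle seconds before deletion. Persistent-connection sessions and TCP/SCTP
    sessions being set up or torn down are exempt from fast aging."""
    if not active or persistent or tcp_transitional:
        return base_seconds
    return base_seconds * (100 - cfg.early_ageout_percent) / 100


def dns_timeout_after_reply(cfg: FastAgingConfig, base_seconds: float) -> float:
    """Idle seconds before a DNS session is deleted once the server reply arrives."""
    return cfg.dns_fast_aging_time if cfg.dns_fast_aging else base_seconds


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    state = FastAgingState(cfg)
    for sess, mem in [(50, 50), (86, 50), (70, 50), (60, 80), (60, 70)]:   # constructed usage samples
        on = state.update(sess, mem)
        print(f"session {sess}% memory {mem}%: fast aging {'on' if on else 'off'}, "
              f"300 s session ages in {effective_aging_time(cfg, on, 300):.0f} s")
```

Run it to see the hysteresis in action: fast aging switches on when session usage crosses 85%, stays on while memory usage is still above 75% even after session usage has recovered, and only switches off once both metrics are at or below their lower thresholds.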

Follow-up Procedure

To view the aging time of the session table, run the display firewall session aging-time [ type { pre-defined | user-defined } ] command.

Copyright © Huawei Technologies Co., Ltd.