Sessions on Juniper SSG520 Firewall Max Out
Problem Description:
If access to or from off-campus becomes slow or times out, the number of sessions in use on the Juniper SSG520 firewall may be maxed out. The most common cause is a virus-infected PC on campus attempting to reach a large number of off-campus IPs.
Resolution:
To determine if sessions are maxed out:
1 - Log onto the Web management console of the SSG520 (168.26.252.2, with admin and the standard network password)
2 - In the upper right corner under Resources Status, the Sessions bar will be full and red. An almost-full yellow bar indicates a potential issue. The status should typically be green and below 30%.
To look for a potential problem PC:
1 - Log onto the Web management console of the SSG520 (168.26.252.2, with admin and the standard network password)
2 - On the left menu, expand Reports and click Policy. At the top, set the List size from 20 (default) to 100. Scan down the Log Count column looking for any extremely high (>1000) entries. Pay particular attention to the 4 entries whose service has "Conficker" in its name.
3 - Click the blue-green grid/magnifying glass icon to see that policy's sessions. Look for any IP with an extremely high number of sessions.
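As an added example (not part of this article or of the SSG520 itself), a small Python script that applies the same triage to a table of session records: it counts sessions per source IP, applies the >1000 rule, and also counts distinct destinations, since a worm-infected PC fans out to many off-campus IPs while a busy but legitimate host usually talks to only a few. The session records and policy names are constructed sample data, not real SSG520 output.

```python
from collections import Counter, defaultdict

# Constructed session records (src_ip, dst_ip, dst_port, policy_name).
# This is sample data for the example, not the SSG520's own session format.
SAMPLE_SESSIONS = (
    [("10.20.1.15", f"203.0.113.{i}", 445, "Conficker-TCP445") for i in range(1, 1201)]
    + [("10.20.1.15", f"198.51.100.{i}", 139, "Conficker-TCP139") for i in range(1, 301)]
    + [("10.20.2.40", "192.0.2.10", 443, "Web-Out") for _ in range(900)]  # busy, legitimate
    + [("10.20.3.7", "192.0.2.20", 80, "Web-Out") for _ in range(12)]
)


def summarize_sources(sessions):
    """Return {src_ip: {"sessions": n, "distinct_dsts": n, "policies": Counter}}."""
    acc = defaultdict(lambda: {"sessions": 0, "dsts": set(), "policies": Counter()})
    for src, dst, _port, policy in sessions:
        entry = acc[src]
        entry["sessions"] += 1
        entry["dsts"].add(dst)
        entry["policies"][policy] += 1
    return {
        src: {"sessions": e["sessions"], "distinct_dsts": len(e["dsts"]), "policies": e["policies"]}
        for src, e in acc.items()
    }


def flag_suspects(sessions, session_threshold=1000, dst_threshold=100):
    """Flag sources that exceed the article's >1000 session rule, hit a policy whose
    name contains "Conficker", or fan out to many distinct destinations (scanning pattern).
    Returns a list of (src_ip, [reasons]) sorted with the most reasons first."""
    flagged = []
    for src, e in summarize_sources(sessions).items():
        reasons = []
        if e["sessions"] > session_threshold:
            reasons.append(f"{e['sessions']} sessions")
        if e["distinct_dsts"] > dst_threshold:
            reasons.append(f"{e['distinct_dsts']} distinct destinations")
        conficker_hits = sum(n for name, n in e["policies"].items() if "Conficker" in name)
        if conficker_hits:
            reasons.append(f"{conficker_hits} Conficker-policy sessions")
        if reasons:
            flagged.append((src, reasons))
    flagged.sort(key=lambda item: -len(item[1]))
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_suspects(SAMPLE_SESSIONS):
        print(src, "->", "; ".join(reasons))
```

With the sample data, only 10.20.1.15 is flagged; 10.20.2.40 stays under the session threshold and talks to a single destination, so it is not reported.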
To clear the sessions (once this is done, the Policy Report can no longer be used to look for the problem PC):
1 - Log onto the CLI management of the SSG520 with admin and the standard network password
-- Open PuTTY
-- Use a Telnet connection to 168.26.252.2
-- Under Terminal options, set Local echo to "Force on" (otherwise what you type in the telnet screen will not display until you press Enter)
2 - Enter the command "clear session all" and press Enter. Example output below:
----
SSG520-> clear session all
clear session all
Total cleared software sessions :5643
----
Revision Date: 6/13/2011