Diagnose the reasons for the large number of active sessions in the ZyWALL

In the ZyWALL web configurator, the following situation can sometimes be observed (the number of active sessions is almost at its maximum, with only a few computers connected to the device):

Go to the Monitor > System Status > Session Monitor menu and see which computers are connected (in our example, only 3 clients are connected to the ZyWALL 110).
Now you need to figure out which computer opens so many sessions:
1. Connect to the device using the SSH protocol or the console port of the console.
2. In the command-line interface (CLI), run the following command:
Router> debug system show conntrack
3. Find the IP address from which a large number of sessions are created via the ZyWALL.
In our example, we observed a large number of the following records of the form:
tcp 6 115 SYN_SENT src = dst = AA.AA.AA.AA sport = 22372 dport = 80 packets = 1 bytes = 985 [UNREPLIED] src = XX.XX.XX.XX dst = OO.OO.OO. OO sport = 80 dport = 22372 packets = 0 bytes = 0 mark = 0 use = 2
4. When you determine the source's specific IP address (in our example, it is src = from which the network flood is going, disconnect the computer with this IP address from the Ethernet network and then monitor the situation again.
In our example, after the computer with the IP address was disconnected from the network, the number of active sessions immediately decreased from 79878 to 217.
Thus, the source of the problems was discovered, and further, it will be necessary to identify the cause of such a large number of connections from the computer.
As an example, we give several reasons for the emergence of many network sessions on a computer.
But one of the reasons may be running downloads of torrents. In this case, many active network connections are created on the computer (requests from the internal network to the external network and vice versa). The number of such sessions can amount to hundreds and even thousands. Another reason may be viruses (trojans) or other types of network attacks that actively use many sessions.

Articles in this section

Was this article helpful?
2 out of 2 found this helpful



Please sign in to leave a comment.