Huawei router Session exhaustion: troubleshooting and fix
Category: Network. Published 2022-01-20.

# Heavy private-network traffic exhausting the device's Session resources

Background

When there is attack activity on the network, or simply a large volume of legitimate business traffic, the router receives a large amount of traffic, and its Session and Block memory resources are quickly exhausted and exceed the threshold. Other, normal users may then experience slow Internet access because no Session or Block resources can be allocated to them. In that case, follow this section to check whether the device's Session and Block resources are normal. If the resources turn out to be exhausted, use the traffic-policy or traffic-filter command to stop the abnormal traffic from passing through the interface, and at the same time locate the attack source and disinfect it. If the legitimate traffic itself is simply too large and exceeds the device's capacity, the device must be replaced with a higher-performance model.

Troubleshooting steps:

1. Run the `display logbuffer` command and check whether the log buffer contains a large number of logs about Session and Block memory resource overload.

```
display logbuffer
Logging buffer configuration and contents: enabled
Allowed max buffer size: 1024
Actual buffer size: 512
Channel number: 4, Channel name: logbuffer
Dropped messages: 0
Overwritten messages: 167
Current messages: 512
Mar 5 2021 15:47:25+08:00 Huawei %%01FORWARD/4/SESSION-RES-LACK(l)[135]:The device session resources were overloaded.(Usage = 94%)
Mar 5 2021 16:29:25+08:00 Huawei %%01FORWARD/4/CAP-BLOCK-RES-LACK(l)[259]:The block memory resources were overloaded.(Usage = 97%)
Mar 5 2021 16:34:25+08:00 Huawei %%01FORWARD/4/SESSION-RES-LACK(l)[261]:The device session resources were overloaded.(Usage = 92%)
Mar 5 2021 16:43:25+08:00 Huawei %%01FORWARD/4/CAP-BLOCK-RES-LACK(l)[273]:The block memory resources were overloaded.(Usage = 96%)
```

2. Enter the diagnostic view and run `display session statistics top 10 order-by source-ip` to list the Session information of the top 10 users by source IP address.

```
system-view
[Huawei] diagnose
[Huawei-diagnose] display session statistics top 10 order-by source-ip
Session statistic top 10 (Condition: Source IP, Service: SESSION, Items: 10, Total Sessions: 25768)
-------------------------------------------------------------------------------------------------
TOP-N   IP/Port          Counts      Percentage(%)
-------------------------------------------------------------------------------------------------
1       192.168.1.99     19714       76.505744
2       192.168.1.88     5988        23.238125
3       192.168.1.165    9           0.034927
```

3. If the device's Session count has reached the device's specification, and the top 10 contains a large number of sessions established by private-network hosts (the source IP addresses are private-network host addresses, for example 192.168.1.99 and 192.168.1.88 in step 2), there may be attack activity inside the private network. Run `display session statistics top 10 order-by destination-port` to further examine the port information of the sessions established by the private-network hosts. In this example, private-network users have established a large number of sessions to destination ports 445 and 1433, so it is recommended to configure an ACL rule on the private-network interface to deny traffic to destination ports 445 and 1433.

```
[Huawei-diagnose] display session statistics top 10 order-by destination-port
Session statistic top 10 (Condition: Destination Port, Service: SESSION, Items: 10, Total Sessions: 25768)
-------------------------------------------------------------------------------------------------
TOP-N   IP/Port          Counts      Percentage(%)
-------------------------------------------------------------------------------------------------
1       445              15486       60.097796
2       1433             9565        37.119683
3       3389             648         2.514747
[Huawei-diagnose] quit
[Huawei] interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0] display this
#
 ip address 192.168.1.255 255.255.255.0
#
[Huawei-GigabitEthernet0/0/0] quit
```

- Bind the ACL to a traffic policy and apply the policy to private-network interface GE0/0/0, so that traffic to destination ports 445 and 1433 is no longer allowed through the private-network interface, which resolves the fault.

```
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule 20 permit tcp destination-port eq 445
[Huawei-acl-adv-3000] rule 25 permit tcp destination-port eq 1433
[Huawei-acl-adv-3000] quit
[Huawei] traffic classifier virus operator or
[Huawei-classifier-virus] if-match acl 3000
[Huawei-classifier-virus] quit
[Huawei] traffic behavior virus
[Huawei-behavior-virus] deny
[Huawei-behavior-virus] quit
[Huawei] traffic policy virus
[Huawei-trafficpolicy-virus] classifier virus behavior virus
[Huawei-trafficpolicy-virus] quit
[Huawei] interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0] traffic-policy virus outbound
[Huawei-GigabitEthernet0/0/0] traffic-policy virus inbound
[Huawei-GigabitEthernet0/0/0] quit
```

- If no attack activity is found on the private network after this check, the private network simply carries a lot of business traffic and the high volume is normal; the current device's performance can no longer meet the private network's needs, and a higher-performance device is required.
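The three checks above (resource-overload logs in `display logbuffer`, top talkers by source IP, top destination ports) are easy to automate when the CLI output is collected regularly. The following Python script is an added example, not code from the original post or from Huawei: it parses constructed samples modelled on the post's output (column spacing and exact whitespace are assumed, since the real output's layout is not preserved on the page), flags SESSION-RES-LACK / CAP-BLOCK-RES-LACK alarms at or above a usage threshold, and reports any source IP or destination port that accounts for more than a configurable share of all sessions. The thresholds (90% usage, 20% share) and the function names are the example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample of 'display logbuffer', based on the lines quoted in the post.
LOGBUFFER_SAMPLE = """\
Mar 5 2021 15:47:25+08:00 Huawei %%01FORWARD/4/SESSION-RES-LACK(l)[135]:The device session resources were overloaded.(Usage = 94%)
Mar 5 2021 16:29:25+08:00 Huawei %%01FORWARD/4/CAP-BLOCK-RES-LACK(l)[259]:The block memory resources were overloaded.(Usage = 97%)
Mar 5 2021 16:34:25+08:00 Huawei %%01FORWARD/4/SESSION-RES-LACK(l)[261]:The device session resources were overloaded.(Usage = 92%)
Mar 5 2021 16:43:25+08:00 Huawei %%01FORWARD/4/CAP-BLOCK-RES-LACK(l)[273]:The block memory resources were overloaded.(Usage = 96%)
"""

# Constructed samples of 'display session statistics top 10 order-by ...' (whitespace assumed).
TOP_BY_SRC_SAMPLE = """\
Session statistic top 10 (Condition: Source IP, Service: SESSION, Items: 10, Total Sessions: 25768)
-------------------------------------------------------------------------------------------------
TOP-N   IP/Port          Counts      Percentage(%)
-------------------------------------------------------------------------------------------------
1       192.168.1.99     19714       76.505744
2       192.168.1.88     5988        23.238125
3       192.168.1.165    9           0.034927
"""

TOP_BY_DPORT_SAMPLE = """\
Session statistic top 10 (Condition: Destination Port, Service: SESSION, Items: 10, Total Sessions: 25768)
-------------------------------------------------------------------------------------------------
TOP-N   IP/Port          Counts      Percentage(%)
-------------------------------------------------------------------------------------------------
1       445              15486       60.097796
2       1433             9565        37.119683
3       3389             648         2.514747
"""

# Matches the two FORWARD/4 resource alarms and captures the reported usage percentage.
ALARM_RE = re.compile(
    r"FORWARD/4/(?P<event>SESSION-RES-LACK|CAP-BLOCK-RES-LACK)\(l\)\[\d+\]:"
    r".*\(Usage = (?P<usage>\d+)%\)"
)
# One data row of the top-N table: rank, IP or port, session count, percentage.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+([\d.]+)\s*$")
TOTAL_RE = re.compile(r"Total Sessions:\s*(\d+)")


@dataclass
class TopEntry:
    rank: int
    key: str          # source IP or destination port, depending on the order-by condition
    counts: int
    percentage: float


def parse_resource_alarms(logbuffer: str) -> list[tuple[str, int]]:
    """Return (event, usage%) for every resource-overload log line."""
    return [(m["event"], int(m["usage"]))
            for line in logbuffer.splitlines() if (m := ALARM_RE.search(line))]


def parse_top(text: str) -> tuple[int, list[TopEntry]]:
    """Parse the total session count and the data rows of a top-N table."""
    total_match = TOTAL_RE.search(text)
    total = int(total_match.group(1)) if total_match else 0
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:   # header, separator and banner lines do not match the row pattern
            rows.append(TopEntry(int(m[1]), m[2], int(m[3]), float(m[4])))
    return total, rows


def heavy_hitters(entries: list[TopEntry], min_share: float) -> list[str]:
    """Keys whose share of all sessions is at least min_share percent."""
    return [e.key for e in entries if e.percentage >= min_share]


def assess(logbuffer: str, top_src: str, top_dport: str,
           usage_threshold: int = 90, share_threshold: float = 20.0) -> dict:
    """Combine the three checks from the post into one verdict dictionary."""
    alarms = parse_resource_alarms(logbuffer)
    total, by_src = parse_top(top_src)
    _, by_dport = parse_top(top_dport)
    return {
        "alarm_count": len(alarms),
        "overloaded": any(u >= usage_threshold for _, u in alarms),
        "peak_session_usage": max((u for e, u in alarms if e == "SESSION-RES-LACK"), default=0),
        "total_sessions": total,
        "suspect_sources": heavy_hitters(by_src, share_threshold),
        "suspect_dports": heavy_hitters(by_dport, share_threshold),
    }


if __name__ == "__main__":
    verdict = assess(LOGBUFFER_SAMPLE, TOP_BY_SRC_SAMPLE, TOP_BY_DPORT_SAMPLE)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

On the post's figures the script reports the device as overloaded (peak Session usage 94%), names 192.168.1.99 and 192.168.1.88 as the hosts to inspect, and lists 445 and 1433 as the destination ports to filter, which is exactly the input needed for the ACL in the fix above. A share threshold of 20% is deliberately coarse; on a larger private network a lower value or a per-host baseline will be more useful.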