About My SSG5 Connection "Close-Tcp RST" when Sessions over 2000

  • Dear All,

I have a problem with my SSG5 VPN router. I have no idea why this router stops all connections from Trust to Untrust when the sessions go over 2000 😢, but I can still use the VIP service at the same time. :? I need to restart the router when the problem occurs. :x But after a few hours, the problem occurs again!!!  :? 😢 Can anyone help/teach me to fix this problem? Thank you so much! 🙂

  • Thank you Sir! The problem fixed. :mrgreen:

  • I’ve seen Skype (or torrents) taking down SSG5 devices because of too many sessions. (BTW, that didn’t happen with Zyxel Zywall 5.) I’ve just set the limit for the number of sessions from and to the same IP address in Trust and Untrust zone. That has helped me ever since.
    In particular, go to Security > Screening > Screen and set the session limits, both “Source IP Based Session Limit” and “Destination IP Based Session Limit”, to 500 or so, or even less.

    Another note - if you know which IP address is causing the huge number of sessions, then you don’t have to restart the router: use the command “clear session” with the appropriate src-ip or dst-ip, or “clear session all”. Or, alternatively, go to the GUI and uncheck the outgoing traffic policy for a few seconds. That will drop all of 'em.

    If you’ve defined custom services, then don’t let the timeout be “never” - that may also fill up the session table.

    You could also define your own UDP service with all ports 1024-65535, but with a short timeout, so the sessions don’t pile up.

  • I would block Skype. It is evil 🙂 Nah, I really don’t know. Skype wants too many open ports… it’s a common problem.

  • At this moment, I have removed the old service and policy to make our network smooth, and I just added a new policy blocking port 80 on top of the existing permit “any” service. But I wish to know how I can permit just the Skype service. Looking for your help.

  • Hard to tell. You can set shorter timeouts. Check “get sess” on the CLI to see the sessions increase. Maybe Skype made you a supernode hehe

  • @don_stupido:

    Any custom services defined?

    Yes, I have. I defined a service for Skype. The setting is TCP src port 1-65535, dst port 1024~65535. Is there something wrong with that?? I need to control that some staff can’t use the web service, excluding Skype and mail. After the setting was finished, the problems occurred. Please help me!

  • Any custom services defined?