Thread: Session Limit

  1. #1
    Untanglit
    Join Date
    Nov 2009
    Posts
    29

    Session Limit

    So, I have a bit of a bump this morning: I hit the 10,000 session limit hard. Called up UT Support and found that even though Untangle scans sessions and can provide a small list of sessions, it is unable to report back where those mystery 8,000 sessions came from (I normally run ~2,000 sessions). It's like an army at the gates, but you don't know if it's the French, English, Spanish, etc.

    I could view the active sessions via session monitor but that tool is pretty useless when dealing with this number of sessions.

    Untangle really needs a way to count the number of sessions per client or per server. Since it can provide the session count, how much work would it take to provide a session count per source or destination IP?

    I dumped ucli sessions to a log file, then rebooted the box, which fixed the issue. Call this a request for a better session event log.

  2. #2
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,877

    Check Attack Blocker. Your sessions very likely originate from a small number of users, maybe even a single user, that found a way to slip some BitTorrent traffic through the uvm. That will show up in Attack Blocker as a very high-scoring IP. Failing Attack Blocker, use Application Control Lite to scan for (not block) anything in the p2p category, and look for the user/IP with the most detections.

    When you find the person, I've found that a captive portal rule on their IP that forces them to log in frequently (about every 90 minutes) is often very effective at correcting the behavior. It makes a user aware he's being watched, and means he can't cause much damage unless he is physically present at the machine. After a while the bad traffic will go away and you can remove the capture rule, or he'll complain and you can deal with him more directly, in which case the traffic will still go away and you can still remove the capture rule.
    Last edited by jcoehoorn; 03-06-2012 at 09:50 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  3. #3
    Untanglit
    Join Date
    Nov 2009
    Posts
    29

    Attack Blocker didn't pick up anything; I am scanning for everything in p2p. Currently I use QoS and bandwidth control to give them a 52k dialup experience if they fire up a p2p app. Seems to work pretty well, normally.

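An added example, not part of any post in this thread and not Untangle code: a per-client and per-server session count of the kind requested in post #1, plus the number of distinct servers each client talks to. It assumes the session table is available as Linux conntrack-style text; the thread does not show the format of the `ucli sessions` dump, so the sample lines and the names `tally`, `heavy_clients` and `conntrack_line` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# The first src=/dst= pair on a conntrack line is the original direction; the
# second pair is the reply tuple and must not be counted as another session.
# Lines without ports (ICMP, headers, truncated lines) do not match.
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=\d+ dport=\d+")

def tally(lines):
    """Return (sessions per client, sessions per server, distinct servers per client)."""
    by_src, by_dst, peers = Counter(), Counter(), defaultdict(set)
    for line in lines:
        m = TUPLE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        by_src[src] += 1
        by_dst[dst] += 1
        peers[src].add(dst)
    return by_src, by_dst, peers

def heavy_clients(lines, limit=10000, share=0.25):
    """Clients holding at least `share` of the session limit, busiest first."""
    by_src, _, peers = tally(lines)
    floor = limit * share
    return [(ip, n, len(peers[ip])) for ip, n in by_src.most_common() if n >= floor]

def conntrack_line(src, dst, sport, dport):
    """Build one constructed sample line in conntrack layout (assumed format)."""
    return (f"ipv4 2 tcp 6 431999 ESTABLISHED src={src} dst={dst} sport={sport} "
            f"dport={dport} src={dst} dst={src} sport={dport} dport={sport} [ASSURED] use=2")

# Constructed data: one client fanning out to many servers, two ordinary clients.
SAMPLE = [conntrack_line("192.168.1.77", f"203.0.113.{i}", 40000 + i, 6881) for i in range(1, 9)]
SAMPLE += [conntrack_line("192.168.1.10", "198.51.100.7", 51000 + i, 443) for i in range(3)]
SAMPLE += [conntrack_line("192.168.1.11", "198.51.100.7", 52000, 443), "garbage line"]

if __name__ == "__main__":
    by_src, by_dst, _ = tally(SAMPLE)
    print("per client:", by_src.most_common(3))
    print("per server:", by_dst.most_common(3))
    # The limit is scaled down here to fit the 12-session constructed sample.
    for ip, n, fanout in heavy_clients(SAMPLE, limit=12, share=0.5):
        print(f"{ip}: {n} sessions to {fanout} distinct servers")
```

A client with both a high session count and a high distinct-server count is the first one to check against the P2P detections discussed in post #2.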