Friday 3 July 2015

Only a few PCs are connected to the ZyWALL 110, but the number of active sessions is almost at the limit.

Scenario

When I logged in to the device, I found that the number of active sessions was almost at the limit.

But when I went to the monitor page, there were only three clients on the ZW110.



How can we check where these sessions come from?

Steps

1. Access the device via SSH or console.
2. Use this CLI command to dump the conntrack table on the ZW:
     Router> debug system show conntrack
3. Check the IP addresses to find out which host keeps creating conntrack entries through the ZW.
4. When you have found the specific IP address that keeps flooding the network, power off that PC and then monitor the ZW again.


We saw this kind of conntrack entry keep showing up on the ZyWALL:

tcp      6 115 SYN_SENT src=10.10.10.23 dst=AA.AA.AA.AA sport=22372 dport=80 packets=1 bytes=985 [UNREPLIED] src=XX.XX.XX.XX dst=OO.OO.OO.OO sport=80 dport=22372 packets=0 bytes=0 mark=0 use=2
So we powered off that PC (10.10.10.23), and the number of sessions on the ZW dropped directly from 79878 to 217.
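
Step 3 is hard to do by eye when the table holds tens of thousands of entries. The script below is an added example (not part of the original post and not Zyxel code) that tallies a saved dump by original source address and counts how many of each host's entries are still [UNREPLIED]. It assumes every entry follows the format of the line shown above; the sample dump is constructed, with documentation-range addresses in place of the masked ones.

```python
from collections import Counter

def parse_entry(line):
    """Parse one conntrack line; return None for prompts, banners, blanks."""
    tokens = line.split()
    if len(tokens) < 4 or not tokens[1].isdigit():
        return None
    orig = {}
    for tok in tokens:
        key, sep, val = tok.partition("=")
        if sep and key not in orig:  # first src=/dst= is the original direction
            orig[key] = val
    if "src" not in orig:
        return None
    # TCP entries carry a state in the fourth field; UDP entries do not
    state = tokens[3] if "=" not in tokens[3] else "-"
    return {"proto": tokens[0], "state": state, "src": orig["src"],
            "dport": orig.get("dport"), "unreplied": "[UNREPLIED]" in tokens}

def top_sources(dump, n=5):
    """Return [(src_ip, entries, unreplied_entries)], busiest source first."""
    total, unreplied = Counter(), Counter()
    for line in dump.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        total[entry["src"]] += 1
        unreplied[entry["src"]] += entry["unreplied"]
    return [(ip, count, unreplied[ip]) for ip, count in total.most_common(n)]

def build_sample():
    """Constructed dump: one noisy host plus two normal ones (not real output)."""
    lines = ["Router> debug system show conntrack"]
    for i in range(40):
        lines.append(
            f"tcp      6 115 SYN_SENT src=10.10.10.23 dst=203.0.113.{i + 1} "
            f"sport={22372 + i} dport=80 packets=1 bytes=985 [UNREPLIED] "
            f"src=203.0.113.{i + 1} dst=198.51.100.7 sport=80 "
            f"dport={22372 + i} packets=0 bytes=0 mark=0 use=2")
    lines.append("tcp      6 431990 ESTABLISHED src=10.10.10.5 dst=203.0.113.200 "
                 "sport=51000 dport=443 packets=12 bytes=4096 src=203.0.113.200 "
                 "dst=198.51.100.7 sport=443 dport=51000 packets=10 bytes=8192 "
                 "[ASSURED] mark=0 use=2")
    lines.append("udp      17 25 src=10.10.10.6 dst=203.0.113.53 sport=40000 "
                 "dport=53 packets=1 bytes=60 src=203.0.113.53 dst=198.51.100.7 "
                 "sport=53 dport=40000 packets=1 bytes=120 mark=0 use=2")
    return "\n".join(lines)

if __name__ == "__main__":
    for ip, count, unanswered in top_sources(build_sample()):
        print(f"{ip:15} entries={count:6} unreplied={unanswered}")
```

To use it on a real device, log the SSH session output to a file and pass the file's text to `top_sources()` instead of the constructed sample.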
