Troubleshooting High Session Use in Netscreen Firewalls ************************************************ This purpose of this document basically gives us a brief overview of the way of troubleshooting high session use in the Netscreen Firewalls . In other words , we can also say it shows us the way how we can proceed in analyzing the sessions in the Netscreen and finding the system (user) which creates a more number of sessions (toptalkers) and also the port where the user system is connected to the access switch with few commands .
What is a Session ?
In networking, a Session is a semi-permanent interactive information exchange, also known as a dialogue between two or more communicating devices, or between a computer and user. A session is set up or established at a certain point in time, and torn down at a later point in time. An established communication session may involve more than one message in each direction. In a session typically, but not always, at least one of the communicating parts need to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses. Communication sessions may be implemented as part of protocols and services at the application layer, at the session layer or at the transport layer in the OSI model. •
Application layer examples: o HTTP sessions, which may allow dynamic web pages, i.e. interactive web pages, as opposed to static web pages. o A telnet remote login session Session layer example: o A Session Initiation Protocol (SIP) based Internet phone call Transport layer example: o A TCP session, which is synonymous to a TCP virtual circuit, a TCP connection, or an established TCP socket.
Now that we understand the basic concept why sessions are significant , let us proceed towards the first step in getting the session data for later analysis .
1) Getting session data from Netscreen :
i) When we look at the alert with summary saying “high_session_use” (for example high_session_use: gurvpn1_gur), we find out the high session use alert is from which VPN device . To explain the scenario lets take an example of an alert say from gurvpn1. We may also have to consider emails from iGlassfirstname.lastname@example.org with subject line high_session_use , because sometimes we may not get an alert but still we have to consider it seriously and have to troubleshoot on it .
In the email , it would display something like the following : High sessions on gurvpn1_gur is 83.1% . We have to consider it serious if high sessions for any site is above 40 % . ii) So we login to the VPN device by using our usual tool for troubleshooting teraterm or putty . We ssh to the gurvpn1 with the monitor account (user priviledged) . Ssh monitor@gurvpn1 iii) Now after we login to the netscreen device we click on the option (in teraterm) file log option on the teraterm tool to save the data in a notepad .In putty however we don’t have this option till date so basically we have to copy the output of this window in a notepad later. Now on the netscreen user prompt , we can use the command get session to show us all the session data . gurvpn1(M)->get session Then we keep on pressing any key to show the full data on the tool . After it is done , we close the separate window opened for the log file. iv) Now we locate the file we saved and rename it with just a file extension “.nss”. For Example : GURVPN1_high session use_date.nss
2) Analysing the session data
We have 2 choices here to analyse the data : A) Without the software (using commandline to pick out toptalkers ) B) Using the software NSSA which eases our job .
A) Without the software (using commandline to pick out toptalkers ) In this case we login to the zombie of that particular site (in this case (zombie.gur)) For example : In this case we can login to the zombie.gur and execute the following command after the prompt : sudo...
Please join StudyMode to read the full document