WAAS out of session - Symantec End Point

Rafael Romero · ‎09-20-2012

Hi,

We have a router 3845 with a WAE-522-K9. Eventually we have received notifications about "session limit" and we got this:

Current Active Optimized Flows: 790

Current Active Optimized TCP Plus Flows: 790

Current Active Optimized TCP Only Flows: 0

Current Active Optimized TCP Preposition Flows: 0

Current Active Auto-Discovery Flows: 0

Current Reserved Flows: 10

Current Active Pass-Through Flows: 155

Historical Flows: 387

D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio

A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO

ConnID Source IP:Port Dest IP:Port PeerID Accel RR

........................................................

I was reading some trouble shooting documents but i cannot get a solution. It could be a "Denial of Service" or a misconfiguration of SEP.

Both Servers are Symantec End Point Servers.

Thanks for your support

131107 12.17.2.5:4423 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 14.1%

131173 12.17.2.5:4465 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 02.4%

131175 12.17.2.5:4489 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 48.6%

131200 12.17.2.5:4514 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 31.9%

131211 12.17.2.5:4515 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 10.1%

131259 12.17.2.5:4561 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 30.1%

131295 12.17.2.5:4591 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 31.3%

131332 12.17.2.5:4619 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 14.1%

131345 12.17.2.5:4629 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 14.1%

131402 12.17.2.5:4665 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 00.0%

131424 12.17.2.5:4706 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 06.4%

131439 12.17.2.5:4725 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 16.2%

131444 12.17.2.5:4744 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 23.3%

131473 12.17.2.5:4796 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 31.9%

131482 12.17.2.5:4813 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 21.9%

131498 12.17.2.5:4824 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 31.8%

131500 12.17.2.5:4839 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 07.4%

Natalie Ramirez · ‎09-20-2012

What version of WAAS OS are you on and how long has it been since you reset your Policy Rules to the default? Also, from enable, do a "clear connection" to purge all those out of there and get things accelerating again. The WAAS policy rules stay the same through each upgrade, so if your original policy rules date back to version 4.1.1, there have been a lot of enhancements since then.

I had a similar problem with Sophos corporate virus protection. Each of my clients would open 20+ sessions to the Sophos update server and max out my connections.

I was on WAAS OS Version 4.4.3c when it was happening. My first solution, was to create a Policy for Pass through only on the Sophos TCP port destination. I kept this policy in place until I upgraded to WAAS OS verion 5.0.1 about a month ago. After the update, I removed the rule and reset all rules to the default, which the default rule set from 5.0 is different than the default ruleset on 4.3.x which I had kept through every upgrade. I reset the ruleset for a different issue, but after I did the reset, the Sophos Clients only took 2 TCP sessions each. One from Client to Server, one from Server to Client.

Natalie Ramirez · ‎09-20-2012

Oops, just realized you are on a 522. Those can not be upgraded to 5.0.1. You can upgrade them to 4.5, if you have maintenance on it and you jump through a bunch of hoops with TAC, filling out surveys, and tons of details about your network.