devices global-settings session-limits connect-rate burst

tsiemers1
Spotlight

Can anybody explain what the number is doing when this is set? We are hitting a problem where sending multiple live-status commands to NSO from our OSS causes the following error on the device

%SECURITY-SSHD-6-INFO_GENERAL : Incoming SSH session rate limit exceeded

To fix this on the device side I set the ssh rate limit from the default of 60 to 300 packets per minute, which fixed the issue.

I decided to look if NSO had a fix on its end so I don't have to touch all devices and let NSO handle the rate limit. I found the above command but can't find what the setting will actually do. Let's say I have the router set for 60 packets per minute, or one per second; could I set the above command to 60 as well to limit the number of SSH request packets at the device?

5 Replies

Nabsch
Spotlight

Here is the description that I found in the YANG file.

       description
                "The number of concurrent connect attempts allowed.
                 For example, the devices managed by NSO talk to the same
                 server for authentication which can only handle a limited
                 number of connections at a time. Then we can limit
                 the concurrency of connect attempts with this setting.";

By default the value is unlimited.

admin@ncs# show running-config devices global-settings session-limits connect-rate burst
devices global-settings session-limits connect-rate burst unlimited

The limit is for preventing errors from the AAA server. I had faced some issue related to that in the past. In our lab, our TACACS server can handle up to 360 connections. So once the limit is reached, you aren't able to connect to the devices, and if you are already connected you cannot execute any command since the server cannot handle any new connections. In this case, you have two options:

  • Increase the TACACS connection limit
  • Limit in NSO the simultaneous connections using this setting

Thanks. Looks like we are facing another issue where auth is fine but SSH on the device is rate-limiting the number of packets per minute.

 Others  
------------
                     DSCP  := 16
                Ratelimit  := 300
             Sessionlimit  := 20
                Rekeytime  := 60
       Server rekeyvolume  := 1024
  TCP window scale factor  := 1
            Backup Server  := Disabled

I set it to 300 on a device and it worked for now. Still looking for a way to send all show commands to NSO for live-status in one shot instead of SSH connection per show command on XR.

Nabsch
Spotlight

NSO will try to use the same connection if there is any available connection. Here is a link to the session-pool documentation that might help you.

You can check the session-pool:

admin@ncs# show devices session-pool
                  DEVICE            MAX        IDLE
DEVICE            TYPE    SESSIONS  SESSIONS   TIME
-----------------------------------------------------
TEST-IOS-XR-3.51  cli     1         unlimited  30

In this example, NSO will try to maintain the connection for 30 seconds.

  • If we send any command before the expiration of the idle-time, it will use the same connection.
  • If we don't send any command during the idle-time, then NSO will close the connection.

I hope it answers your question.

I'll have to open a tac case. The router shows that NSO is trying to log in once per the show command. For reference, we are running an API that calls the live-status API for 3 show commands. Monitoring the router we are seeing an ssh login from NSO per show command. Going to start with our OSS vendor first to see how they are sending the API calls then get a case with NSO if that doesn't help. Thanks for the guide.

You need to check the API logs, or the device logs if traces are enabled, to find the interval between the live-status calls.

You can try to increase the idle-time to see if it's going to solve your issue.

admin@ncs# show running-config devices global-settings session-pool | details
devices global-settings session-pool idle-time 30
devices global-settings session-pool pool-max-sessions 200
admin@ncs#
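To make the session-pool behaviour described in the replies above concrete, and to tie it to the device-side SSH Ratelimit from the earlier post, here is a small Python model. It is an added example written for this thread, not code from NSO, Cisco or any of the posters. It applies the rule stated above (a live-status call reuses a pooled session released less than idle-time ago, otherwise NSO logs in to the device with a new SSH session; per-device max-sessions taken as unlimited, as in the `show devices session-pool` output) to a constructed polling workload, then counts how many logins the router would see in any one-minute window against the IOS XR default of 60. The workload (3 show commands per poll, one poll every 2 seconds), the command durations and the `Call`, `simulate_logins`, `peak_per_minute` and `assess` names are assumptions of the example, not NSO or OSS behaviour documented on this page.

```python
"""Model NSO's per-device session pool against a device-side SSH rate limit.

Added example for this thread; not code from NSO or from any poster.
Pool semantics are the ones described in the replies: a live-status call
reuses a pooled session if one was released no more than idle-time seconds
ago, otherwise NSO opens a new SSH session (one login on the device); a
session idle longer than idle-time is closed by NSO.
"""
from dataclasses import dataclass

IDLE_TIME_S = 30.0       # devices global-settings session-pool idle-time (from the thread)
XR_SSH_RATELIMIT = 60    # IOS XR default: 60 incoming SSH sessions per minute (from the thread)


@dataclass(frozen=True)
class Call:
    start: float      # seconds at which the live-status command is issued
    duration: float   # seconds the show command holds the session (> 0)


def simulate_logins(calls, idle_time=IDLE_TIME_S):
    """Return the times at which NSO has to log in to the device.

    Sessions are tracked by their release time.  A call gets a pooled session
    if one is idle, otherwise a new one; there is no per-device cap, matching
    MAX SESSIONS 'unlimited' in the thread.  idle_time=0 disables reuse.
    """
    idle = []      # release times of sessions sitting in the pool
    busy = []      # release times of sessions currently executing a command
    logins = []
    for call in sorted(calls, key=lambda c: c.start):
        t = call.start
        # sessions whose command finished strictly before t are back in the pool ...
        idle += [r for r in busy if r < t]
        busy = [r for r in busy if r >= t]
        # ... unless they sat idle longer than idle-time, in which case NSO closed them
        idle = [r for r in idle if t - r <= idle_time]
        if idle:
            idle.remove(max(idle))          # reuse a pooled session: no new login
        else:
            logins.append(t)                # pool empty: new SSH session on the device
        busy.append(t + call.duration)
    return logins


def peak_per_minute(times, window=60.0):
    """Largest number of logins inside any sliding window of `window` seconds."""
    times = sorted(times)
    peak = 0
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def assess(calls, idle_time=IDLE_TIME_S, ratelimit=XR_SSH_RATELIMIT):
    """Summarise the logins `calls` produce and whether the device would rate-limit them."""
    logins = simulate_logins(calls, idle_time)
    peak = peak_per_minute(logins)
    return {"logins": len(logins), "peak_per_minute": peak, "rate_limited": peak > ratelimit}


# Constructed workload (assumption of this example): an OSS polls one XR router
# every 2 seconds for a minute, issuing 3 live-status show commands per poll.
POLL_TIMES = range(0, 60, 2)
# all 3 commands fired at once, each holding its session for 1 s
PARALLEL_POLL = [Call(start=float(p), duration=1.0) for p in POLL_TIMES for _ in range(3)]
# the same 3 commands sent one after another, 0.5 s apart
SERIAL_POLL = [Call(start=p + 0.5 * k, duration=0.4) for p in POLL_TIMES for k in range(3)]

if __name__ == "__main__":
    print("parallel, pooled  :", assess(PARALLEL_POLL))
    print("parallel, no pool :", assess(PARALLEL_POLL, idle_time=0.0))
    print("serial, pooled    :", assess(SERIAL_POLL))
```

Run it and compare the "no pool" case with the pooled ones: the same 90 show commands produce 90 logins in a minute with no reuse (well over the default limit of 60), 3 logins when the commands are fired in parallel but pooled, and a single login when they are serialised through one pooled session. That is why checking the interval between the OSS calls against idle-time, as suggested above, is the right first step; if the router keeps logging one login per show command while NSO is configured as shown, the observed behaviour does not match this model, and that discrepancy is what the TAC case should establish.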