
XG 550 performance slow, high "Sessions" amount

We have an XG 550 rev. 2 configured with 2 different internet connections and a 10 gig fiber card for the LAN port.  We have been experiencing DDOS attacks which we have an external service mitigating.  What we have found is that at certain times during the attacks or even after they have subsided we experience the XG getting extremely high session counts (1.5 million, 1.8 million, even 2.1 million at one point). This causes our internet connectivity to grind to a halt for some amount of time.  The slowness is unusable in most cases.

Sometimes we disconnect the ISP line that doesn't have DDOS mitigation on it to see if we can fix the issue.  It almost feels like when we do that, the session count and memory usage climbs through the roof. In one case we had the second line disconnected, the attack was mitigated on the first line, but the session count and memory stayed high.  We rebooted the firewall, down for 10 minutes then the sessions went right back up!  We plugged the second line back in and immediately the session count came down.  So confused. Can anyone shed any light on this?



  • Sessions are basically conntrack table entries. It seems like some system is overloading your system with sessions. You should get some expertise in-house to find the root cause of this attack. 

    It could be an attack or a network issue with loops. 

    Maybe try the following: 

    Conntrack is responsible for the sessions in XG firewall. 

    You can check which kind of connections is filling this up, but you need Linux CLI knowledge to do so: 

    conntrack -L will list all current sessions (basically 1.8M entries). 

    You can pipe them and start grepping. conntrack -L | grep NEW | wc -l      will list basically all new sessions currently seen and count them. 

    https://www.linuxtopia.org/Linux_Firewall_iptables/x1347.html

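As an added example (not part of the reply above or of Sophos' own tooling), the following POSIX shell script summarizes a `conntrack -L` dump the way a defender would when the session table is at 1.8M entries: which source addresses own the most entries, how many entries are half-open (`[UNREPLIED]`, i.e. the reply direction never answered, the typical signature of a SYN or UDP flood filling the table), and the per-state breakdown. The input lines are constructed for offline testing; the addresses, ports and counts are assumptions, not values from this thread. On a real box, replace the embedded sample with the live dump as shown in the comment.

```shell
#!/bin/sh
# Summarize a conntrack -L dump (added example; constructed sample data below).
# Live use: conntrack -L 2>/dev/null | top_sources | head
# Each conntrack line carries the protocol, a timeout, a TCP state (only for
# TCP entries), then the original-direction src=/dst=/sport=/dport= tuple
# followed by the reply-direction tuple and flags such as [UNREPLIED].

SAMPLE='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=198.51.100.2 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.0.2.77 dst=198.51.100.2 sport=40001 dport=80 [UNREPLIED] src=198.51.100.2 dst=192.0.2.77 sport=80 dport=40001 mark=0 use=1
tcp      6 117 SYN_SENT src=192.0.2.77 dst=198.51.100.2 sport=40002 dport=80 [UNREPLIED] src=198.51.100.2 dst=192.0.2.77 sport=80 dport=40002 mark=0 use=1
tcp      6 116 SYN_SENT src=192.0.2.77 dst=198.51.100.2 sport=40003 dport=80 [UNREPLIED] src=198.51.100.2 dst=192.0.2.77 sport=80 dport=40003 mark=0 use=1
udp      17 29 src=192.0.2.78 dst=198.51.100.2 sport=5353 dport=53 [UNREPLIED] src=198.51.100.2 dst=192.0.2.78 sport=53 dport=5353 mark=0 use=1
tcp      6 431998 ESTABLISHED src=10.0.0.6 dst=203.0.113.11 sport=51235 dport=443 src=203.0.113.11 dst=198.51.100.2 sport=443 dport=51235 [ASSURED] mark=0 use=1'

# Count entries per original-direction source address, highest first.
# Only the first src= field on each line is the originator; the second is the reply tuple.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); c[$i]++; break } }
         END { for (s in c) print c[s], s }' | sort -rn
}

# Number of entries whose reply direction never answered (half-open / one-way traffic).
count_unreplied() {
    grep -c '\[UNREPLIED\]' || true
}

# Entries per TCP state; UDP/ICMP entries have no state field, so they are
# labelled with their protocol name instead.
state_breakdown() {
    awk '{ state = ($4 ~ /^src=/) ? $1 : $4; c[state]++ }
         END { for (s in c) print c[s], s }' | sort -rn
}

# Stand-alone demo over the constructed sample.
echo "Top sources:";        printf '%s\n' "$SAMPLE" | top_sources | head -n 3
echo "Unreplied entries:";  printf '%s\n' "$SAMPLE" | count_unreplied
echo "By state:";           printf '%s\n' "$SAMPLE" | state_breakdown
```

If one or a handful of sources dominate `top_sources` and most of their entries are `SYN_SENT`/`[UNREPLIED]`, the table is being filled by unanswered connection attempts rather than by legitimate established sessions, which is the distinction worth having before deciding whether the problem is the attack itself or a routing loop re-injecting the same traffic.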
