R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

Configuring session aging times based on application layer protocol type
NOTE:
Aging times set in this task apply only to the sessions in the READY/ESTABLISH state.
For sessions in the READY (with UDP) or ESTABLISH (with TCP) state, you can set the session aging times
according to the types of the application layer protocols to which the sessions belong.
Follow these steps to set session aging times based on application layer protocol type:
To do...                                                         Use the command...                                           Remarks
Enter system view                                                system-view
Set the aging time for sessions of an application layer protocol application aging-time { dns | ftp | msn | qq } time-value   Required
NOTE:
If a large number of sessions (more than 800000) exist, do not set aging times that are too short.
Otherwise, the console may be slow to respond.
Enabling checksum verification
To ensure that session tracking is not affected by packets with checksum errors, you can enable checksum
verification for protocol packets. With checksum verification enabled, the session management feature
processes only packets with correct checksums, and packets with incorrect checksums will be processed
by other services based on the session management.
Follow these steps to enable checksum verification for protocol packets:
To do...                       Use the command...                                   Remarks
Enter system view              system-view
Enable checksum verification   session checksum { all | { icmp | tcp | udp } * }    Required. Disabled by default.
NOTE:
Checksum verification may degrade the card performance. Enable it with caution.
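What a "correct checksum" means for the icmp and udp options above, shown as an added Python illustration (not HP code and not part of this guide). The addresses, ports and payloads are constructed, and treating a zero UDP checksum as "not computed" follows RFC 768; how the module itself handles that case is not stated in this guide.

```python
import socket
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                          # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                           # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    # IPv4 pseudo-header shared by UDP (proto 17) and TCP (proto 6)
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, length)

def icmp_checksum_ok(msg: bytes) -> bool:
    # The checksum covers the whole ICMP message; an intact one sums to zero
    return len(msg) >= 8 and internet_checksum(msg) == 0

def udp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    if len(seg) < 8:
        return False                             # truncated header
    if seg[6:8] == b"\x00\x00":
        return True                              # RFC 768: sender computed no checksum
    return internet_checksum(pseudo_header(src, dst, 17, len(seg)) + seg) == 0

def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    csum = internet_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)
    body = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = internet_checksum(pseudo_header(src, dst, 17, length) + body) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def corrupt(pkt: bytes, offset: int) -> bytes:
    # Flip one bit, as a transmission error would
    return pkt[:offset] + bytes([pkt[offset] ^ 0x01]) + pkt[offset + 1:]

# Constructed sample traffic (documentation addresses, made-up payloads)
SRC, DST = "192.0.2.10", "198.51.100.53"
ICMP_GOOD = build_icmp_echo(0x1234, 1, b"health-check")
UDP_GOOD = build_udp(SRC, DST, 53000, 53, b"constructed dns query")
ICMP_BAD, UDP_BAD = corrupt(ICMP_GOOD, 10), corrupt(UDP_GOOD, 12)

if __name__ == "__main__":
    print("icmp:", icmp_checksum_ok(ICMP_GOOD), icmp_checksum_ok(ICMP_BAD))
    print("udp: ", udp_checksum_ok(SRC, DST, UDP_GOOD), udp_checksum_ok(SRC, DST, UDP_BAD))
```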
Specifying the persistent session ACL
You can set some sessions that have specific characteristics as persistent sessions. The aging time of a
persistent session does not vary with the session state transitions, nor will a persistent session be
removed because no packets match it. A persistent session can be specified with an aging time that is
longer than those of common sessions (up to 360 hours), or be configured to be a permanent connection,
which will be cleared only when the session initiator or responder sends a request to close it or you clear
it manually.
You can set the persistent session criteria by specifying a basic or advanced access control list (ACL). All
sessions permitted by the ACL are persistent sessions.