Skip to main content
Versa Networks

Configure Service and Session Options

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.png For supported software information, click here.

Versa Operating SystemTM (VOSTM) devices are preconfigured with service options that define optimal operational and performance parameters for the device. In most cases, you should not modify these parameters without explicit guidance from a Versa Networks technical team member. However, you can choose to modify the following:

  • Maximum number of sessions allowed on a VOS device. This maximum is the total number of sessions for all tenants on the VOS device.
  • Session-related parameters, such as the timeout values for a session and for particular protocols, and the TCP MSS adjustment.
  • IPsec cipher key check, to comply with NIAP FCS_IPSEC_EXT.1.14 requirements (for Releases 22.1.1 and later).
  • Least loaded worker thread mode. You can configure this option to monitor the service load for each worker thread and distribute new sessions to minimize the maximum worker thread service load.

Note: For options not discussed in this article, do not modify them without explicit guidance from a Versa Networks technical team member.

Change the Maximum Number of Allowed Sessions

The default maximum number of sessions that a VOS device supports is automatically adjusted down or up based on the total amount of system memory.

The following table shows the maximum number of sessions supported for different amounts of memory. It is recommended that you do not increase the maximum number of sessions beyond the values shown in the table because the VOS software is tuned to handle the maximum values.

Total Memory (RAM) Maximum Number of Sessions
4 GB 32,000
8 GB 100,000
16 GB 500,000
32 GB 1,000,000
64 GB 2,500,000
96 GB 4,000,000
> 96 GB 5,000,000

For an amount of RAM not listed in the table above, the default maximum number of sessions is 5,000,000.

Note that you should change the maximum number of sessions only during a service maintenance window, because as soon as you make the change, all services on the VOS device restart automatically.

For Releases 21.1.3 and later, and Releases 21.2.1 and later, you can modify the default maximum of sessions. Before you change the values, it is recommended that you contact Versa Networks Customer Support.

It is recommended that you monitor the number of sessions and change the maximum number of sessions based on your peak production loads. For a VOS device to be operational, memory consumption should always be less than 90 percent. For VOS devices that have more than 32 GB RAM, you should also change the session limit at the tenant level. Otherwise, the maximum number of sessions is limited to 1 million per tenant, regardless of the maximum limit set on the device. Note that when you change the session limit at the tenant level, you do not need to restart services on the VOS device. To change the session limit for a tenant, see Configure Organization Limits.

Because the earlier default value for the session limit was 1,000,000 (for releases prior to Release 21.2.1), if you configure a value of 1,000,000, you cannot distinguish between an explicitly configured value and the earlier system default. It is recommended that you configure a value slightly more or less than 1,000,000 to override the older default value of 1,000,000.

To change the maximum number of allowed sessions on a VOS device:

  1. In Director view:
    1. Select the Configuration tab in the top menu bar.
    2. Select Devices > Devices in the left menu bar.
    3. Select an organization in the left menu bar.
    4. Select a device in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Others > System > Configuration > Configuration in the left menu bar.

    configuration-configuration-v2-border.png
  4. In the Service Options section, click the edit_icon.png Edit icon.
  5. In the Edit Service Options window, select the General tab.
  6. In the Maximum Allowed Session field, enter the number of sessions.

    Note: You should change the maximum number of sessions only during a service maintenance window, because as soon as you click OK, all services on the VOS device restart automatically.

    edit-service-options-v3-border.png
     
  7. Click OK.

Configure IPsec Cipher Key Check

For Releases 22.1.1 and later.

You can configure a VOS device to meet NIAP FCS_IPSEC_EXT.1.14 requirements by enabling the IPsec cipher key check option. Enabling IPsec cipher key check affects the VOS device only when FIPS mode is enabled on the device. For information about enabling FIPS mode, see FIPS Compliance.

To view, enable, or disable IP cipher key check for a VOS device:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a VOS device in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Others > System > Configuration > Configuration in the left menu bar. The following screen displays.

    configuration-configuration-v2-border.png
     
  4. In the Service Options section, scroll down to view the setting for IPsec Cipher Key Check. A checked box icon indicates that the feature is enabled, and an unchecked box icon indicates that the feature is disabled.

    Config_Others_System_Config_Config_Service_Options_area-v2-border.png
     
  5. To enable or disable the IPsec cipher key check option, click theedit_icon.png Edit icon. The Edit Service Options window displays.

    Config_Others_System_Config_Config_Edit_IPsec_cipher-v2-full-border.png
     
  6. On the General tab, click the checkbox for IPsec Cipher Key Check to change the setting.
  7. Click OK.

Configure Least Loaded Worker Thread Mode

To configure least loaded worker thread mode for a VOS device:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a VOS device in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Others > System > Configuration > Configuration in the left menu bar. The following screen displays.

    service-options-home-v2-border.png
  4. In the Service Options section, scroll down to view the setting for Least Loaded Worker Thread. A checked box icon indicates that the feature is enabled, and an unchecked box icon indicates that the feature is disabled.

     service-options-edit-v2-border.png
  5. To enable or disable least loaded worker thread mode, click theedit_icon.png Edit icon. The Edit Service Options window displays.
  6. On the General tab, enter information for the following fields.

    service-options-edit1-v2-border.png
     
    Field Description
    Least Loaded Worker Thread Mode

    Specify the metric to use for worker thread workload, which determines how sessions are distributed. The least loaded worker thread mode preserves the legacy (flawed) redistribution of workload based on session count for backward compatibility.

    • Service load
    • Session count

    Default: Service load
    Use Least Loaded Worker Thread

    Click the checkbox to enable the distribution of sessions based on worker thread workload.

    For Release 22.1.3 and Release 22.1.4 builds dated 2024-11-12 or earlier, restart Versa Networks services for the changes to take effect.
  7. Click OK.

Configure IP Packet Reassembly

When an IP packet exceeds the Maximum Transmission Unit (MTU) of a network link, it is split into smaller fragments for transmission. The VOS software reassembles these fragments back into the original packet before applying policies and forwarding the packet.
 
VOS provides four configurable parameters to control how the IP reassembly engine behaves:

  • Which CPU core class performs the reassembly
  • How much packet buffer memory is allowed before reassembly is throttled (low buffer and high buffer)
  • How long incomplete fragment queues are held before being discarded

To configure IP packet reassembly:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a VOS device in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Others > System > Configuration > Configuration in the left menu bar. The following screen displays.

    service-options-home-v3-border.png
  4. In the Service Options section, click the edit_icon.png Edit icon. The Edit Service Options window displays.
  5. Select the IP Reassembly tab, and then enter information for the following fields.

    IP-reassembly-tab-border.png
     
    Field Description
    Max Life Time

    Enter the maximum time that an incomplete fragmentation queue is held in memory before being discarded, in seconds. Each worker thread runs a recurring stale fragment cleanup timer at this interval. When the timer fires, VOS evicts all incomplete fragment queues that have exceeded this lifetime, and frees the associated packet buffers.

    Range: 5 through 240 seconds

    Default: 15 seconds
    Low Buffer Threshold

    Enter the recovery threshold for IP fragmentation packet-buffer utilization. This parameter is only evaluated after the high buffer threshold has been crossed and the system is in memory pressure state, dropping all fragmented packets.
     When the aggregate in-use fragment table entry count drops to or below the threshold derived from this percentage of the BSD cluster mbuf pool size, VOS clears the memory pressure flag and resumes reassembly.

    Range: 1 through 100

    Default: 60
    High Buffer Threshold

    Enter the upper limit of IP fragmentation packet-buffer utilization. VOS runs a periodic timer that aggregates in-use fragment reassembly table entries across all worker threads and compares the total against a threshold derived from this percentage of the BSD cluster mbuf pool size.
    When the in-use count reaches or exceeds this threshold, VOS sets a global memory pressure flag that causes all incoming fragmented packets to be dropped across all worker threads. Reassembly does not resume until buffer utilization drops back to the low buffer threshold.

    Range: 1 through 100

    Default: 80
    Core Class

    Select a core class (traffic class) to which incoming IP-fragmented packets are steered for reassembly. When the packet dispatcher detects a fragmented packet, it assigns the packet to a worker thread belonging to the configured core class for reassembly.

    Range: c0 through c7

    Default: c7
     

    Value Description
    c0 Core Class 0, default mapped to TC0
    c1 Core Class 1, default mapped to TC1
    c2 Core Class 2, default mapped to TC2   
    c3 Core Class 3, default mapped to TC3   
    c4 Core Class 4, user-defined class
    c5 Core Class 5, user-defined class
    c6 Core Class 6, user-defined class
    c7 Core Class 7, user-defined class (default for IP reassembly)

  6. Click OK. 

Configure Session Parameters

To configure session parameters:

  1. In Director view:
    1. Select the Configuration tab in the top menu bar.
    2. Select Templates > Device Templates in the horizontal menu bar.
    3. Select an organization in the left menu bar.
    4. Select a template in the main pane. The view changes to Appliance view.
  2. Select Others > System > Configuration > Configuration in the left menu bar. The following screen displays.

    configure-sessions-main-page-v2-border.png
  3. In the Sessions section, click the edit_icon.png Edit icon.
  4. In the Edit Sessions window, enter information for the following fields.

    configure-sessions-edit-sessions2.png
     
    Field Description
    Timeout (Group of Fields)

    Define session timeout values. All session timeout values, except for Hard Session, are the idle time period in seconds. The idle timer starts when the last packet in either direction was last seen.
    • Default
    		 This field is deprecated and is not used.
    • Hard Session
    		 Total duration of a session, after which the session times out. Note that this value is not an idle timeout but rather the lifetime of a session.
    • ICMP Session

    Idle timeout for ICMP sessions.

    Default: 10 seconds
    • TCP Half Open
    		 Timeout for a TCP session after it receives a synchronize (SYN) packet and before completion of the three-way handshake.
    Default: 8 seconds
    • TCP Half Closed

    Timeout for a TCP session after it receives the first finish (FIN) packet and before it receives the second FIN packet or a reset (RST) packet.
    Default: 120 seconds
    • TCP Session

    Idle timeout for TCP sessions.

    Default: 240 seconds
    • TCP Wait

    Session idle timeout after a TCP session has received a FIN or RST packet in either direction.

    Default: 20 seconds
    • UDP Session

    Idle timeout for UDP sessions.

    Default: 30 seconds
    Flags (Group of Fields)  
    • Allow Unsupported Protocol
    		 Click to accept non-IP protocol packets. The VOS device performs an IP protocol validity check to determine the packet's protocol.
    • Check TCP SYN

    Click to reject the first packet of a TCP session if, when the TCP session is being set up, the SYN flag is not set in the first packet. To accept the first packet, ensure that this option is not selected.

    By default, the VOS device firewall rejects the first packet if the packet's SYN flag is not turned on. This security measure is taken is because normal TCP connections start with a three-way handshake, which means that if the first packet that the firewall sees is not the SYN packet, it is likely that the packet is not valid and the firewall discards it. In cases such as asymmetric routing, you might want to disable this feature.
    • Reevaluate Reverse Flow
    		 Click to reevaluate the packet policy for first packet of a reverse flow if the forward flow action is set to Drop.
    • Send ICMP Unreachable
    		 Click to send ICMP unreachable messages to a source if a route lookup fails.
    • Session Reevaluate
    		 Click to reevaluate a session when the configuration or a route changes.
    • TCP Secure Reset
    		 Click to follow the secure criteria for accepting TCP reset RST packets.
    • TCP Send Reset
    		 Click to send an RST packet to the source if the SYN flag in the first packet of a new TCP flow is not set.
    TCP MSS Adjustment (Group of Fields) Configure the maximum segment size (MSS). This is the largest packet, in bytes, that the VOS device can receive in a single TCP segment. The MSS does not include the TCP header (20 bytes) or the IP header (20 bytes).
    • Enable
    		 Click to allow the TCP MSS on an interface to be adjusted.
    • Interface Types

    Select the interface on which to set TCP MSS adjustment value:

    • All—Set on all interfaces.
    • Tunnel—Set only for the traffic that goes through the tunnel interface.
    • MSS Value

    Enter the TCP MSS value.

    Range: 512 to 8960 bytes
    Interim Update (Group of Fields) Configure interim update parameters.
    • Disable
    		 Click to disable interim updates.
    • Interim Update Interval

    Enter the time between updates.

    Range: 60 to 3600 seconds
    Log Unknown Host-Bound Packets (For Releases 22.1.3 and later.) Configure the logging of unknown packets that are destined for a VOS IP address.
    • Disable
    		 Click to disable logging.
    • Interval
    		 Enter the logging time.
    Default: 60 seconds
  5. Click OK.

Supported Software Information

Releases 20.2 and later support all content described in this article, except:

  • For Release 21.2.1, the default maximum number of sessions that a VOS device supports is automatically adjusted down or up based on the total amount of system memory.
  • Release 22.1.1 adds the IP cipher key check.
  • Release 22.1.3 adds the log unknown host-bound packets session option.