
How to fix traffic blocked because of exceeded session quota on traffic shaper

This article describes how to resolve a website access failure where the browser shows ‘Traffic blocked because of exceeded session quota’.

Scope

FortiOS

Solution

In this example, a per-ip traffic shaper is configured on the FortiGate:


The user is unable to access a web site. The web browser shows ‘Traffic blocked because of exceeded session quota’.


The debug flow shows ‘Denied by quota check’:


Checking the per-ip-shaper sessions shows dropped packets:


To resolve the issue, increase the maximum concurrent sessions of the per-ip traffic shaper:

FGVM # conf firewall shaper per-ip-shaper
FGVM (per-ip-shaper) # edit 50Mbps-Shaper
FGVM (50Mbps-Shaper) # set max-concurrent-session
max-concurrent-session Enter an integer value from <0> to <2097000>.
FGVM (50Mbps-Shaper) # set max-concurrent-session 100
FGVM (50Mbps-Shaper) # end

After increasing the max-concurrent-session, the user should be able to access the web site.
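
Before choosing a new max-concurrent-session value, it helps to know which clients are being denied. The following is an added example, not part of the original article or Fortinet tooling: it reads a saved debug flow capture and counts ‘Denied by quota check’ traces per source IP. The sample lines are constructed, and the line layout (trace_id, func, msg fields) is assumed to match the debug flow output in use.

```python
import re
from collections import Counter

# Constructed sample in the id/trace_id/func/line/msg layout of debug flow
# output. Addresses, ports, func names and line numbers are made up.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51000->203.0.113.10:443) from port2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=fw_forward_handler line=600 msg="Denied by quota check"
id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51001->203.0.113.10:443) from port2. flag [S], seq 7, ack 0, win 64240"
id=20085 trace_id=2 func=fw_forward_handler line=600 msg="Denied by quota check"
id=20085 trace_id=3 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 10.0.0.9:40222->198.51.100.7:80) from port2. flag [S], seq 3, ack 0, win 64240"
id=20085 trace_id=3 func=fw_forward_handler line=750 msg="Allowed by Policy-1:"
id=20085 trace_id=4 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 10.0.0.9:40223->198.51.100.7:80) from port2. flag [S], seq 9, ack 0, win 64240"
id=20085 trace_id=4 func=fw_forward_handler line=600 msg="Denied by quota check"
"""

# First line of a trace: carries the packet's source and destination.
PKT = re.compile(r'trace_id=(\d+) .*received a packet\(proto=\d+, '
                 r'([\d.]+):\d+->([\d.]+):\d+\)')
# Verdict line quoted in the article.
DENY = re.compile(r'trace_id=(\d+) .*msg="Denied by quota check"')


def quota_denials(text):
    """Return Counter of source IP -> number of traces denied by quota check."""
    src_by_trace = {}
    denied = Counter()
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            src_by_trace[m.group(1)] = m.group(2)
            continue
        m = DENY.search(line)
        if m:
            # A truncated capture may lack the packet line for this trace.
            denied[src_by_trace.get(m.group(1), "unknown")] += 1
    return denied


if __name__ == "__main__":
    for src, count in quota_denials(SAMPLE).most_common():
        print(f"{src}: {count} trace(s) denied by quota check")
```

A single source IP that dominates the count suggests one busy or misbehaving client rather than a quota that is too low for everyone.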