Per-session VRF and IPv6

Hello. I can't get the Per-session VRF feature working with the IPv6 protocol. IPv4 is working fine.
Here is what I've got:
test1 Cleartext-Password := "test"
    Framed-Protocol = PPP,
    Service-Type == Framed-User,
    Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat",
    Cisco-AVPair += "ip:vrf-id=NoNAT",
    Cisco-AVPair += "ip:ip-unnumbered=Loopback1",
    Cisco-AVPair += "ip:addr-pool=real",
    Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"

test2 Cleartext-Password := "test"
    Framed-Protocol = PPP,
    Service-Type == Framed-User,
    Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool",
    Cisco-AVPair += "lcp:interface-config=ip nat inside"
#sho run
interface Loopback0
 ip address ****
 ipv6 address 2001:DB8::20/128
 ipv6 enable
interface Loopback1
 vrf forwarding NoNAT
 ip address *****
 ipv6 address 2001:DB8::21/128
 ipv6 enable
ipv6 dhcp pool AAA_dhcpv6_pool
 prefix-delegation aaa method-list FREERADIUS
ip local pool pool192_168 192.168.128.0 192.168.255.254
ip local pool real *.*.*.* *.*.*.*
ipv6 local pool ppp_delegate_56_v6_pool 2001:DB8:3::/48 56
ipv6 local pool ppp_link_v6_pool 2001:DB8:1::/49 64
ipv6 local pool ppp_delegate_56_v6_pool_vrf_no_nat 2001:DB8:6::/48 56
ipv6 local pool ppp_link_v6_pool_vrf_no_nat 2001:DB8:4::/49 64
interface Virtual-Template1
 ip unnumbered Loopback0
 ipv6 unnumbered Loopback0
 ipv6 enable
 no ipv6 nd ra suppress
 ipv6 dhcp server AAA_dhcpv6_pool
 peer default ip address pool pool192_168
 peer default ipv6 pool ppp_link_v6_pool
! non-related config skipped
User test2 receives an IPv4 private address and full IPv6 service: an address negotiated on the link and DHCPv6 delegation service.
User test1 receives a real IPv4 address only and no IPv6 at all.
Here is the debug, take a look at the bold line:
Jul  8 10:13:41: RADIUS(000000DF): Send Access-Request to 10.0.6.10:1812 id 1645/139, len 207
Jul  8 10:13:41: RADIUS:  authenticator B8 8A 07 F3 D8 90 A5 FE - B0 10 9F 51 B2 4F 7E 0A
Jul  8 10:13:41: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Jul  8 10:13:41: RADIUS:  User-Name           [1]   6   "test"
Jul  8 10:13:41: RADIUS:  CHAP-Password       [3]   19  *
Jul  8 10:13:41: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jul  8 10:13:41: RADIUS:  NAS-Port            [5]   6   0
Jul  8 10:13:41: RADIUS:  NAS-Port-Id         [87]  13  "0/1/0/2.301"
Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  41
Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=5254.0018.9fb1"
Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  39
Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   33  "circuit-id-tag=SNR eth 001,0301"
Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  39
Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   33  "remote-id-tag=f8-f0-82-10-9b-9d"
Jul  8 10:13:41: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jul  8 10:13:41: RADIUS:  NAS-IP-Address      [4]   6   10.0.6.21
Jul  8 10:13:41: RADIUS(000000DF): Sending a IPv4 Radius Packet
Jul  8 10:13:41: RADIUS(000000DF): Started 5 sec timeout
Jul  8 10:13:41: RADIUS: Received from id 1645/139 10.0.6.10:1812, Access-Accept, len 236
Jul  8 10:13:41: RADIUS:  authenticator 9C E6 3B 43 A3 58 06 AB - 17 99 AD 06 FF C6 9A 35
Jul  8 10:13:41: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Jul  8 10:13:41: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  67
Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   61  "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat"
Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  23
Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   17  "ip:vrf-id=NoNAT"
Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  34
Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   28  "ip:ip-unnumbered=Loopback1"
Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  25
Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   19  "ip:addr-pool=real"
Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  55
Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   49  "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"
Jul  8 10:13:41: RADIUS(000000DF): Received from id 1645/139
Jul  8 10:13:41: ppp202 PPP SSS: Forwarding request
Jul  8 10:13:41: ppp202 PPP: Phase is FORWARDING, Attempting Forward
Jul  8 10:13:41: PPP: Bind ppp202 to Virtual-Access2.1
Jul  8 10:13:41: Vi2.1 PPP: Static Bind peer_type[3]
Jul  8 10:13:41: Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated User
Jul  8 10:13:41: Vi2.1 CHAP: O SUCCESS id 1 len 4
Jul  8 10:13:41: Vi2.1 PPP: Phase is UP
Jul  8 10:13:41: Vi2.1 IPCP: Protocol configured, start CP. state[Initial]
Jul  8 10:13:41: Vi2.1 IPCP: Event[OPEN] State[Initial to Starting]
Jul  8 10:13:41: Vi2.1 IPCP: O CONFREQ [Starting] id 1 len 10
Jul  8 10:13:41: Vi2.1 IPCP:    Address *.*.*.8 (0x0306B92EC408)
Jul  8 10:13:41: Vi2.1 IPCP: Event[UP] State[Starting to REQsent]
Jul  8 10:13:41: Vi2.1 PPP: Send Message[Static Bind Response]
Jul  8 10:13:41: Vi2.1 IPCP: I CONFREQ [REQsent] id 1 len 22
Jul  8 10:13:41: Vi2.1 IPCP:    Address 0.0.0.0 (0x030600000000)
Jul  8 10:13:41: Vi2.1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Jul  8 10:13:41: Vi2.1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Jul  8 10:13:41: Vi2.1 IPCP AUTHOR: Start.  Her address 0.0.0.0, we want 0.0.0.0
Jul  8 10:13:41: Vi2.1 IPCP AUTHOR: Says use pool real
Jul  8 10:13:41: Vi2.1 IPCP AUTHOR: Pool returned *.*.*.11
Jul  8 10:13:41: Vi2.1 IPCP AUTHOR: Done.  Her address 0.0.0.0, we want *.*.*.11
Jul  8 10:13:41: Vi2.1 IPCP: O CONFNAK [REQsent] id 1 len 22
Jul  8 10:13:41: Vi2.1 IPCP:    Address *.*.*.11 (0x0306B92EC50B)
Jul  8 10:13:41: Vi2.1 IPCP:    PrimaryDNS 8.8.8.8 (0x810608080808)
Jul  8 10:13:41: Vi2.1 IPCP:    SecondaryDNS 8.8.4.4 (0x830608080404)
Jul  8 10:13:41: Vi2.1 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]
Jul  8 10:13:41: Vi2.1 IPV6CP: I CONFREQ [UNKNOWN] id 1 len 14
Jul  8 10:13:41: Vi2.1 IPV6CP:    Interface-Id 11BF:9891:6F31:7C15 (0x010A11BF98916F317C15)
Jul  8 10:13:41: Vi2.1 LCP: O PROTREJ [Open] id 2 len 20 protocol IPV6CP (0x0101000E010A11BF98916F317C15)
Jul  8 10:13:41: Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10
Jul  8 10:13:41: Vi2.1 IPCP:    Address *.*.*.8 (0x0306B92EC408)
Jul  8 10:13:41: Vi2.1 IPCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
Jul  8 10:13:41: Vi2.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 22
Jul  8 10:13:41: Vi2.1 IPCP:    Address *.*.*.11 (0x0306B92EC50B)
Jul  8 10:13:41: Vi2.1 IPCP:    PrimaryDNS 8.8.8.8 (0x810608080808)
Jul  8 10:13:41: Vi2.1 IPCP:    SecondaryDNS 8.8.4.4 (0x830608080404)
Jul  8 10:13:41: Vi2.1 IPCP: O CONFACK [ACKrcvd] id 2 len 22
Jul  8 10:13:41: Vi2.1 IPCP:    Address *.*.*.11 (0x0306B92EC50B)
Jul  8 10:13:41: Vi2.1 IPCP:    PrimaryDNS 8.8.8.8 (0x810608080808)
Jul  8 10:13:41: Vi2.1 IPCP:    SecondaryDNS 8.8.4.4 (0x830608080404)
Jul  8 10:13:41: Vi2.1 IPCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
Jul  8 10:13:41: Vi2.1 IPCP: State is Open
Jul  8 10:13:41: Vi2.1 Added to neighbor route AVL tree: topoid 2, address *.*.*.11
Jul  8 10:13:41: Vi2.1 IPCP: Install route to *.*.*.11
Jul  8 10:13:41: RADIUS/ENCODE(000000DF):Orig. component type = PPPoE
Jul  8 10:13:41: RADIUS(000000DF): Config NAS IP: 10.0.6.21
Jul  8 10:13:41: RADIUS(000000DF): Config NAS IPv6: ::
Jul  8 10:13:41: RADIUS(000000DF): sending
Jul  8 10:13:41: RADIUS(000000DF): Send Accounting-Request to 10.0.6.10:1813 id 1646/109, len 264
Any suggestions?

Fixed one problem and moved into other.
I've added
Cisco-AVPair += "lcp:interface-config=ipv6 unnumbered Loopback1"
to user profile, but stumbled into another problem: router ignores
Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool"
regardless of vrf, even on usual user profile
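
As an added example (not part of the original posts), the sketch below scans `debug ppp negotiation` style output for network control protocols that the peer requested but the router answered with an LCP Protocol-Reject, which is the IPV6CP symptom in the debug above. The function names and the trimmed sample are this example's own; the sample lines are copied from the posted debug.

```python
import re
from collections import defaultdict

# Lines copied from the debug output in the post above (trimmed to the NCP events).
SAMPLE_DEBUG = """\
Jul  8 10:13:41: Vi2.1 PPP: Phase is UP
Jul  8 10:13:41: Vi2.1 IPCP: O CONFREQ [Starting] id 1 len 10
Jul  8 10:13:41: Vi2.1 IPCP: I CONFREQ [REQsent] id 1 len 22
Jul  8 10:13:41: Vi2.1 IPCP AUTHOR: Says use pool real
Jul  8 10:13:41: Vi2.1 IPV6CP: I CONFREQ [UNKNOWN] id 1 len 14
Jul  8 10:13:41: Vi2.1 LCP: O PROTREJ [Open] id 2 len 20 protocol IPV6CP (0x0101000E010A11BF98916F317C15)
Jul  8 10:13:41: Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10
Jul  8 10:13:41: Vi2.1 IPCP: State is Open
"""

# "<timestamp>: <interface> <PROTOCOL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+): (?P<intf>\S+) (?P<proto>[A-Z0-9]+): (?P<msg>.*)$"
)
# "<I|O> <CODE> [<state>] ..." where I = received from peer, O = sent by router
PKT_RE = re.compile(r"^(?P<dir>[IO]) (?P<code>[A-Z]+) \[(?P<state>[^\]]*)\]")
REJ_PROTO_RE = re.compile(r"\bprotocol (?P<rejected>[A-Z0-9]+)")


def is_ncp(proto):
    """Treat every *CP protocol except LCP as a network control protocol."""
    return proto.endswith("CP") and proto != "LCP"


def summarize(debug_text):
    """Return {interface: {peer_requested, opened, rejected_by_router, rejected_by_peer}}."""
    sessions = defaultdict(lambda: {
        "peer_requested": set(),
        "opened": set(),
        "rejected_by_router": set(),
        "rejected_by_peer": set(),
    })
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # RADIUS lines, option detail lines, "IPCP AUTHOR" lines, etc.
        intf, proto, msg = m.group("intf", "proto", "msg")
        pkt = PKT_RE.match(msg)
        if proto == "LCP" and pkt and pkt.group("code") == "PROTREJ":
            rej = REJ_PROTO_RE.search(msg)
            if rej:
                key = "rejected_by_router" if pkt.group("dir") == "O" else "rejected_by_peer"
                sessions[intf][key].add(rej.group("rejected"))
        elif is_ncp(proto):
            if pkt and pkt.group("dir") == "I" and pkt.group("code") == "CONFREQ":
                sessions[intf]["peer_requested"].add(proto)
            elif msg.strip() == "State is Open":
                sessions[intf]["opened"].add(proto)
    return dict(sessions)


def unserved_ncps(summary):
    """NCPs the subscriber asked for that the router refused with a Protocol-Reject."""
    return sorted(
        (intf, proto)
        for intf, s in summary.items()
        for proto in s["peer_requested"] & s["rejected_by_router"]
    )


if __name__ == "__main__":
    for intf, proto in unserved_ncps(summarize(SAMPLE_DEBUG)):
        print(f"{intf}: peer requested {proto}, router sent LCP PROTREJ")
```
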

Similar Messages

  • Per session QoS for LNS

    We have some LNSs running 12.4 SP Services, running with the following config (qos specific lines and currently not working):
    class-map match-all voice-signaling
    match access-group 101
    class-map match-all voice-traffic
    match access-group 102
    policy-map sub-policy
    class voice-traffic
    priority 240
    class voice-signaling
    bandwidth 16
    policy-map XXX_qos-voice
    class class-default
    shape average 256000
    fair-queue
    service-policy sub-policy
    interface Virtual-Template1
    ip unnumbered Loopback0
    ip mroute-cache
    no peer default ip address
    ppp authentication chap
    no clns route-cache
    access-list 101 remark -- SCCP/H323/MGCP/SIP --
    access-list 101 permit tcp any any range 2000 2002
    access-list 101 permit tcp any any eq 1720
    access-list 101 permit tcp any any range 11000 11999
    access-list 101 permit udp any any eq 2427
    access-list 101 permit udp any any eq 4569
    access-list 101 permit udp any any eq 5036
    access-list 101 permit udp any any eq 5060
    access-list 102 remark -- RTP Traffic --
    access-list 102 permit udp any any range 16384 32767
    In the feature set for the IOS currently running it suggests this configuration should work; however, it will not apply the policy via the Cisco-AVPair command (the command is visible via the debug AAA per user, so radius is working). Even when we test it by applying the service-policy to the actual virtual-template, it errors saying it will only work on an MPL bundle. From what I have read it is suggested that even though this feature is supposed to work, it does not in practice and an upgrade to a feature set which includes QoS:per session shaping and queueing on LNS is needed.
    If anyone has any experience of this or has any suggestion as to whether we can achieve our QoS for voice per session with the current IOS, that would be great.

    This feature is not related to the NPE type. This feature is performance impacting so you should do some tests to see if your NPE-400 can support the number of L2TP tunnels you want with this feature enabled. If it's not the case, you will have to upgrade your NPE.
    HTH
    Laurent.

  • Lion 10.7.2 On both mac book pro and iMac, both with Lion 10.7.2, obtain repeated iCal event notifications from calendar or address book.  Cannot turn these off.  They repeat several times per session and every time computer is used.  How to diagnose this

    Lion 10.7.2 On both mac book pro and iMac, both with Lion 10.7.2, obtain repeated iCal event notifications from calendar or address book.  Cannot turn these off.  They repeat several times per session and every time computer is used.  How to diagnose this?

    First, uninstall "SuperTV" (whatever that is) according to the developer's instructions. It isn't working and it's filling the log with noise.
    If you have more than one user account, these instructions must be carried out as an administrator.
    Launch the Console application.
    Step 1
    Make sure the title of the Console window is All Messages. If it isn't, select All Messages from the SYSTEM LOG QUERIES menu on the left.
    Enter "BOOT_TIME" (without the quotes) in the search box. Note the timestamps of those log messages, which refer to the times when the system was booted. Now clear the search box and scroll back in the log to the last boot time when you had the problem. Post the messages logged before the boot, while the system was unresponsive or was failing to shut down. Please include the BOOT_TIME message at the end of the log extract.
    Post the log text, please, not a screenshot. If there are runs of repeated messages, post only one example of each. Don’t post many repetitions of the same message. When posting a log extract, be selective. In most cases, a few dozen lines are more than enough.
    PLEASE DO NOT INDISCRIMINATELY DUMP THOUSANDS OF LINES FROM THE LOG INTO A MESSAGE. If you do that, I will not respond.
    Important: Some private information, such as your name, may appear in the log. Edit it out by search-and-replace in a text editor before posting.
    Step 2
    Still in Console, look under System Diagnostic Reports for crash or panic logs, and post the most recent one, if any. In the interest of privacy, I suggest you edit out the “Anonymous UUID,” a long string of letters, numbers, and dashes in the header of the report, if present (it may not be.) Please don’t post shutdownStall, spin, or hang logs — they're very long and not helpful.

  • Public and Authenticated App with Authorization Scheme once per session

    I have a question . . .
    Let's say I have an application and at the application level I have an authorization scheme (auth1). If auth1 is set up to evaluate once per session, does it authenticate for the public user, then pass me back to the page and then check then evaluate the auth1 scheme. Or does it evaluate the auth1 scheme, then log in, then return to the page. Is it the same regardless of authentication scheme (e.g. Oracle SSO).
    It may make a big difference. If the authorization scheme is based upon the user (most will be) then setting it to evaluate once per session can be a real problem. If it evaluates before the user logs in, then it won't really work.
    This is an even bigger question when the application does not have a authorization scheme at the application level and allows public pages. If a page that is not public has an authorization scheme set, and the user goes directly to that page, it seems to authenticate the authorization scheme and then logs you in, but does not re-evaluate authorization scheme after you are logged in. Is this accurate? I realize that I could set it up to evaluate for every page view, but I really only need it once after login.
    Is this clear?

    Anton,
    It seems that all authorization schemes that are set to evaluate once per session are evaluated with the beginning establishment of a session.
    Sort of correct. Authorization schemes don't get evaluated until the component that uses them is considered for rendering or processing. So if the authorization scheme is attached to a page, it won't fire until the page is requested. If another component uses that scheme first, the evaluation will happen then and will not happen again during the session.
    What if I have another page that is not public. If it is the first page I go to, what happens. Obviously, I get redirected to login, then login. Do the authorization schemes get evaluated at this point?
    Yes, assuming the authorization scheme is used by the page, the scheme is evaluated during the first rendering or processing of the page in the session, after the authentication step.
    Now, what if I have a page that is public, but also has an auth scheme (odd, but could happen). Now what happens, does the auth scheme get evaluated before or after login?
    During the rendering or processing of the page after the authentication step. For a public page, the authentication step is performed up to the point where it determines that no authentication is required.
    OK, now let's add in Application level auth scheme. I can have public or private pages. If I go to a private page, when does the app level auth scheme kick in? How about for a public page?
    When an application uses an authorization scheme, it gets evaluated before the authorization scheme (if any) for the page that is being requested, so the public/private property of the page doesn't matter.
    General advice: when an authorization scheme uses :APP_USER, it doesn't work well to have it fire once per session because it'll get run before authentication to the application occurs, which sets APP_USER. You can have such schemes fire once per page view and for PL/SQL function-type schemes, have them give a "pass" when the current page is the login page, that kind of thing.
    In addition, if the overhead of running a scheme is high, one can set an application-level item to indicate that a once-per-page scheme has already run satisfactorily. The PL/SQL-type schemes can access the value of such an item to skip the expensive part of the evaluation and return true immediately.
    Finally, the htmldb_application.reset_security_check API can be called in order to reset the "fired" status of all authorization schemes in the session, allowing them to be re-evaluated if/when they are encountered again in the session.
    Hope this helps,
    Scott

  • Get report on ingress and egress ipsec traffic size per session

    Hi,
    I am looking for advice on how to best get the ingress and egress byte counts per VPN session.   I have a netflow appliance which gives me aggregated data, but I am looking for the best way to get byte size in and out per session.  I am using VPN on a Cisco IOS router (2811).
    Thanks.

    by the way there is simultaneously no B2B credits deficit on the corresponding fc port and no drops on it observed.

  • Session pooling and statement handles

    Hi there,
    I have a large multi-threaded application (perhaps >100 threads). Each thread is continuously processing events (very high volumes) which involves some manipulation and some database operations (from a fixed set of possible operations).
    I am using session pooling but what I want to know is, Should I:
    (a) Prepare my fixed set of statement handles up front at program start-up when I'm creating the session pool and then reuse the statement handles in each event processing thread (also, is this thread safe ? even if it is, all threads would be contending on the same statement handles)
    or
    (b) Prepare the statement handle for each event which presumably will exploit the statement cache on the session pool. This would also mean not having statement handles shared between threads thus removing any thread contention issues.
    I think (b) is the option for me, but does anyone have any thoughts ?

    With a), one would think it's OK, but I would hate to find out that it's not thread safe by accident.
    But anyway, with b) the cost of allocating private statement handles in each thread seems very low. The memory required for the statement handle plus its bind and define handles could very well be below 8k per statement. If you've got say, 5 statements * 100 threads, you're only looking at around 4MB overall.
    Finally, you might want to make sure that the session pool statement cache is working by checking the values for 'executions' and 'parse_calls' in V$SQL for your statements.

  • Windows 8.1 MDM not responding to more than one SyncML from MDM server per session

    Here is the behaviour I see, which was not expected by Windows 8.1.
    1) Device is enrolled
    2) Client initiates the connection with the MDM server defined in provisioning XML during enrollment.
    3) MDM Server sends some commands as a SyncML response.
    4) Client accepts the commands and sends Status and results.
    5) Again MDM Server sends some commands as a SyncML response.
    6) Client doesn't respond to these commands and is not sending any SyncML. Here is the problem that I am referring to.
    We are capturing the traffic in fiddler and found that device is not sending the next request where we are expecting the status for these commands. 
    The same is being repeated in all the requests client initiates. DM Client responds back only for one syncML sent by the MDM server per session.
    Is this the expected behaviour with Windows 8.1? Or are we doing something wrong to see this behaviour?
    Below is the SyncML for which I am expecting the response from the DM client. (Note: I got the response for the same SyncML in the first connection, but not in the second.)
    <SyncML xml:lang="en" xmlns="syncml:SYNCML1.2">
      <SyncHdr>
        <VerDTD>1.2</VerDTD>
        <VerProto>DM/1.2</VerProto>
        <SessionID>1</SessionID>
        <MsgID>1</MsgID>
        <Target>
          <LocURI>0</LocURI>
        </Target>
        <Source>
          <LocURI>https://####</LocURI>
          <LocName>AfariaWinPhoneProvider</LocName>
        </Source>
        <RespURI>https://####</RespURI>
      </SyncHdr>
      <SyncBody>
        <Status>
          <CmdID>1</CmdID>
          <MsgRef>2</MsgRef>
          <CmdRef>0</CmdRef>
          <Cmd>SyncHdr</Cmd>
          <TargetRef>https://####</TargetRef>
          <SourceRef>0</SourceRef>
          <Data>200</Data>
        </Status>
        <Get>
          <CmdID>2</CmdID>
          <Item>
            <Target>
              <LocURI>./cimv2/Win32_ComputerSystemProduct</LocURI>
            </Target>
          </Item>
        </Get>
        <Final />
      </SyncBody>
    </SyncML>

    Hello Sreekanth,
    I am facing similar issue, here is the behaviour description:
    1) Device is enrolled
    2) Client initiates the connection with the MDM server defined in provisioning XML during enrollment.
    3) MDM Server sends some commands as a SyncML response.
    4) Client doesn't respond to these commands or not sending any SyncML.
    The same is being repeated in all client request.
    Below is the SyncML for which I am expecting the response from the DM client:
    <SyncML xmlns="SYNCML:SYNCML1.2">
        <SyncHdr>
            <VerDTD>1.2</VerDTD>
            <VerProto>DM/1.2</VerProto>
            <SessionID>1</SessionID>
            <MsgID>1</MsgID>
            <Target>
                <LocURI>9302116</LocURI>
            </Target>
            <Source>
                <LocURI>https://#####</LocURI>
            </Source>
        </SyncHdr>
        <SyncBody>
            <Status>
                <CmdID>1</CmdID>
                <MsgRef>1</MsgRef>
                <CmdRef>0</CmdRef>
                <Cmd>SyncHdr</Cmd>
                <TargetRef>9302116</TargetRef>
                <Data>212</Data>
            </Status>
            <Status>
                <CmdID>2</CmdID>
                <MsgRef>1</MsgRef>
                <CmdRef>2</CmdRef>
                <Cmd>Alert</Cmd>
                <Data>200</Data>
            </Status>
            <Status>
                <CmdID>3</CmdID>
                <MsgRef>1</MsgRef>
                <CmdRef>3</CmdRef>
                <Cmd>Replace</Cmd>
                <TargetRef>./devinf12</TargetRef>
                <Data>200</Data>
            </Status>
            <Get>
                <CmdID>75</CmdID>
                <Item>
                    <Target>
                        <LocURI>./DevDetail/SwV</LocURI>
                    </Target>
                </Item>
            </Get>
        </SyncBody>
    </SyncML>
    Here we had tried sending
            <Target>
                <LocURI>0</LocURI>
            </Target>
    But it didn't work.

  • VRF and FTP Server

    I have a weird problem with VRF and FTP Server. I have a lab setup whereby two VRFs Client1 and Client2 are created. Both the VRFs are in the same subnet. I have configured FTP-Server and TFTP-Server on this router. TFTP-Server works perfectly fine from both the networks. But for FTP-Server, I can log in to the FTP Server and authenticate positively. But when I try to do a listing of a directory, it gives an error "can't bind data".
    The web access to this router also works perfectly fine.
    Any idea why FTP fails.
    Before configuring vrf, the FTP server did work fine.
    Any idea why. here's the config :
    interface FastEthernet0/0.371
    description Client1
    encapsulation dot1Q 371
    ip vrf forwarding client1
    ip address 10.0.1.1 255.255.255.0
    interface FastEthernet0/0.372
    description Client2
    encapsulation dot1Q 372
    ip vrf forwarding client2
    ip address 10.0.1.1 255.255.255.0

    Ohhhhhhhh!!!
    I'm even more convinced it's a passive/active problem with the ftp control channel. Did you try the gentleman's suggestion of passive ftp? What's happening is that from a client on one vrf, you're attempting to terminate the ftp session in a router which is in the second vrf. The ftp data session isn't vrf-aware from the sound of it, hence my question about what device models and IOS you're using.
    But I agree, it's getting complicated enough that sounds like TAC-time. My bet is something isn't vrf-aware to the point that the data is lost. For instance, to ping from one device to another from _within_ a vrf router instance, you have to use the keyword "vrf" like "ping vrf VRF_Name src dest".
    In your situation, your source is on one vrf while the destination is _within_ the second vrf, not just simply the IP packet being routed from vrf1-client (like a Windows PC) to vrf2-server (like a Unix ftp server).
    I'd be interested in hearing their solution.
    -Jeff

  • Upgraded to Lion, CS3 programs will only let me open 1 photo per session, what gives?

    Just upgraded to Lion from Snow Leopard. Now my CS3 Creative Suite programs will only let me open one picture per session. I then have to completely close out of photoshop or illustrator or whatever and reopen to open another picture. Any suggestions before I have to take my computer to the apple store.

    http://roaringapps.com/ show some people having problems with various things. Have you tried reinstalling CS3? If that doesn't work, restore from a backup if needed to stay in production until a solution or an upgrade can be worked out.
    I'm not sure the Apple Store will troubleshoot 3rd party software that is 3 versions old.

  • Once per session, connected anyway

    I have an authentication scheme that is set to once per session. The users are defined in oid and have to logon using sso.
    So far so good. But in following scenario it goes wrong.
    1. User enters the htmldb url
    2. User gets the logon screen from sso
    3. User logs in and is then forwarded to the application where the authorisation scheme tells him he has no access and he is redirected to a public page that tells him this.
    4. the user presses the 'Back' key on the browser, so he gets the login screen again.
    5. he enters again his username and password, and enters.
    -> now he is logged in and gets the screen he is not allowed to.
    What goes wrong here? Why does the session not remember that this user has no access ?
    Grtz,
    Chris.

    Scott,
    The solution of htmldb_util.reset_authorizations works fine. But in the end we choose another option.
    We are using the error page now to display whether the user has no access to the application. It looks like the user has access to the error page even if he has no access to any of the application pages. Now it works fine.
    Now the authorization also returns false.
    Tnx for the replies,
    Chris.

  • Cisco IOS Zone Based Firewall and IPv6

    Hello,
    I am trying to set up an IPv6 tunnel to the tunnel broker Hurricane Electric. The IPv6 connection is working OK only if I disable zone security on the WAN interface (Fe0 - IPv4 interface).
    Which protocols must be allowed to and from the router?
    IOS version: 15.1.2T1 (Adv.ip services)
    Setup:
    HE (tunnel-broker)  --- Internet (IPv4)  ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
    Config on router:
    IPv4 (self to internet and internet to self)
    policy-map type inspect Outside2Router-pmap
    class type inspect SSHaccess-cmap
      inspect
    class type inspect ICMP-cmap
      inspect
    class type inspect IPSEC-cmap
      pass
    class type inspect Protocol41-cmap
      pass log
    class class-default
      drop
    interface Tunnel1
    description Hurricane Electric IPv6 Tunnel Broker
    no ip address
    zone-member security IPv6tunnel
    ipv6 address 2001:47:25:105B::2/64
    ipv6 enable
    ipv6 mtu 1300
    tunnel source FastEthernet0
    tunnel mode ipv6ip
    tunnel destination xxx.66.80.98
    interface FastEthernet0
    description WAN interface
    ip address xxx.xxx.252.84 255.255.0.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    zone-member security WAN
    duplex auto
    speed auto
    zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
    service-policy type inspect IPv6-out-pmap
    zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
    service-policy type inspect IPv6-out-pmap
    policy-map type inspect IPv6-out-pmap
    class type inspect IPv6-internet-class
      inspect
    class class-default
      drop
    class-map type inspect match-all IPv6-internet-class
    match protocol tcp
    match protocol udp
    match protocol icmp
    match protocol ftp
    ipv6 route ::/0 Tunnel1
    ipv6 unicast-routing
    ipv6 cef
    parameter-map type inspect v6-param-map
    ipv6 routing-header-enforcement loose
    sessions maximum 10000

    OK, removed the cmap the packet was getting dropped on, so the current self to wan zone-pair policy map looks like this:
    policy-map type inspect pm-selftowan
    class type inspect cm-selftowan-he-out
      inspect
    class type inspect cm-dhcpwan
      pass
    class class-default
      drop
    class-map type inspect match-all cm-selftowan-he-out
    match access-group name HETunnelOutbound
    ip access-list extended HETunnelOutbound
    permit 41 any any
    permit ip any host 64.62.200.2
    permit ip any host 66.220.2.74
    permit ip any host 216.66.80.26
    Now we see the same error, just on the 'new' first cmap in the pmap:
    *Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to  Invalid Segment with ip ident 0
    Yet as you can see above, we are allowing proto 41 any any.
    I didn't expect any other result really since the previous cmap had 'permit ip any any' but still
    any ideas?
    Thanks,
    //TrX
    EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
    I decided to change the outbound cm-selftowan-he-out action to 'pass'.
    I suddenly noticed the following log:
    *Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session  216.66.80.26:0 :0 on zone-pair wantoself class  cm-wantoself-he-in due to  Invalid Segment with ip ident 0
    Notice this is now inbound having trouble whereas before it was outbound.
    I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
    Looking at the original outbound PMAP:
    policy-map type inspect pm-selftowan
    class type inspect cm-selftowan
      inspect
    class type inspect cm-selftowan-he-out
      inspect
    class type inspect cm-dhcpwan
      pass
    class class-default
      drop
    cm-selftowan has always been in front of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails as it seems ip inspect only handles a handful of protos).
    This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
    Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
    Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
    Hope this helps the OP too
    //TrX
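
The first-match behaviour described in the post above, as an added example that is not part of the original thread: a small model of a zone-pair policy-map that classifies a protocol 41 packet and flags classes that can never be reached. The class names, ACL entries and addresses come from the post; the set of protocols `inspect` can track and the helper names are assumptions of this model, and `cm-dhcpwan` is left out because its ACL is not shown.

```python
from dataclasses import dataclass

# Assumption for this model: "inspect" can only build sessions for these protocols.
INSPECTABLE = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class AclEntry:
    proto: str          # "ip" matches any protocol; otherwise a name or number such as "41"
    dst: str = "any"    # "any" or a single host address


@dataclass(frozen=True)
class PolicyClass:
    name: str
    action: str         # "inspect", "pass" or "drop"
    acl: tuple          # permit entries of the ACL the class-map matches on


def entry_matches(entry, proto, dst):
    return entry.proto in ("ip", proto) and entry.dst in ("any", dst)


def classify(policy, proto, dst):
    """First matching class wins; later classes are never consulted."""
    for cls in policy:
        if any(entry_matches(e, proto, dst) for e in cls.acl):
            if cls.action == "drop":
                return cls.name, "drop"
            if cls.action == "inspect" and proto not in INSPECTABLE:
                # Modelled on the %FW-6-DROP_PKT "Unknown-l4 session" log in the post.
                return cls.name, "drop"
            return cls.name, "forward"
    return None, "drop"


def covers(earlier, later):
    """True if every packet matched by `later` is also matched by `earlier`."""
    return earlier.proto in ("ip", later.proto) and earlier.dst in ("any", later.dst)


def shadowed_classes(policy):
    """Report (class, shadowing class) pairs where one earlier class covers every entry."""
    findings = []
    for i, cls in enumerate(policy):
        if cls.name == "class-default":
            continue
        for earlier in policy[:i]:
            if all(any(covers(e, l) for e in earlier.acl) for l in cls.acl):
                findings.append((cls.name, earlier.name))
                break
    return findings


ANY = (AclEntry("ip"),)
HE_ACL = (                      # ip access-list extended HETunnelOutbound
    AclEntry("41"),
    AclEntry("ip", "64.62.200.2"),
    AclEntry("ip", "66.220.2.74"),
    AclEntry("ip", "216.66.80.26"),
)
DEFAULT = PolicyClass("class-default", "drop", ANY)

# cm-selftowan (ip any any) ahead of the tunnel class, tunnel class already set to pass.
ORIGINAL = [PolicyClass("cm-selftowan", "inspect", ANY),
            PolicyClass("cm-selftowan-he-out", "pass", HE_ACL), DEFAULT]
# cm-selftowan removed, tunnel class still on inspect.
HE_INSPECT = [PolicyClass("cm-selftowan-he-out", "inspect", HE_ACL), DEFAULT]
# Tunnel class changed to pass (stateless, so the inbound zone-pair needs pass as well).
HE_PASS = [PolicyClass("cm-selftowan-he-out", "pass", HE_ACL), DEFAULT]

if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("he inspect", HE_INSPECT), ("he pass", HE_PASS)):
        print(label, classify(policy, "41", "216.66.80.26"), shadowed_classes(policy))
```
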

  • Web service request ....one db connection per session OR all share one...

    In a servlet I use
    public void init(ServletConfig config) throws ServletException { }
    so it only gets the db connection once per session.
    Now that I am working on a web service, I'm not sure how to do something similar.
    I want to either have all requests coming in use the same ONE connection OR maybe one created per session.
    I have way too many web service requests and it creates too many jdbc connections. What can I do to prevent this?
    I don't care if they have to wait longer;
    I just want to cut down the number of jdbc connections to 1 to 2.
    any help appreciated, thanks

    You want to use a connection pool. If you just use one connection, your web users are likely to be waiting on the availability of the connection. A pool will let you set whatever maximum you want; 1 or 100...
    There are a number of database connection pooling options. One of the more popular is DBCP, part of the Apache project, which is free and open source.
    http://jakarta.apache.org/commons/dbcp/
    There are other such "drop in" poolers and some database vendors are now supplying connection pooling in their drivers.

  • Start systemd --user once after first login, not per session?

    Hey guys,
    So I've been toying around with using systemd to manage user daemons and some oneshot processes, it seems like it could be really nice
    Here's what I'm thinking I would like to do:
    I would have two user targets, `console.target` and `graphical.target`.
    The console target will start things like pulseaudio, ssh-agent (envoy), transmission, stuff like that.
    The graphical target will start xorg and then other things like the WM, set the wallpaper.. you get the idea. Obviously the graphical target will want the console target.
    Now, the part I wanted to get some feedback on is this: I would like a systemd --user instance to only be started once after my first login, not once per session.
    So for example, I login from vt1 and it brings systemd --user up to the graphical.target. Then if I later SSH in from somewhere, it won't start a new systemd --user session (Ie, won't start pulse-audio, transmission-daemon, etc).
    However, if I haven't logged into my machine yet and I SSH in, it will start up systemd --user and will start the console.target. If I then later login via vt1 it will see that there's already a systemd --user session started and start the graphical.target
    Does this make sense? Is it a bad idea?

    You could make a column in the database, and when the information is set (emailed) make the value to be 0, then when they first register use a IF recordset("column_name") = 0 Then response.redirect("filloutpage.asp") end if, then when they fill out the info have a hidden form field that updates the value to 1. On the login page after the first if make another IF recordset("column_name") = 1 Then response.redirect("index.asp") end if.
    I have forms that have three different redirects based on user input, and you could do the same thing: you could add the one for the first time to DW-made code. Here is an example; you could change the request.form to a recordset value and it will work.
    If Request.Form("select") = "Self" Then
      MM_editRedirectUrl = "FridaySchedule.asp"
      Response.Redirect(MM_editRedirectUrl)
    End If
    If Session("MM_AdminEdit") = "True" Then
      MM_editRedirectUrl = "FridayScheduleAdmin.asp"
      Response.Redirect(MM_editRedirectUrl)
    End If
    MM_editRedirectUrl = "FridayScheduleDept.asp"
    If (Request.QueryString <> "") Then
      If (InStr(1, MM_editRedirectUrl, "?", vbTextCompare) = 0) Then
        MM_editRedirectUrl = MM_editRedirectUrl & "?" & Request.QueryString
      Else
        MM_editRedirectUrl = MM_editRedirectUrl & "&" & Request.QueryString
      End If
    End If
    Response.Redirect(MM_editRedirectUrl)

  • Per Session Maximum Message Limit

    I have a front-end messaging server that would need to feed the messages to an Anti Spam System before these messages could be further relayed to their respective destinations/back-end messaging server.
    The Anti Spam System has a certain limit in number of messages it could receive/process per session. So, I would like to set a per session limit in the number of messages my front-end messaging server can send to the Anti Spam System in order not to have long queue at the front-end messaging server due to the receiving/processing limit set in the Anti Spam System.
    The exact version of my messaging server here is iPlanet Messaging Server 5.2 HotFix 1.21. Please advise on how could I achieve this objective of mine.

    Could you please explain the below sentence as stated in SUN documentation? =========================================
    If the option accepts an integer value, a base may be specified using notation of the form b%v, where b is the base expressed in base 10 and vb. =========================================
    For example, if I would like to set "ATTEMPT_TRANSACTIONS_PER_SESSION" to 15 messages, how do I set it based on the above highlighted sentence from SUN documentation?

  • Is open_cursors per session or user?

    I'm getting a lot of ORA-01000 in error logs on my app servers. 8i documentation states that:
    "OPEN_CURSORS determines the maximum number of cursors per user."
    but I suspect this is a typo and should be per session, an extremely relevant difference when multiple app servers are connecting to DB w/common username.
    does Oracle actually track open cursors across all active sessions for a given username or is it per session like most parameters?

    It must be per session.
    You can resolve the problem by increasing the parameter to 2500, as it controls the maximum allowed.
