topic Re: What is "Drop-reason of FW = Capacity"? in Firewall and Security Management

What is "Drop-reason of FW = Capacity"?

SteveM — Fri, 03 Jan 2025 12:32:53 GMT

Hi all, we're replacing EOL 15000 series FWs with 6000 series. The configurations are largely identical (using ClusterXL in active/standby) and the replacement FWs are sized correctly. We've had several failed migration attempts to the new Firewalls - all acceptance tests complete succesfully, yet when production traffic starts to return to normal levels following end of the outage window, poor performance is observed.

According to CPVIEW, there are a high number of drops due to "Capacity" - yet nowhere can I find what this relates to. It can't be CPU or interface, since these are nowhere near maximum. Does anyone know what can cause drops due to "capacity"? This counter can be seen to incremement at a high rate and having ruled everything else out, it would appear this is the cause of the perceived performance issues.

Re: What is "Drop-reason of FW = Capacity"?

AkosBakos — Fri, 03 Jan 2025 12:36:41 GMT

Hi @SteveM

Where do you see this in CPVIEW? Can you attach a screenshot? Just blur the sensitive info.

Akos

Re: What is "Drop-reason of FW = Capacity"?

Timothy_Hall — Fri, 03 Jan 2025 12:39:34 GMT

Probably memory, look at the first few output lines of fw ctl pstat for capacity statistics. Make sure that connection table size is set to "automatically" on your gateway/cluster object, and not still set to a manual limit which was the only option in the SecurePlatform/IPSO days (and still required for VSX).

Re: What is "Drop-reason of FW = Capacity"?

AkosBakos — Fri, 03 Jan 2025 12:41:33 GMT

Hi @Steve_Pearson

And of course we need some info more:

what is the version (version + take)
Do you see any interesting in /var/log/messages
dynamic balancing is enabled?
in you do a manual failover, the problem arise on site B too?
what kind of traffic affected?

Akos

Re: What is "Drop-reason of FW = Capacity"?

SteveM — Fri, 03 Jan 2025 12:43:18 GMT

Re: What is "Drop-reason of FW = Capacity"?

SteveM — Fri, 03 Jan 2025 12:50:01 GMT

Memory doesn't exceed 32%, but the concurrent connection table is set to 25000 limit on the new Cluster object - but automatic on the old FWs. It looks like this could be the cause - according to CPVIEW, the concurrent connections never exceeds 24,720. Thank you!!

Re: What is "Drop-reason of FW = Capacity"?

the_rock — Fri, 03 Jan 2025 13:38:28 GMT

That could be your issue, just change it to automatic, as thats best setting, since it lets firewall auto calculate the usage. Install policy, test.

Andy

Re: What is "Drop-reason of FW = Capacity"?

the_rock — Fri, 03 Jan 2025 13:48:26 GMT

I would also check bottom setting.

Enable or disable firewall drop optimization to improve gateway resource consumption during periods of heavy traffic load. Let SecureXL handle traffic that the firewall policy determines should be dropped.

Not enabling this option means that only Allowed connections are off loaded to SecureXL, leaving the gateway to handle connections that should be dropped or rejected.

Andy