topic Re: Connections Peak/Limit in General Topics

Connections Peak/Limit

Ivo_Marques — Tue, 30 Jan 2018 11:49:38 GMT

Hi all,

I have two question about this subject:

Is there a way to clear the PEAK connection value?
When I reach the connection limit, where the firewall logs this information?

I think I read a SK article to send this information to /var/log/messages or $FWDIR/log/*.elg but I can't find it anymore.

Thanks in advance.

Ivo

Re: Connections Peak/Limit

Gaurav_Pandya — Tue, 30 Jan 2018 13:08:04 GMT

Hi Ivo,

You can reset connection details with following command but it will remove whole connection table.

fw tab -t connections -x

Another option is to reboot the gateway.

You can check the peak connection limit with below commands.

fw tab -t connections -s

fw ctl pstat

Re: Connections Peak/Limit

Timothy_Hall — Tue, 30 Jan 2018 13:33:19 GMT

As long as the maximum connection limit is set to "Automatically" on the firewall/cluster (sk105504: Traffic is dropped with "dropped by fwconn_memory_check Reason: full connections table" error ) you should never bump into any kind of limit for the connections table, unless the system itself is low on free memory which will introduce a bunch of other problems. The setting "Automatically" is selected by default if the firewall object is set for Gaia as the OS.

However if you have somehow reached the limit, the error message shown in the SK above will appear in the firewall logs sent to the SMS, and I think it will also be dumped into the syslog (/var/log/messages) on the firewall itself. The Inspection Setting Aggressive Aging can be leveraged to send a "canary in the coal mine" notification that the connections table is almost full.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: Connections Peak/Limit

Ivo_Marques — Tue, 30 Jan 2018 14:00:10 GMT

Hi Gaurav,

Thanks for your reply, but delete all connections or reboot the gateway it's a bit overkill.

The easist way is to upper change the connection limit, still it's not a great solution.

Ivo

Re: Connections Peak/Limit

Ivo_Marques — Tue, 30 Jan 2018 14:05:41 GMT

Hi Tim,

Ok, my enviroment is VSX! It's not possible to set "Automatically". I beleive the "reach the limit" it's not sent, by default, to /var/log/message neither to SMS Log. (As I told, I think there is an SK to do that but I can´t find it anymore.)

Aggressive Aging it's, maybe, a good solution because, for sure, it's logged on SMS logs.

Thanks for your response

Re: Connections Peak/Limit

Luis_Miguel_Mig — Tue, 30 Jan 2018 14:19:40 GMT

Not sure if it is what you are looking for but you can generate alerts monitoring the number of connections with snmp 1.3.6.1.4.1.2620.1.1.25.3

Re: Connections Peak/Limit

Vincent_Bacher — Tue, 30 Jan 2018 21:10:29 GMT

I think you just want to reset the statistics.

Never found any way either.

Best regards

Vince

Re: Connections Peak/Limit

Gaurav_Pandya — Wed, 31 Jan 2018 12:32:55 GMT

Hi,

But for reset the statistics those are the only options I think.

Re: Connections Peak/Limit

Maria_Pologova — Thu, 08 Nov 2018 17:11:02 GMT

Would this be theoretically possible having Automatic calculation, that in case of, let's say, ddos attack, large amount of connections would eat up all memory and we'd lose management connection to the box or encounter another problems?

Re: Connections Peak/Limit

Timothy_Hall — Fri, 09 Nov 2018 13:16:50 GMT

Sure that is possible, but hitting the connections limit will deny new connections from starting through the firewall and cause problems that are noticeable to your users. As long as Aggressive Aging is enabled (which I'm pretty sure it is by default under Inspection Settings) the firewall shouldn't get to the point of having management problems in this situation.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: Connections Peak/Limit

Maria_Pologova — Mon, 12 Nov 2018 09:44:53 GMT

As per my understanding, in order to have Aggressive Aging enabled in R77.30 Management server, IPS profile has to be applied, otherwise we got this:

System Capacity Summary:
Memory used: 8% (501 MB out of 5687 MB) - below watermark
Concurrent Connections: 1% (2976 out of 249900) - below watermark
Aggressive Aging is disabled

On the gateway with enforces Default IPS profile (with inactive contract):

System Capacity Summary:
Memory used: 20% (267 MB out of 1318 MB) - below watermark
Concurrent Connections: 35% (17846 out of 49900) - below watermark
Aggressive Aging is not active

However, in R80.10 under Inspection settings Default IPS profile is applied by default on all gateways, that's why Aggressive Aging is enabled everywhere.

So, taking this into account, I believe, that it is not worth to go with automatic connections calculation if you have Management on 77.30.