ED
Advisor

Limit of concurrent connections

During heavy load on your firewall's busiest periods you can get connection failures, I read. As mentioned in other threads on this community, you can run this command to see if your firewall reached the limit:

fw tab -t connections -s

But by default on new installations of Gaia there is no configured limit on the number of concurrent connections. On your firewall object in SmartConsole it's set to "Automatically":

So my question is what is the limit actually set to then? My gateway has 16GB of RAM. Output of the above command:

I see that since boot-up the peak was at 21394 concurrent connections. But since I actually don't know the limit and whether this is low or high, what do I get out of this command? How do I know if new connections were dropped (not by the firewall policy) because the firewall could not keep track of the new connection?

12 Replies
Huseyin_Rencber
Collaborator

The setting "Automatically" is selected by default if the firewall object is set for Gaia as the OS. If you want to set it manually, the setting depends on your traffic and resources. The setting affects the VPN kernel. Let's assume you have 1000+ remote users which connect to the office network through the Mobile Access blade; it creates multiple connections (from user to gateway, from gateway to internal RDP server). So in the example environment you should increase the maximum concurrent connections: by default the maximum is 25000, increase the limit to 27000 (2 times 1000). You can read more information here >

Capacity Optimization and Connections Table 

If you set the maximum connections manually and somehow it reached the limit, you can run the following command to check if there are dropped connections because of the connection limit.

fw ctl zdebug + drop

You may see something like that >

By the way, you can run the following command to gather statistics about the connections.

fw ctl pstat

Connections:
17907 total, 2214 TCP, 10855 UDP, 21 ICMP,
4817 other, 0 anticipated, 8 recovered, 8 concurrent,
68 peak concurrent

total - Since last machine boot time.

other - Other protocols (Not TCP/UDP/ICMP)

concurrent - At the time the output was taken.

peak concurrent - Since last machine boot time.

Kaspars_Zibarts
Employee

Indeed, fw ctl pstat is your friend to see connection tables. I purposely took an example from a 32-bit gateway: as you can see, that box actually has a lot of RAM (64GB) but it can only use 4GB for connections (actually around 3GB realistically).

Just make sure usage in percentage is not high and Aggressive Aging is not active, then you are all good. And yes, "automatically" means that RAM will be allocated as needed for connections until exhausted.

[Expert@fw1]# fw ctl pstat

Virtual System Capacity Summary:
Physical memory used: 15% (8285 MB out of 53867 MB) - below watermark
Kernel memory used: 8% (4512 MB out of 53887 MB) - below watermark
Virtual memory used: 15% (631 MB out of 4014 MB) - below watermark
Used: 87 MB by FW, 544 MB by zeco
Concurrent Connections: 1% (280 out of 16900) - below watermark
Aggressive Aging is not active

Edson_Adrian_Di
Participant

Hi Kaspars, hope you are fine. Sorry, may I ask why aggressive aging should not be active? From what I understand this helps to finish or close idle connections and with this free some resources from the connection table.

Regards. 

Kaspars_Zibarts
Employee

Hi Edson, aggressive aging gets activated only when the connection table is getting full, thus "cleaning" up idle connections much quicker than normally. This is to allow you to process new connections when you are near capacity. Technically it sounds like a "good and helpful" feature (and it is mostly!) but I have to admit we have seen some strange behaviour when AA was active; some RDP connections over SSL did not work, for example. I would say: if you see AA active, act on it, fix it, it's not a "normal" state :) more like a workaround till you free up memory/tables.

ED
Advisor

Thank you guys, but I still don't feel that I got an answer to my questions.

Huseyin, I don't want to set a limit but instead keep it on "Automatically". Kaspars, it's a 64-bit gateway. I have 0 failed allocations on system memory and on kernel memory. I just want to know what the limit actually is when set to "Automatically", if it is possible to know. Like my example with a peak at 21394 concurrent connections: what does that tell me? Was that close to the maximum the firewall could handle before starting to drop new connections? I mean, I don't know the threshold and when to start to worry without waiting for the next storm and running the fw ctl zdebug drop command.

Kaspars_Zibarts
Employee

Can't be that you were anywhere near the limit with this small number. Even with 3GB RAM you can handle nearly 300k connections (no advanced blades though).

Considering that you have 16GB and a 64-bit OS, you should be able to handle heaps more concurrent connections.

What did fw ctl pstat show?

Worth noting that delayed connections won't appear in the connections table.

Huseyin_Rencber
Collaborator

Like my example with a peak at 21394 concurrent connections, what does that tell me? Was that close to the maximum the firewall could handle before starting to drop new connections? I mean I don't know the threshold and when to start to worry without waiting for the next storm and running the fw ctl zdebug drop command

Ok, so you are actually asking how many connections your firewall can handle? For example, if you set the limit to "Automatically", when will the firewall reach the maximum connection limit? Like Kaspars Zibarts said, with these resources it can't be that you were anywhere near the limit with this small number.

Maybe the appliance datasheet can help; there are statistics about connections under the performance section. Perhaps you can make an inference from this data.

ED
Advisor

Exactly, since it's set to automatic I would like to know the maximum concurrent connections limit the firewall can handle before starting to drop connections. It's an open server, so I cannot relate it to any datasheet numbers.

Kaspars_Zibarts
Employee

You can always guesstimate based on the current state of fw ctl pstat.

For example:

System Capacity Summary:
Memory used: 9% (1175 MB out of 11845 MB) - below watermark
Concurrent Connections: 24946 (Unlimited)
Aggressive Aging is enabled, not active

You could easily make a rough estimate that we could run 10 times as many connections on this firewall (at a current usage of 9%), so 10 x 25k = 250000.

It's very hard to put an exact number on it as it depends on the blades that are enabled and NAT usage.

A simple FW connection will only consume ~10kB, whereas in the example above you can see that each connection was ~40kB; that's because IA, IPS and AB are enabled on that gateway.

:)
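As an added example (not code from this thread or from Check Point), a small Python parser that applies the rule of thumb from Kaspars's post to the two fw ctl pstat capacity summaries quoted in the thread. The 80% warning threshold is an assumption, not a Check Point value.

```python
import re

# Constructed samples: the two "fw ctl pstat" capacity summaries quoted in this thread.
PSTAT_AUTOMATIC = """System Capacity Summary:
Memory used: 9% (1175 MB out of 11845 MB) - below watermark
Concurrent Connections: 24946 (Unlimited)
Aggressive Aging is enabled, not active
"""
PSTAT_LIMITED = """Virtual System Capacity Summary:
Physical memory used: 15% (8285 MB out of 53867 MB) - below watermark
Kernel memory used: 8% (4512 MB out of 53887 MB) - below watermark
Virtual memory used: 15% (631 MB out of 4014 MB) - below watermark
Concurrent Connections: 1% (280 out of 16900) - below watermark
Aggressive Aging is not active
"""

# One pattern covers "Memory used" and "Physical/Kernel/Virtual memory used".
MEM_RE = re.compile(r"^(?:\w+ )?[Mm]emory used:\s*(\d+)% \((\d+) MB out of (\d+) MB\)", re.M)
CONN_LIMITED_RE = re.compile(r"^Concurrent Connections:\s*\d+% \((\d+) out of (\d+)\)", re.M)
CONN_AUTO_RE = re.compile(r"^Concurrent Connections:\s*(\d+) \(Unlimited\)", re.M)
AA_RE = re.compile(r"^Aggressive Aging is (.+)$", re.M)

def estimate_capacity(pstat: str, warn_pct: int = 80) -> dict:
    """Apply the thread's rule of thumb: estimated max = connections * 100 / memory %.
    warn_pct is an assumed alerting threshold, not a Check Point value."""
    mem = [tuple(map(int, t)) for t in MEM_RE.findall(pstat)]
    if not mem:
        raise ValueError("no memory line in fw ctl pstat output")
    pct, used_mb, _total_mb = max(mem)  # the most-utilised pool is the binding one
    m = CONN_LIMITED_RE.search(pstat)
    if m:  # a manual limit is configured, so that is the hard cap
        conns, limit = int(m.group(1)), int(m.group(2))
    else:  # "Automatically": no fixed limit, bounded only by memory
        m = CONN_AUTO_RE.search(pstat)
        if not m:
            raise ValueError("no Concurrent Connections line in fw ctl pstat output")
        conns, limit = int(m.group(1)), None
    aa = AA_RE.search(pstat)
    aa_active = bool(aa) and "not active" not in aa.group(1)
    # Per-connection cost is an upper bound: it attributes all used memory to
    # the connections table, as the ~40kB figure in the thread does.
    kb_per_conn = round(used_mb * 1024 / conns) if conns else None
    est_max = limit if limit is not None else conns * 100 // max(pct, 1)
    usage_pct = conns * 100 // est_max if est_max else 0
    return {"connections": conns, "limit": limit, "memory_pct": pct,
            "kb_per_connection": kb_per_conn, "estimated_max": est_max,
            "usage_pct": usage_pct, "aggressive_aging_active": aa_active,
            "healthy": not aa_active and pct < warn_pct and usage_pct < warn_pct}
```

Feed it the capacity section of your own fw ctl pstat output; a result with "healthy" false (Aggressive Aging active or usage near the estimate) is the point at which to investigate rather than wait for the next storm.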

ED
Advisor

Thank you. I find this interesting:

Around the same memory usage in percent but very different numbers of connections. So based on a rough calculation:

10 x 7k = 70 000. Several blades are enabled.

PhoneBoy
Admin

The actual amount of memory a connection takes up depends on the blades in use.

We used to have a public SK that explained memory usage, but I think it's internal only now. 

IPv6 uses more memory also :)

Kaspars_Zibarts
Employee

Indeed! I was trying to find that SK but failed miserably.
