Robert_Mueller
Collaborator

"max concurrent sessions per connection exceeded"

Hi,

I have a problem with one connection. In SmartLog I get the error:

[Screenshot: 2019-03-25 12_33_48-Start.png]

In the settings the connection setting is on "Automatically".

 fw ctl pstat

System Capacity Summary:
  Memory used: 12% (6138 MB out of 48155 MB) - below watermark
  Concurrent Connections: 30068 (Unlimited)
  Aggressive Aging is enabled, not active

What else can I do to solve this problem?

Version: GAiA R80.10

Thx

Robert

0 Kudos
10 Replies
PhoneBoy
Admin

The setting you're looking at is probably not the one referred to by this error message.
The one SK that comes up with this error message is: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Robert_Mueller
Collaborator

Mhm.. the setting is now on "0" but I am a bit confused about the error message about the max. count of concurrent sessions..

0 Kudos
PhoneBoy
Admin

I'm asking around, but I suspect you should open a TAC case so we can gather the appropriate data related to this.
0 Kudos
HristoGrigorov

The log message is coming from the AC/UF blade, not the FW one. It seems there is an imposed limit on the number of concurrent connections that AC/UF can process.

0 Kudos
Robert_Mueller
Collaborator

Sounds logical.. is there a way to raise this value or bypass the traffic?

0 Kudos
HristoGrigorov

Not sure. I think sk112454 might be something similar, but you should probably first investigate why you hit this limit. Are there large numbers of open HTTP(S) connections that are stale, or probably you are under some kind of DoS? Even if there is such a limit, it should be a really high value.

0 Kudos
Robert_Mueller
Collaborator

Hi,

Thx - yes the traffic is OK so I can be sure that this is not a DoS attack 

0 Kudos
HristoGrigorov

Yeah, maybe you should ask TAC for assistance. That parsing error seems to be a problem in the software.

0 Kudos
PhoneBoy
Admin

In order to prevent DoS on the HTTP parser, we have two global (kernel) parameters that control the number of concurrent sessions:

  • ws_max_sessions_per_conn - The total allowed number of sessions per connection.
  • ws_max_timestamped_sessions_per_conn - The maximum allowed concurrent sessions where no response has been seen for it during a period of one minute. That is, we don't allow more than 100 concurrent requests where no response was received for any of them for one minute.

The default for these parameters is:

  • ws_max_sessions_per_conn: 200 prior to R80.30, 400 in R80.30+
  • ws_max_timestamped_sessions_per_conn: 50 prior to R80.30, 100 in R80.30+

You can increase those values on a temporary basis (using fw ctl set int) to check if the issue is resolved. To permanently set these kernel variables, see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
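
As an added example (not part of the thread and not Check Point's code), the temporary change described in the answer above can be wrapped in a small expert-mode shell helper that reads a limit first, refuses to lower it, and verifies the new value afterwards. It assumes `fw ctl get int NAME` prints `NAME = VALUE`; the function names `ws_default`, `ws_get` and `ws_raise` are hypothetical.

```shell
#!/bin/sh
# Added example, not Check Point's code. Run in expert mode on the gateway.
# Assumption: `fw ctl get int NAME` prints "NAME = VALUE".

# Defaults quoted in the thread: 200/50 before R80.30, 400/100 from R80.30 on.
ws_default() {  # ws_default <param> <version, e.g. R80.10>
  v=${2#R}; major=${v%%.*}; minor=0
  case $v in *.*) minor=${v#*.} ;; esac
  newer=0
  if [ "$major" -gt 80 ] || { [ "$major" -eq 80 ] && [ "$minor" -ge 30 ]; }; then
    newer=1
  fi
  case "$1:$newer" in
    ws_max_sessions_per_conn:0)             echo 200 ;;
    ws_max_sessions_per_conn:1)             echo 400 ;;
    ws_max_timestamped_sessions_per_conn:0) echo 50 ;;
    ws_max_timestamped_sessions_per_conn:1) echo 100 ;;
    *) return 1 ;;
  esac
}

# Print the running value of a kernel parameter.
ws_get() {
  fw ctl get int "$1" | awk -F' = ' 'NF == 2 { print $2 }'
}

# Raise a limit on a temporary basis (a value set this way is lost on reboot).
# Rejects non-numeric input and refuses to lower the value, because these
# limits exist to protect the HTTP parser from DoS.
ws_raise() {  # ws_raise <param> <new value>
  case $2 in ''|*[!0-9]*) echo "value must be a number" >&2; return 2 ;; esac
  cur=$(ws_get "$1")
  [ -n "$cur" ] || { echo "cannot read $1" >&2; return 3; }
  if [ "$2" -le "$cur" ]; then
    echo "$1 is already $cur, not changing" >&2
    return 1
  fi
  fw ctl set int "$1" "$2" >/dev/null || return 3
  now=$(ws_get "$1")
  echo "$1: $cur -> $now"
  [ "$now" = "$2" ]   # succeed only if the gateway reports the new value
}
```

Comparing `ws_get` against `ws_default` for the installed version shows whether a limit has already been changed before raising it further.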

Robert_Mueller
Collaborator

Thx... I will increase the settings, perhaps this will solve that....

 

Thx for your support!

0 Kudos
