Ivo_Marques
Nickel

Connections Peak/Limit

Hi all,

I have two questions about this subject:

  • Is there a way to clear the PEAK connection value?
  • When I reach the connection limit, where the firewall logs this information?

I think I read an SK article about sending this information to /var/log/messages or $FWDIR/log/*.elg, but I can't find it anymore.

Thanks in advance.

Ivo

0 Kudos
10 Replies

Re: Connections Peak/Limit

Hi Ivo,

You can reset the connection details with the following command, but it will clear the whole connections table.

fw tab -t connections -x

Another option is to reboot the gateway.

You can check the peak connection value with the commands below.

fw tab -t connections -s

fw ctl pstat

Ivo_Marques
Nickel

Re: Connections Peak/Limit

Hi Gaurav,

Thanks for your reply, but deleting all connections or rebooting the gateway is a bit overkill.

The easiest way is to raise the connection limit, but it's still not a great solution.

Ivo

0 Kudos

Re: Connections Peak/Limit

Hi,

But for resetting the statistics, those are the only options, I think.

0 Kudos

Re: Connections Peak/Limit

As long as the maximum connection limit is set to "Automatically" on the firewall/cluster (sk105504: Traffic is dropped with "dropped by fwconn_memory_check Reason: full connections table" er... ) you should never bump into any kind of limit for the connections table, unless the system itself is low on free memory which will introduce a bunch of other problems.  The setting "Automatically" is selected by default if the firewall object is set for Gaia as the OS.

However if you have somehow reached the limit, the error message shown in the SK above will appear in the firewall logs sent to the SMS, and I think it will also be dumped into the syslog (/var/log/messages) on the firewall itself.  The Inspection Setting Aggressive Aging can be leveraged to send a "canary in the coal mine" notification that the connections table is almost full.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Ivo_Marques
Nickel

Re: Connections Peak/Limit

Hi Tim,

Ok, my environment is VSX! It's not possible to set "Automatically". I believe the "reach the limit" event is not sent, by default, to /var/log/message nor to the SMS log. (As I said, I think there is an SK to do that, but I can't find it anymore.)

Aggressive Aging is, maybe, a good solution because, for sure, it's logged in the SMS logs.

Thanks for your response

0 Kudos

Re: Connections Peak/Limit

Would this be theoretically possible with automatic calculation: in case of, let's say, a DDoS attack, a large number of connections would eat up all the memory and we'd lose the management connection to the box or encounter other problems?

0 Kudos

Re: Connections Peak/Limit

Sure that is possible, but hitting the connections limit will deny new connections from starting through the firewall and cause problems that are noticeable to your users.  As long as Aggressive Aging is enabled (which I'm pretty sure it is by default under Inspection Settings) the firewall shouldn't get to the point of having management problems in this situation.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos

Re: Connections Peak/Limit

As per my understanding, in order to have Aggressive Aging enabled with an R77.30 Management server, an IPS profile has to be applied; otherwise we get this:

System Capacity Summary:
Memory used: 8% (501 MB out of 5687 MB) - below watermark
Concurrent Connections: 1% (2976 out of 249900) - below watermark
Aggressive Aging is disabled

On the gateway which enforces the Default IPS profile (with an inactive contract):

System Capacity Summary:
Memory used: 20% (267 MB out of 1318 MB) - below watermark
Concurrent Connections: 35% (17846 out of 49900) - below watermark
Aggressive Aging is not active

However, in R80.10 under Inspection Settings the Default IPS profile is applied by default on all gateways, which is why Aggressive Aging is enabled everywhere.

So, taking this into account, I believe that it is not worth going with automatic connections calculation if you have Management on 77.30.
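An added example (not from any poster in this thread) of turning the "System Capacity Summary" output quoted above into a monitoring check: it parses the `Concurrent Connections` and `Aggressive Aging` lines, computes table usage against warning and critical thresholds, and flags a gateway whose Aggressive Aging is disabled or not active, since that gateway gets no early warning before the table fills. The sample block is constructed from the R77.30 gateway output above; the threshold values and the assumption that any aging state other than "disabled" / "not active" counts as active are mine.

```python
import re

# Constructed sample: the "System Capacity Summary" block that `fw ctl pstat`
# prints, taken from the R77.30 gateway example quoted above.
SAMPLE_PSTAT = """\
System Capacity Summary:
Memory used: 20% (267 MB out of 1318 MB) - below watermark
Concurrent Connections: 35% (17846 out of 49900) - below watermark
Aggressive Aging is not active
"""

CONN_RE = re.compile(r"Concurrent Connections:\s*\d+%\s*\((\d+) out of (\d+)\)\s*-\s*(.+)")
AGING_RE = re.compile(r"Aggressive Aging is (.+)")


def parse_capacity(text):
    """Pull the connections figures and Aggressive Aging state out of pstat output."""
    conn = CONN_RE.search(text)
    if conn is None:
        # Fail loudly so a scheduled check never quietly reports "healthy".
        raise ValueError("no 'Concurrent Connections' line in pstat output")
    current, limit = int(conn.group(1)), int(conn.group(2))
    aging = AGING_RE.search(text)
    state = aging.group(1).strip() if aging else "unknown"
    # Assumption: any state other than "disabled" / "not active" means aging can kick in.
    active = aging is not None and not re.search(r"disabled|not active", state)
    return {"current": current, "limit": limit, "watermark": conn.group(3).strip(),
            "percent": round(100.0 * current / limit, 1) if limit else 0.0,
            "aging_active": active, "aging_state": state}


def check_capacity(text, warn_pct=80.0, crit_pct=95.0):
    """Return alert strings for a cron job to forward (syslog, SNMP trap, ...)."""
    cap = parse_capacity(text)
    usage = f"connections table at {cap['percent']}% ({cap['current']}/{cap['limit']})"
    alerts = []
    if cap["percent"] >= crit_pct:
        alerts.append("CRITICAL: " + usage)
    elif cap["percent"] >= warn_pct:
        alerts.append("WARNING: " + usage)
    if not cap["aging_active"]:
        alerts.append(f"WARNING: Aggressive Aging is {cap['aging_state']}; "
                      "no early warning before the table fills")
    return alerts


if __name__ == "__main__":
    # On a gateway, feed in the real output of `fw ctl pstat` instead of the sample.
    for line in check_capacity(SAMPLE_PSTAT):
        print(line)
```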

Re: Connections Peak/Limit

Not sure if it is what you are looking for, but you can generate alerts by monitoring the number of connections via SNMP OID 1.3.6.1.4.1.2620.1.1.25.3

0 Kudos

Re: Connections Peak/Limit

I think you just want to reset the statistics.

Never found any way either.

Best regards

Vince

and now to something completely different
0 Kudos