Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jason_Carrillo
Collaborator
Jump to solution

Aggressive Aging

TL;DR How does one determine if a connection entry was purged because Aggressive Aging?

Apologies if this has been answered previously, but I'm struggling to find information about how to track down when aggressive aging has occurred. I know that "fw ctl pstat" will tell me if it is active but is there a way to track down if it has happened recently. 

We have some connections that are getting registered as out of state and I'd like to try and determine if they are the result of TCP start timeouts, TCP session timeouts or aggressive aging timeouts. 

Some of them are easy to determine. Couple minutes after an accept, you get an ACK dropped out of state, probably the start timeout. Couple hours after an accept, you get out of state drops on the same port combinations, probably a session. 

But the forty minute after accept drops for the same port combination are the ones that are stumping me.  Within the session timeouts, way too far out to be a start timeout (unless something is REALLY wrong with our wireless network) but within the range of the Aggressive Aging settings.

Our connection limit is set to Automatic and the firewall itself doesn't seem to be under too much load. 

0 Kudos
2 Solutions

Accepted Solutions
Kaspars_Zibarts
Employee Employee
Employee

Just search in smartlog, see attached screenshot

View solution in original post

Sascha_Bremshey
Contributor

In case you don't want to download and open the screenshot:

Search term "aggressive_aging_general" is used.

 

View solution in original post

0 Kudos
5 Replies
Kaspars_Zibarts
Employee Employee
Employee

Just search in smartlog, see attached screenshot

Jason_Carrillo
Collaborator
Perfect! Thank you. No sign of those logs in my walls, so AA doesn't appear to be the culprit.
0 Kudos
Sascha_Bremshey
Contributor

In case you don't want to download and open the screenshot:

Search term "aggressive_aging_general" is used.

 

0 Kudos
KostasGR
Advisor

Hello 

By default when the connection table reaches 80% of its capacity the anti-Dos mechanism agressive aging takes place.

Has anyone configured a snmp trap mechanism in order to get  a notification if capacity of connection table reaches 70% for example?

BR,

Kostas

0 Kudos
pjoseph
Explorer

Yes - we have set it to 45% to ensure we're capable of full site failover.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events