This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jason_Carrillo
Collaborator
‎2019-03-29 09:35 AM
Jump to solution

Aggressive Aging

TL;DR How does one determine if a connection entry was purged because Aggressive Aging?

Apologies if this has been answered previously, but I'm struggling to find information about how to track down when aggressive aging has occurred. I know that "fw ctl pstat" will tell me if it is active but is there a way to track down if it has happened recently. 

We have some connections that are getting registered as out of state and I'd like to try and determine if they are the result of TCP start timeouts, TCP session timeouts or aggressive aging timeouts. 

Some of them are easy to determine. Couple minutes after an accept, you get an ACK dropped out of state, probably the start timeout. Couple hours after an accept, you get out of state drops on the same port combinations, probably a session. 

But the forty minute after accept drops for the same port combination are the ones that are stumping me.  Within the session timeouts, way too far out to be a start timeout (unless something is REALLY wrong with our wireless network) but within the range of the Aggressive Aging settings.

Our connection limit is set to Automatic and the firewall itself doesn't seem to be under too much load. 

0 Kudos
2 Solutions

Accepted Solutions
Kaspars_Zibarts
Employee Employee
Employee
‎2019-03-29 11:37 AM
Jump to solution

Just search in smartlog, see attached screenshot

View solution in original post

Preview file
492 KB
Sascha_Bremshey
Contributor
‎2021-04-12 11:55 PM
In response to Kaspars_Zibarts
Jump to solution

In case you don't want to download and open the screenshot:

Search term "aggressive_aging_general" is used.

 

View solution in original post

0 Kudos
5 Replies
Kaspars_Zibarts
Employee Employee
Employee
‎2019-03-29 11:37 AM
Jump to solution

Just search in smartlog, see attached screenshot

Preview file
492 KB
Jason_Carrillo
Collaborator
‎2019-03-29 11:39 AM
In response to Kaspars_Zibarts
Jump to solution

Perfect! Thank you. No sign of those logs in my walls, so AA doesn't appear to be the culprit.
0 Kudos
Sascha_Bremshey
Contributor
‎2021-04-12 11:55 PM
In response to Kaspars_Zibarts
Jump to solution

In case you don't want to download and open the screenshot:

Search term "aggressive_aging_general" is used.

 

0 Kudos
KostasGR
Advisor
‎2021-08-04 07:41 AM
Jump to solution

Hello 

By default when the connection table reaches 80% of its capacity the anti-Dos mechanism agressive aging takes place.

Has anyone configured a snmp trap mechanism in order to get  a notification if capacity of connection table reaches 70% for example?

BR,

Kostas

0 Kudos
pjoseph
Explorer
‎2022-01-26 09:53 AM
In response to KostasGR
Jump to solution

Yes - we have set it to 45% to ensure we're capable of full site failover.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events