akurtasanov
Contributor

Do not understand how Aggressive Aging works with default settings

Explain to me, a fool, how the aggressive aging option should work on standard settings 🙂
By default, we have a drop when 80% of the connection limit AND 80% of the memory are reached.
But how should it work when "fw ctl pstat" shows the limit of concurrent connections as Unlimited?

0 Kudos
10 Replies
Chris_Atkinson
MVP Platinum CHKP

Based on % memory utilization, did you already review:

sk122154 - How is Aggressive Aging enforced when Concurrent Connections Capacity Limit is calculated...?

CCSM R77/R80/ELITE
0 Kudos
akurtasanov
Contributor

Thanks!

Somehow didn't find this SK.

But with fw_salloc_maxmem_usage = 85 and around 90% Utilized memory I don't see any activity of Aggressive Aging.
The default Inspection profile is applied; pstat says that AA is enabled but not active.

And this is not the first case, so I would like to clarify before TAC.

0 Kudos
Chris_Atkinson
MVP Platinum CHKP

How are you monitoring / calculating the memory consumption?

CCSM R77/R80/ELITE
0 Kudos
akurtasanov
Contributor

cpview + fw ctl pstat

There was one case when the memory jumped over 90% and the firewall literally committed suicide in the following way (sk114529), but AA was still enabled and not active.

0 Kudos
Chris_Atkinson
MVP Platinum CHKP

Do you use many custom TCP/UDP service objects? Has Aggressive Aging been disabled for those?

Which version & JHF is used, and is this a regular cluster/gateway or Maestro?

CCSM R77/R80/ELITE
0 Kudos
akurtasanov
Contributor

Not so many. I have to check, but no more than 5-10 specific services.

0 Kudos
Timothy_Hall
MVP Gold

Use free -m to assess memory utilization. Ignore the value reported for "free" and look at the "available" number; that is what Aggressive Aging is looking at when deciding whether to activate.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
Lesley
MVP Gold

With this you can also see it, right?

  • 'Free Real Memory' in output of 'cpstat -f memory os' command
  • [ ('MemFree' + 'Buffers' + 'Cached') / 1024 ] from output of 'cat /proc/meminfo' command
-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Timothy_Hall
MVP Gold

Yes.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
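
The two measurements named in the replies above, computed from /proc/meminfo, as an added example that is not part of any post in this thread. The names mem_report and sample_meminfo are hypothetical and the sample values are constructed; the script only reports the figures and does not reproduce how Aggressive Aging decides to activate.

```shell
#!/bin/bash
# Added example: report the memory figures discussed in the thread.
# mem_report and sample_meminfo are hypothetical helper names.

mem_report() {
    # $1: meminfo-format file, "-" for stdin (default: the live /proc/meminfo)
    awk '
        # Strip the trailing colon from the key and keep the kB value.
        { key = $1; sub(/:$/, "", key); kb[key] = $2 }
        END {
            if (!("MemTotal" in kb) || kb["MemTotal"] == 0) {
                print "error: MemTotal missing" > "/dev/stderr"; exit 1
            }
            total = kb["MemTotal"]
            # Formula quoted in the thread: (MemFree + Buffers + Cached) / 1024
            legacy = kb["MemFree"] + kb["Buffers"] + kb["Cached"]
            printf "total_mb=%d\n", total / 1024
            printf "free_buffers_cached_mb=%d\n", legacy / 1024
            printf "free_buffers_cached_pct=%.1f\n", 100 * legacy / total
            # MemAvailable feeds the "available" column of free -m;
            # older kernels do not export it.
            if ("MemAvailable" in kb) {
                printf "available_mb=%d\n", kb["MemAvailable"] / 1024
                printf "available_pct=%.1f\n", 100 * kb["MemAvailable"] / total
            } else {
                print "available_mb=unknown"
            }
        }
    ' "${1:-/proc/meminfo}"
}

sample_meminfo() {
    # Constructed sample values, not taken from any gateway in the thread.
    cat <<'EOF'
MemTotal:       32768000 kB
MemFree:         1024000 kB
MemAvailable:    2949120 kB
Buffers:          204800 kB
Cached:          2048000 kB
EOF
}

# Demonstration on the constructed sample; on a gateway run: mem_report
sample_meminfo | mem_report -
```

The two percentages can differ because "available" is the kernel's own estimate, while the second figure simply adds free memory, buffers and page cache.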
akurtasanov
Contributor

Right now I have the following values:

[Expert@]# free -m
              total        used        free      shared  buff/cache   available
Mem:          31958       27252         910          30        3794        2915
Swap:         32159        9838       22321

[Expert@]# cpstat -f memory os

Total Virtual Memory (Bytes): 67232706560
Active Virtual Memory (Bytes): 40770469888
Total Real Memory (Bytes): 33510506496
Active Real Memory (Bytes): 30454579200
Free Real Memory (Bytes): 3055927296
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -

[Expert@]# fw ctl pstat

Virtual System Capacity Summary:
Physical memory used: 26% (7069 MB out of 27164 MB) - below watermark
Kernel memory used: 3% (901 MB out of 27164 MB) - below watermark
Virtual memory used: 21% (5975 MB out of 27164 MB) - below watermark
Used: 5975 MB by FW, 1152 MB by zeco
Concurrent Connections: 19074 (Unlimited)
Aggressive Aging is enabled, not active

Available and Free Real Memory are much smaller than the 15-20% limit when AA should be in sleep state. But right now, AA is still not active.

0 Kudos
