What is "Drop-reason of FW = Capacity"?
Hi all, we're replacing EOL 15000 series FWs with 6000 series. The configurations are largely identical (using ClusterXL in active/standby) and the replacement FWs are sized correctly. We've had several failed migration attempts to the new Firewalls - all acceptance tests complete successfully, yet when production traffic starts to return to normal levels following the end of the outage window, poor performance is observed.
According to CPVIEW, there are a high number of drops due to "Capacity" - yet nowhere can I find what this relates to. It can't be CPU or interface, since these are nowhere near maximum. Does anyone know what can cause drops due to "capacity"? This counter can be seen to increment at a high rate and, having ruled everything else out, it would appear this is the cause of the perceived performance issues.
Accepted Solutions
Probably memory, look at the first few output lines of fw ctl pstat for capacity statistics. Make sure that connection table size is set to "automatically" on your gateway/cluster object, and not still set to a manual limit which was the only option in the SecurePlatform/IPSO days (and still required for VSX).
CET (Europe) Timezone Course Scheduled for July 1-2
Hi @SteveM
Where do you see this in CPVIEW? Can you attach a screenshot? Just blur the sensitive info.
Akos
\m/_(>_<)_\m/
Memory doesn't exceed 32%, but the concurrent connection table is set to a 25000 limit on the new Cluster object - but automatic on the old FWs. It looks like this could be the cause - according to CPVIEW, the concurrent connections never exceed 24,720. Thank you!!
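A quick headroom check for the situation found above, added here as an example (it is not code from the thread or from Check Point): it parses the summary row of `fw tab -t connections -s` (the HOST / NAME / ID / #VALS / #PEAK / #SLINKS column layout is assumed from that command; the sample output is constructed using the thread's numbers) and flags a peak that sits close to the configured table limit, which is the condition that surfaces as "Capacity" drops in CPVIEW.

```python
import re

# Constructed sample of `fw tab -t connections -s` output, modelled on the
# real command's column layout (HOST NAME ID #VALS #PEAK #SLINKS).
# Peak and limit match the figures reported in this thread: a manual
# 25,000-entry limit and an observed peak of 24,720 connections.
SAMPLE_OUTPUT = """\
HOST                  NAME                         ID   #VALS   #PEAK  #SLINKS
localhost             connections                8158   19850   24720    39700
"""


def parse_connections_summary(text):
    """Return (current, peak) entry counts from `fw tab -t connections -s`."""
    for line in text.splitlines():
        fields = line.split()
        # Data rows have at least HOST NAME ID #VALS #PEAK; skip the header.
        if len(fields) >= 5 and fields[1] == "connections":
            return int(fields[3]), int(fields[4])
    raise ValueError("no 'connections' row found in fw tab output")


def capacity_headroom(peak, limit, warn_ratio=0.9):
    """Compare the peak connection count with the configured table limit.

    A peak within warn_ratio of the limit means the table can fill under
    production load; once it is full, new connections are dropped and the
    "Capacity" drop counter climbs. Returns the utilisation and a verdict.
    """
    ratio = peak / limit
    if ratio >= 1.0:
        verdict = "table full: new connections are being dropped"
    elif ratio >= warn_ratio:
        verdict = "near limit: expect capacity drops at peak load"
    else:
        verdict = "ok"
    return {"peak": peak, "limit": limit,
            "utilisation": round(ratio, 3), "verdict": verdict}


if __name__ == "__main__":
    current, peak = parse_connections_summary(SAMPLE_OUTPUT)
    # Limit comes from the gateway/cluster object, not from fw tab output.
    print(capacity_headroom(peak, limit=25000))
```

Setting the connection table to automatic on the cluster object removes the fixed ceiling; re-run the check after policy install to confirm the peak is no longer pinned just under a round number.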
That could be your issue, just change it to automatic, as that's the best setting, since it lets the firewall auto calculate the usage. Install policy, test.
Andy
I would also check the bottom setting:
Enable or disable firewall drop optimization to improve gateway resource consumption during periods of heavy traffic load. Let SecureXL handle traffic that the firewall policy determines should be dropped.
Not enabling this option means that only Allowed connections are off loaded to SecureXL, leaving the gateway to handle connections that should be dropped or rejected.
Andy
And of course we need some more info:
- what is the version (version + take)?
- do you see anything interesting in /var/log/messages?
- is dynamic balancing enabled?
- if you do a manual failover, does the problem arise on site B too?
- what kind of traffic is affected?
Akos
\m/_(>_<)_\m/
