[FW1] RE: FireWall-1, 40000 connections, and a hammered processor ...
I have encountered this problem, and have been able to fix it. I had a very high-volume web site, with more than a million hits per hour. The firewall reached the limit of 25K connections and choked after 20 minutes of uptime. I increased the "maximum allowed connections" limit to 50K and it choked after an hour.

Let's see.... When a TCP connection is made to your server through the firewall, the connection is inserted into the firewall's state table. When does the firewall delete the connection from the table?

1. When an RST packet is sent in either direction.
2. When the connection ends (FIN packet).
3. When you reload the security policy - the connection table is cleared.
4. When the timeout is reached.

By default, the timeout for idle TCP connections is one hour. That means that if the connection is not terminated by one of the endpoints, client or server, the connection just sits there in the state table, becoming a "zombie" connection, for an hour. My customer had a bug in his HTTP-based application; something didn't close the session, I don't remember if it was the client or the server.

Everyone would agree that no connection should last an hour. Remember, we're talking about IDLE connections; I can hardly think of a situation when you have fifty thousand active downloads simultaneously. Moreover, the HTTP protocol usually closes the session after you get your page, unless you have keep-alives enabled on the server. The only scenario I can think of when you have an idle session for more than an hour is telnet, when you leave your terminal open and go for lunch.

You have an option in FireWall-1 to define different timeouts for different protocols. Check this: http://www.phoneboy.com/fw1/faq/0203.html

What I did was pretty simple: I defined the timeout for HTTP to be 40 seconds, and I left the default 3600 for all the rest.
Since then the FireWall stayed at less than 8000 connections, no connections were lost, the customer saved a lot of money on a load-balancing solution, and they lived happily ever after.

HTH,
Cheers,
Michael.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, December 01, 2000 11:00 PM
To: [email protected]
Cc: [email protected]
Subject: RE: [FW1] FireWall-1, 40000 connections, and a hammered processor ...

Hey Frank,

It's a pretty plain install really. We're already looking at a solution involving Alteon switches to split up the load between two servers, but we haven't even received eval units yet to be able to check them out and see if they do what we want them to.

FireWall-1 4.0
No NAT or VPN
Connection limit size changed as well as the hashtable size per FAQ

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice
E-mail [email protected]
Web http://www.kde.state.ky.us/

> -----Original Message-----
> From: Frank Darden [mailto:[email protected]]
> Sent: Friday, December 01, 2000 2:24 PM
> To: '[email protected]'; [email protected]
> Subject: RE: [FW1] FireWall-1, 40000 connections, and a hammered processor ...
>
> You bet I have. However, I will need a bit more info on your configuration. What FW version? Are you using NAT? Where? When you say that you increased the connection table, did you also increase the hash size as well? What exactly did you change? If you could provide the info above, I may be able to help.
>
> 40k connections through a single firewall is quite a lot. Not that it's not possible, but you might want to start making some plans to split up or load balance your traffic.
>
> Frank
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Friday, December 01, 2000 12:18 PM
> To: [email protected]
> Subject: [FW1] FireWall-1, 40000 connections, and a hammered processor...
> Hey all,
>
> We are currently experiencing a problem where our firewall reaches about 40,000 concurrent connections (we increased the limit), starts slowing down dramatically, and fwd starts eating CPU cycles. Has anyone seen this before?
>
> Thanks,
> Abe
>
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice
> E-mail [email protected]
> Web http://www.kde.state.ky.us/
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
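The state-table behaviour Michael describes above (an entry is created by a SYN, removed by FIN or RST, refreshed by in-state traffic, and otherwise swept out only when the per-service idle timeout elapses) as an added Python model. This is not part of the thread and not FireWall-1 code; the traffic pattern, the flow keys, the server address 192.0.2.10, the connection rate and the "one in ten connections is never closed" leak are constructed for the example. The 3600-second default, the 40-second HTTP timeout and the 25K connection limit are the figures from the message. Running it shows the zombie count tracking leak rate times timeout: about 3600 entries with the one-hour default against about 40 with the 40-second HTTP timeout, and, with a small limit, new SYNs being refused once the table is full.

```python
"""Model of a stateful firewall's connection table with per-service idle
timeouts, showing why never-closed HTTP sessions pile up under a one-hour
timeout and stay bounded under a 40-second one.
Added example; not FireWall-1 code. Times are integer seconds."""
import heapq
import itertools
from dataclasses import dataclass


@dataclass
class Entry:
    id: int          # unique per insertion (disambiguates a reused key)
    service: str     # selects the idle timeout
    last_seen: int   # time of the last packet seen on this flow


class ConnTable:
    """State table: SYN creates an entry, FIN/RST removes it, any other
    in-state packet refreshes it, and an entry idle for longer than its
    service's timeout is swept out. Expiries sit in a lazily invalidated
    min-heap so sweeps do not scan the whole table."""

    def __init__(self, max_conns=25000, default_timeout=3600, timeouts=None):
        self.max_conns = max_conns
        self.default_timeout = default_timeout   # FW-1 default for TCP
        self.timeouts = dict(timeouts or {})     # per-service overrides
        self.table = {}                          # key -> Entry
        self.heap = []                           # (expires_at, id, key, last_seen)
        self.ids = itertools.count()
        self.refused = 0   # SYNs rejected because the table was full
        self.expired = 0   # entries removed by idle timeout
        self.peak = 0      # high-water mark of the table size

    def idle_timeout(self, service):
        return self.timeouts.get(service, self.default_timeout)

    def _schedule(self, key, e):
        expires_at = e.last_seen + self.idle_timeout(e.service)
        heapq.heappush(self.heap, (expires_at, e.id, key, e.last_seen))

    def sweep(self, now):
        """Drop entries idle for longer than their timeout as of `now`."""
        while self.heap and self.heap[0][0] < now:
            _, eid, key, seen = heapq.heappop(self.heap)
            e = self.table.get(key)
            if e is not None and e.id == eid and e.last_seen == seen:
                del self.table[key]
                self.expired += 1

    def packet(self, now, key, service, flags=""):
        """Process one packet; return True if it is allowed through."""
        self.sweep(now)
        e = self.table.get(key)
        if e is not None:
            if "F" in flags or "R" in flags:
                del self.table[key]            # an endpoint closed it
            else:
                e.last_seen = now              # refresh the idle timer
                self._schedule(key, e)
            return True
        if "S" not in flags:
            return False                       # no state and not a SYN
        if len(self.table) >= self.max_conns:
            self.refused += 1                  # "maximum allowed connections" hit
            return False
        e = Entry(next(self.ids), service, now)
        self.table[key] = e
        self._schedule(key, e)
        self.peak = max(self.peak, len(self.table))
        return True


def simulate(table, seconds=3600, conns_per_sec=10, leak_every=10):
    """Constructed traffic: every second `conns_per_sec` HTTP connections
    open and close one second later, except every `leak_every`-th one,
    which neither side ever closes (the application bug in the thread).
    Keys are (flow_number, server, port) standing in for the 4-tuple."""
    n = 0
    pending = []   # flows opened last second that close this second
    for t in range(seconds):
        for key in pending:
            table.packet(t, key, "http", flags="F")
        pending = []
        for _ in range(conns_per_sec):
            n += 1
            key = (n, "192.0.2.10", 80)
            table.packet(t, key, "http", flags="S")
            if n % leak_every:
                pending.append(key)
    table.sweep(seconds)
    return {"final": len(table.table), "peak": table.peak,
            "refused": table.refused, "expired": table.expired}


def compare(max_conns=25000):
    """Same traffic against the one-hour default and against the
    40-second HTTP timeout from the message above."""
    return {
        "default_3600": simulate(ConnTable(max_conns=max_conns)),
        "http_40": simulate(ConnTable(max_conns=max_conns,
                                      timeouts={"http": 40})),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With one leaked connection per second, the steady state is leak rate times idle timeout (Little's law): 3600 zombies under the default and 40 under the HTTP override, which is the whole effect Michael reports. Lowering max_conns (for instance `simulate(ConnTable(max_conns=1000))`) shows the other half of the story: once the table is full, further SYNs are refused rather than queued, which is what "choked" looks like from the client side.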