Re: [FW-1] db2 errors / too many concurrent connections? (4.1. sp5, ipso 3.4.1)

> Here's a problem that has been steadily growing worse for several months:
>
> {Internet}
> |
> [webserver 1] -- |
> [webserver 2] ------| DMZ |
> [webserver 3] -- |
> (2 nics> |
> 1 ext, 1 to dmz) |
> |
> {Internal Network}
> |
> Mainframe Unix Box
> (db2 connect) (for images)
>
> Connectivity between our DMZ and the internal interface periodically
> drops, approximately once a week. The only way to restore connectivity
> is to re-publish the rules and reboot the offending web server. We don't
> believe the problem is with the web servers, we've added another & the
> problem remains the same. Is this an issue with the table.def file
> filling up? Correct me if I am wrong, but can checkpoint FW1 (4.1 sp5)
> handle more than 25,000 concurrent connections?

CheckPoint can handle more than 25,000 connections, but only if you tell
it to. Also, make sure the box has enough memory, and that enough has been
allocated to CheckPoint.

> I'm guessing the connections table (table.def) fills up and the only way to
> purge the connection is to flush the table. We currently have a ticket
> open with Nokia, they are building a script that will clear the table.
> Is this going down the right path? Another option is to segment this troubled
> portion of our network with another F/W but that will require a
> significant amount of work.

I have a 3.4.2 box running FP1 that was having the exact same problem. In
my case, fwssd was core dumping and NAT was failing. In my case this was
the result of letting CheckPoint handle ARP.

You may want to do a "find / -name \*core" and see if there are any
firewall processes which have dumped. If you want to, you can run gdb and
type "core-file <filename>" to load the core file and see why the process
died.

-Don