
MAX Connections - HELP!!!


NERIC (Technical User), Apr 18, 2002
I am trying to configure our Checkpoint FW1 firewall (Nokia IP 400, IPSO). Right now the maximum # of connections is set to 25,000. I want to kick it up to 100,000. I tried to use the modzap util and it wouldn't work for some reason. Should I be able to edit the table.def file to achieve this? If so, would I need a reboot or just a restart of fw? Most of the unix commands I could find in FAQs didn't work either. I tried changing it with ipsctl and the parameters are different for some reason. Any ideas?

 
In the firewall object (NG), in the policy editor under the Advanced tab, there is a setting for maximum concurrent connections (default 25000).
 
Thanks for the reply. But, I have no advanced tab on my GUI. I am using Version 4.1 of the policy editor.
 
If you look at this, it explains (I have extracted the section on IPSO below):


On an IPSO system (VPN-1 Appliance or Nokia IPxxx), it is not necessary to adjust this value on FireWall-1 4.1 SP2 on IPSO 3.3 and later because this value is dynamically set based on physical memory according to the following table, which is usually more than is needed:

Physical Memory    Value for Modzap
64mb               0xa00000  (10mb)
128mb              0xc00000  (12mb)
256mb              0x1000000 (16mb)
512mb              0x1b00000 (28mb)
 
Now I'm really confused. I read in many articles/FAQs that adding the parameter of "limit" to the table.def file would work. Here's the line from ours.
TCP_START_TIMEOUT
expcall KFUNC_CONN_EXPIRE kbuf 1 limit 50000 hashsize 65536

The syntax was different in what I read. I tried adding a semicolon on the end like the one I read and the policy install failed. Removed the semicolon. Install passed. Is this machine that rare that nobody has the right info? Or do I need to spend some money on training?



 
I am no expert on this; I am just scanning articles.
From what I read, you still need to increase the number of connections, but the Nokia adjusts the kernel memory dependent on main memory, so you don't need to touch that (as above).


This is worth a read, but it is for 4.0.




And this is extracted from another article

Adjusting the connection table parameters for maximal (desired) number of concurrent connections and faster connection table lookups.

Again, good rule of thumb is to increase the connection table limit to 50000 (default 25000). With that number of connections it is also important to increase the table hash size to 65536 (default 8192) for faster lookups. Insufficient connection table size leads to connections being dropped and serious performance degradation. Adequate hashing noticeably improves performance.

In $FWDIR/lib/table.def file, 'connections' value:

connections = ... limit 50000 hashsize 65536
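The article quoted above only shows the 'connections' line with "..." in place of the rest of the definition. As an added example (not from the thread or from Check Point), the POSIX sh script below rewrites the 'limit' and 'hashsize' tokens on the connections table of a table.def and reads them back so you can confirm the edit before reinstalling the policy. The sample table.def it writes is a constructed excerpt modelled on the two lines NERIC posted (expires TCP_START_TIMEOUT on one line, expcall KFUNC_CONN_EXPIRE ... limit ... hashsize on the next); the exact layout of a real 4.1 table.def, the '$FWDIR/lib' path and the power-of-two check on hashsize are assumptions, the last being a sanity check of my own, not a rule stated on the page.

```shell
#!/bin/sh
# Added example, not code from the thread: tune the 'limit' and 'hashsize'
# tokens of the FireWall-1 connections table in a table.def and verify them.

# write_sample_table_def FILE
#   Writes a constructed excerpt modelled on the lines posted in the thread.
#   This is NOT a real table.def; it only carries the connections table.
write_sample_table_def() {
    cat > "$1" <<'EOF'
// constructed excerpt (assumed layout, not a real FireWall-1 4.1 table.def)
connections = dynamic refresh expires TCP_START_TIMEOUT
              expcall KFUNC_CONN_EXPIRE kbuf 1 limit 25000 hashsize 8192;
EOF
}

# is_power_of_two N  -> exit 0 if N is a positive power of two.
#   Assumption: hash table sizes should be powers of two (8192 and 65536,
#   the values the thread mentions, both are).
is_power_of_two() {
    n=$1
    [ "$n" -gt 0 ] 2>/dev/null || return 1
    while [ $((n % 2)) -eq 0 ]; do n=$((n / 2)); done
    [ "$n" -eq 1 ]
}

# conn_table_params FILE  -> prints "LIMIT HASHSIZE" currently set on the
#   line that carries the connections expiry callback (KFUNC_CONN_EXPIRE).
conn_table_params() {
    sed -n 's/.*KFUNC_CONN_EXPIRE.*limit[[:space:]]*\([0-9][0-9]*\).*hashsize[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' "$1" \
        | head -n 1
}

# set_conn_table_params FILE LIMIT HASHSIZE
#   Keeps FILE.bak, rewrites only the KFUNC_CONN_EXPIRE line, and prints the
#   values read back from the rewritten file so the caller can check them.
set_conn_table_params() {
    file=$1; limit=$2; hashsize=$3
    if ! is_power_of_two "$hashsize"; then
        echo "hashsize $hashsize is not a power of two, refusing" >&2
        return 1
    fi
    cp "$file" "$file.bak" || return 1
    sed -e "/KFUNC_CONN_EXPIRE/s/limit[[:space:]]*[0-9][0-9]*/limit $limit/" \
        -e "/KFUNC_CONN_EXPIRE/s/hashsize[[:space:]]*[0-9][0-9]*/hashsize $hashsize/" \
        "$file.bak" > "$file" || return 1
    conn_table_params "$file"
}

# Demo on the constructed file in a scratch directory. On a real box you
# would point this at $FWDIR/lib/table.def (assumed path from the article)
# on the management station and then reinstall the policy.
demo_dir=$(mktemp -d)
write_sample_table_def "$demo_dir/table.def"
echo "before: $(conn_table_params "$demo_dir/table.def")"
echo "after:  $(set_conn_table_params "$demo_dir/table.def" 50000 65536)"
rm -rf "$demo_dir"
```

Run it against a copy of your own table.def first and diff the result against the .bak; the script changes nothing but the two numbers on the KFUNC_CONN_EXPIRE line, so whether your file ends that line with a semicolon or not is left exactly as it was.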
 
Once again, I really appreciate the help. But please, no more cut-and-pastes from posts. That's what's giving me the most trouble. For example, the line "connections = ... limit 50000 hashsize 65536" is obviously not the full or specific syntax. "..." replaces some text, and the rest isn't really clear from the post. Does anyone have an actual section from their own working firewall?
 
I'm hoping that you found a solution by now. But, if not, reply to this and I'll send it to you. And, yes, this box is so rare that nobody has much info on it. It's also confused by a lot of people with other versions/platforms of the Checkpoint Firewall. The Nokia is an odd bird with its very own issues and solutions. I have been through the same headaches. I can send you a quick solution if you still need one.

 