Reserved Connections

Normally, when the connection table limit is reached, no more connections are allowed, even ones critical for operating and managing the gateway. The reserved connections feature allows the gateway to process these critical connections, even after the connections table limit is reached. There is a user defined amount of space that is reserved in the connections table for these critical connections. If the Rule Base allows these connections, they are allowed even if no other connections can be accepted.

For example, when the connections table limit is reached, the administrator may not be able to install a new policy that increases the connections limit or open other necessary connections, such as SSH to the gateway.

Enforcing the reserved connections limit

By default, the number of reserved connections is limited to 2000. The actual limit of the connections table is increased by this amount.

Before a new connection is recorded, the system makes sure that there is sufficient space in the connections table. If connections table limit is reached, the connection is recorded if it satisfies these conditions:

• The limit is below the limit sum of connections table limit and reserved connections limit.
• Connection matches one of the rules in the reserved connections table

If not, the connection is not recorded.

In VSX, Reserved Connections are supported for VS0 only.

Syntax

# asg_reserved_conns

Please choose one of the following:

-----------------------------------

1) Print reserved connections table

2) Add new reserved connection rule

3) Delete reserved connection rule

4) Exit

>

To show the reserved connections table:

Enter: 1

Output

Idx  Source           Mask  Destination      Mask  DPort  Ipp    Interface

---  ---------------  ----  ---------------  ----  -----  -----  ------------

 1)          0.0.0.0     0          0.0.0.0     0   1129      6         Sync

 2)          0.0.0.0     0          0.0.0.0     0   1130      6         Sync

 3)          0.0.0.0     0          0.0.0.0     0   4444      6         Sync

 4)          0.0.0.0     0          0.0.0.0     0     22      6         Sync

 5)          0.0.0.0     0          0.0.0.0     0   8888      6         Sync

 6)          0.0.0.0     0          0.0.0.0     0   2010      6         Sync

 7)          0.0.0.0     0          0.0.0.0     0   1131      6         Sync

 8)          0.0.0.0     0          0.0.0.0     0   1132      6         Sync

 9)          0.0.0.0     0          0.0.0.0     0    256      6         Sync

10)          0.0.0.0     0          0.0.0.0     0      0      1         Sync

11)          0.0.0.0     0          0.0.0.0     0   8116     17         Sync

12)          0.0.0.0     0          0.0.0.0     0      0      1     eth1-CIN

13)          0.0.0.0     0          0.0.0.0     0     22      6     eth1-CIN

14)          0.0.0.0     0          0.0.0.0     0     23      6     eth1-CIN

15)          0.0.0.0     0          0.0.0.0     0    161     17     eth1-CIN

16)          0.0.0.0     0          0.0.0.0     0    623     17     eth1-CIN

17)          0.0.0.0     0          0.0.0.0     0      0      1     eth2-CIN

18)          0.0.0.0     0          0.0.0.0     0     22      6     eth2-CIN

19)          0.0.0.0     0          0.0.0.0     0     23      6     eth2-CIN

20)          0.0.0.0     0          0.0.0.0     0    161     17     eth2-CIN

21)          0.0.0.0     0          0.0.0.0     0    623     17     eth2-CIN

22)          0.0.0.0     0          0.0.0.0     0     22      6          Any

23)          0.0.0.0     0          0.0.0.0     0    256      6          Any

24)          0.0.0.0     0          0.0.0.0     0  18191      6          Any

25)          0.0.0.0     0          0.0.0.0     0  18192      6          Any

Press enter to continue

To add a reserved connection rule:

1. Enter: 2
2. Follow the directions on the screen.

Enter source IP [0.0.0.0]:

>10.10.10.10

Enter source IP mask length [0]:

>24

Enter destination IP [0.0.0.0]:

>20.20.20.0

Enter destination IP mask length [0]:

>24

Enter destination port [0]:

>0

Enter IP protocol number (for example: tcp = 6, udp = 17):

>6

Enter interface number [0 = Any]:

0: Any

1: eth1-Mgmt4

2: eth2-Mgmt4

3: BPEth0

4: BPEth1

5: eth1-Mgmt1

6: eth1-CIN

7: eth1-01

8: eth2-Mgmt1

9: eth2-CIN

10: eth2-01

11: Sync

>0

OK to insert new reserved conn rule: <10.10.10.10/24, 20.20.20.0/24, 0, 6, Any> ? (y/n)

>y

entry inserted, rule will apply when new connection will be opened

Press enter to continue

To make sure the feature is configured correctly:

1. Make sure the value of the kernel global parameter fwconn_reserved_conn_active is set to: 1
2. Run asg_reserved_conns and enter: 1
3. Run fw tab -t reserved_conns_table and make sure that the table contains the entries for the rules above.
4. Make sure the contents of $FWDIR/bin/reserved_conns_table has rules of this feature.

To debug the feature:

1. Set the kernel global parameter fwreserved_conns_debug to: 1
2. Use the CONN kernel debug flag to see reserved connections related debugs.

To troubleshoot the feature:

1. Run:

   # fw tab -t reserved_conns_table

2. Make sure that the table contains the entries for the rules in this feature.
3. Make sure the contents of $FWDIR/bin/reserved_conns_table has rules of this feature.

   Important - Do not make changes to this file.

4. Delete all current rules from the kernel and reload the rules from $FWDIR/bin/reserved_conns_tab:

   # asg_reserved_conns -f

   It is useful if there were changes in network interface names or if $FWDIR/bin/reserved_conns_table was edited directly.

Configuration

The feature works after installation without additional configuration.

The rules are stored in:

$FWDIR/bin/reserved_conns_table

The feature uses these kernel global variables: