Reserved Connections
Normally, when the connection table limit is reached, no more connections are allowed, even ones critical for operating and managing the gateway. The reserved connections feature allows the gateway to process these critical connections, even after the connections table limit is reached. A user-defined amount of space is reserved in the connections table for these critical connections. If the Rule Base allows these connections, they are allowed even if no other connections can be accepted.
For example, when the connections table limit is reached, the administrator may not be able to install a new policy that increases the connections limit or open other necessary connections, such as SSH to the gateway.
Enforcing the reserved connections limit
By default, the number of reserved connections is limited to 2000. The actual limit of the connections table is increased by this amount.
Before a new connection is recorded, the system makes sure that there is sufficient space in the connections table. If the connections table limit is reached, the connection is recorded only if it satisfies both of these conditions:
- The current number of connections is below the sum of the connections table limit and the reserved connections limit.
- The connection matches one of the rules in the reserved connections table.
If not, the connection is not recorded.
In VSX, Reserved Connections are supported for VS0 only.
Syntax
# asg_reserved_conns
Please choose one of the following:
-----------------------------------
1) Print reserved connections table
2) Add new reserved connection rule
3) Delete reserved connection rule
4) Exit
>
To show the reserved connections table:
Enter: 1
Output
Idx Source Mask Destination Mask DPort Ipp Interface
--- --------------- ---- --------------- ---- ----- ----- ------------
1) 0.0.0.0 0 0.0.0.0 0 1129 6 Sync
2) 0.0.0.0 0 0.0.0.0 0 1130 6 Sync
3) 0.0.0.0 0 0.0.0.0 0 4444 6 Sync
4) 0.0.0.0 0 0.0.0.0 0 22 6 Sync
5) 0.0.0.0 0 0.0.0.0 0 8888 6 Sync
6) 0.0.0.0 0 0.0.0.0 0 2010 6 Sync
7) 0.0.0.0 0 0.0.0.0 0 1131 6 Sync
8) 0.0.0.0 0 0.0.0.0 0 1132 6 Sync
9) 0.0.0.0 0 0.0.0.0 0 256 6 Sync
10) 0.0.0.0 0 0.0.0.0 0 0 1 Sync
11) 0.0.0.0 0 0.0.0.0 0 8116 17 Sync
12) 0.0.0.0 0 0.0.0.0 0 0 1 eth1-CIN
13) 0.0.0.0 0 0.0.0.0 0 22 6 eth1-CIN
14) 0.0.0.0 0 0.0.0.0 0 23 6 eth1-CIN
15) 0.0.0.0 0 0.0.0.0 0 161 17 eth1-CIN
16) 0.0.0.0 0 0.0.0.0 0 623 17 eth1-CIN
17) 0.0.0.0 0 0.0.0.0 0 0 1 eth2-CIN
18) 0.0.0.0 0 0.0.0.0 0 22 6 eth2-CIN
19) 0.0.0.0 0 0.0.0.0 0 23 6 eth2-CIN
20) 0.0.0.0 0 0.0.0.0 0 161 17 eth2-CIN
21) 0.0.0.0 0 0.0.0.0 0 623 17 eth2-CIN
22) 0.0.0.0 0 0.0.0.0 0 22 6 Any
23) 0.0.0.0 0 0.0.0.0 0 256 6 Any
24) 0.0.0.0 0 0.0.0.0 0 18191 6 Any
25) 0.0.0.0 0 0.0.0.0 0 18192 6 Any
Press enter to continue
Field       | Description
----------- | -----------
Idx         | Rule number
Source      | Source IP. If the IP is 0.0.0.0, all IPs are allowed.
Mask        | Subnet mask for the Source
Destination | Destination IP. If the IP is 0.0.0.0, all IPs are allowed.
Mask        | Subnet mask for the Destination
DPort       | TCP/UDP Port. This is ignored with non-TCP/UDP traffic.
Ipp         | IP protocol number
Interface   | Interface for this rule
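The admission check described under "Enforcing the reserved connections limit" and the rule fields in the table above can be modelled in a few lines. The following is an added example written for this page, not Check Point code: it parses a handful of rows copied from the printed reserved connections table, applies the field semantics the page states (0.0.0.0 with mask length 0 matches every IP, the port is ignored for non-TCP/UDP traffic, interface "Any" matches every interface), and runs a tiny connections table with a limit of 3 and 2 reserved slots to show which connections are still recorded once the table is full. Treating destination port 0 in a rule as "any port" is an assumption; the page does not state it. The limit and reserved-slot values and the connection tuples are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: four rows copied from the "Print reserved connections
# table" output on this page, header lines included so the parser skips them.
SAMPLE_TABLE = """\
Idx Source Mask Destination Mask DPort Ipp Interface
--- --------------- ---- --------------- ---- ----- ----- ------------
4) 0.0.0.0 0 0.0.0.0 0 22 6 Sync
10) 0.0.0.0 0 0.0.0.0 0 0 1 Sync
15) 0.0.0.0 0 0.0.0.0 0 161 17 eth1-CIN
22) 0.0.0.0 0 0.0.0.0 0 22 6 Any
"""

TCP, UDP = 6, 17

# A connection attempt: (source IP, destination IP, destination port, IP protocol, interface)
Conn = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class ReservedRule:
    idx: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int
    ipp: int
    interface: str

    def matches(self, conn: Conn) -> bool:
        src, dst, dport, ipp, iface = conn
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        if ipp != self.ipp:
            return False
        # Port is only compared for TCP/UDP (page); port 0 = any port (assumption).
        if ipp in (TCP, UDP) and self.dport != 0 and dport != self.dport:
            return False
        return self.interface == "Any" or self.interface == iface


def parse_reserved_table(text: str) -> List[ReservedRule]:
    """Turn printed rows into rules. 0.0.0.0 with mask length 0 becomes
    0.0.0.0/0, which contains every IPv4 address."""
    rules: List[ReservedRule] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[0].endswith(")"):
            continue  # header or separator line
        idx, src, smask, dst, dmask, dport, ipp, iface = parts
        rules.append(ReservedRule(
            idx=int(idx[:-1]),
            src=ipaddress.ip_network(f"{src}/{smask}", strict=False),
            dst=ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
            dport=int(dport), ipp=int(ipp), interface=iface))
    return rules


class ConnectionTable:
    """Below the limit everything is recorded; once the limit is reached only
    connections matching a reserved rule are recorded, and only while the
    total stays below limit + reserved_limit."""

    def __init__(self, limit: int, reserved_limit: int, rules: List[ReservedRule]):
        self.limit = limit
        self.reserved_limit = reserved_limit
        self.rules = rules
        self.entries: List[Conn] = []

    def matching_rule(self, conn: Conn) -> Optional[ReservedRule]:
        return next((r for r in self.rules if r.matches(conn)), None)

    def try_record(self, conn: Conn) -> bool:
        if len(self.entries) < self.limit:
            self.entries.append(conn)
            return True
        within_reserved = len(self.entries) < self.limit + self.reserved_limit
        if within_reserved and self.matching_rule(conn) is not None:
            self.entries.append(conn)
            return True
        return False


def run_scenario() -> List[bool]:
    """Constructed scenario: limit 3, 2 reserved slots, eight attempts."""
    table = ConnectionTable(3, 2, parse_reserved_table(SAMPLE_TABLE))
    attempts: List[Conn] = [
        ("192.0.2.10", "198.51.100.1", 443, TCP, "eth1-01"),  # ordinary, recorded
        ("192.0.2.11", "198.51.100.1", 443, TCP, "eth1-01"),  # ordinary, recorded
        ("192.0.2.12", "198.51.100.1", 443, TCP, "eth1-01"),  # ordinary, table now full
        ("192.0.2.13", "198.51.100.1", 80, TCP, "eth1-01"),   # ordinary, rejected
        ("192.0.2.20", "192.0.2.1", 161, UDP, "eth2-CIN"),    # rule 15 is eth1-CIN only: rejected
        ("192.0.2.20", "192.0.2.1", 22, TCP, "Sync"),         # SSH over Sync, rule 4: recorded
        ("192.0.2.20", "192.0.2.1", 0, 1, "Sync"),            # ICMP over Sync, rule 10: recorded
        ("192.0.2.21", "192.0.2.1", 22, TCP, "eth1-01"),      # rule 22 matches, reserved space used up
    ]
    return [table.try_record(c) for c in attempts]


if __name__ == "__main__":
    for ok in run_scenario():
        print("recorded" if ok else "rejected")
```

The scenario shows the two points worth checking on a real gateway: a connection that matches no reserved rule is rejected as soon as the table is full, and a matching one is rejected too once the reserved slots are themselves exhausted, which is why the size of fwconn_reserved_limit matters.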
To add a reserved connection rule:
- Enter: 2
- Follow the directions on the screen.
Enter source IP [0.0.0.0]:
>10.10.10.10
Enter source IP mask length [0]:
>24
Enter destination IP [0.0.0.0]:
>20.20.20.0
Enter destination IP mask length [0]:
>24
Enter destination port [0]:
>0
Enter IP protocol number (for example: tcp = 6, udp = 17):
>6
Enter interface number [0 = Any]:
0: Any
1: eth1-Mgmt4
2: eth2-Mgmt4
3: BPEth0
4: BPEth1
5: eth1-Mgmt1
6: eth1-CIN
7: eth1-01
8: eth2-Mgmt1
9: eth2-CIN
10: eth2-01
11: Sync
>0
OK to insert new reserved conn rule: <10.10.10.10/24, 20.20.20.0/24, 0, 6, Any> ? (y/n)
>y
entry inserted, rule will apply when new connection will be opened
Press enter to continue
To make sure the feature is configured correctly:
- Make sure the value of the kernel global parameter fwconn_reserved_conn_active is set to: 1
- Run asg_reserved_conns and enter: 1
- Run fw tab -t reserved_conns_table and make sure that the table contains the entries for the rules above.
- Make sure the contents of $FWDIR/bin/reserved_conns_table has rules of this feature.
To debug the feature:
- Set the kernel global parameter fwreserved_conns_debug to: 1
- Use the CONN kernel debug flag to see reserved connections related debugs.
To troubleshoot the feature:
- Run:
# fw tab -t reserved_conns_table
- Make sure that the table contains the entries for the rules in this feature.
- Make sure the contents of $FWDIR/bin/reserved_conns_table has rules of this feature.
Important - Do not make changes to this file.
- Delete all current rules from the kernel and reload the rules from $FWDIR/bin/reserved_conns_table:
# asg_reserved_conns -f
This is useful if there were changes in network interface names or if $FWDIR/bin/reserved_conns_table was edited directly.
Configuration
The feature works after installation without additional configuration.
The rules are stored in:
$FWDIR/bin/reserved_conns_table
The feature uses these kernel global variables:
Variable                    | Description
--------------------------- | -----------
fwconn_reserved_conn_active | Enables or disables the feature. Valid values: 1 - Enabled; any other integer - Disabled
fwconn_reserved_limit       | Maximum allowed number of entries in $FWDIR/bin/reserved_conns_table. Default: 2000