Blocking New Connections Under Load

Important - This section applies only to ClusterXL Load Sharing modes.

ClusterXL: Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to the amount of Delta Sync traffic.

Load Sharing: A redundant cluster mode, where all Cluster Members process all incoming traffic in parallel. For more information, see "Load Sharing Multicast Mode" and "Load Sharing Unicast Mode". Synonyms: Active/Active, Load Balancing mode. Acronym: LS.

The reason for blocking new connections is that new connections are the main source of new Delta Synchronization traffic. Delta Synchronization may be at risk if new traffic continues to be processed at a high rate.

A related error message in cluster logs (a cluster is two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing) and in the /var/log/messages file is:

State synchronization is in risk

Reducing the amount of traffic passing through the Cluster Member (a Security Gateway that is part of a cluster) protects the Delta Synchronization mechanism. See sk43896: Blocking New Connections Under Load in ClusterXL.
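Since the "State synchronization is in risk" message is the earliest visible sign that Delta Synchronization is falling behind, it is worth watching for on every Cluster Member. The following is an added example (not Check Point code) that scans /var/log/messages-style text for that message and counts occurrences per member, so a monitoring job can raise an alert before connections start being blocked. The sample log lines are constructed, and the syslog layout and the "[fw4_N];FW-1:" instance prefix are assumptions about the log format, not taken from the page.

```python
import re

# Constructed sample lines in /var/log/messages style (not a real capture).
# Only the substring "State synchronization is in risk" comes from the page;
# timestamps, host names and the [fw4_N] instance tag are assumed formats.
SAMPLE_MESSAGES = """\
Mar  3 09:12:41 gw-member-1 kernel: [fw4_0];FW-1: State synchronization is in risk
Mar  3 09:12:41 gw-member-1 kernel: [fw4_0];FW-1: sync: routine message
Mar  3 09:12:43 gw-member-1 kernel: [fw4_2];FW-1: State synchronization is in risk
Mar  3 09:13:10 gw-member-1 sshd[2210]: Accepted publickey for admin from 192.0.2.10 port 50123
Mar  3 09:15:02 gw-member-2 kernel: [fw4_1];FW-1: State synchronization is in risk
"""

# Syslog timestamp, host, the kernel facility, an optional instance tag,
# then the message text we care about anywhere later on the line.
SYNC_RISK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: "
    r"(?:\[(?P<instance>fw4_\d+)\];)?"   # instance tag, if present (assumed format)
    r".*State synchronization is in risk"
)


def find_sync_risk_events(text):
    """Return one dict (timestamp, host, instance) per sync-at-risk line."""
    events = []
    for line in text.splitlines():
        m = SYNC_RISK_RE.match(line)
        if m:
            events.append({
                "ts": m.group("ts"),
                "host": m.group("host"),
                "instance": m.group("instance") or "unknown",
            })
    return events


def events_per_host(events):
    """Count sync-at-risk messages per Cluster Member host name."""
    counts = {}
    for e in events:
        counts[e["host"]] = counts.get(e["host"], 0) + 1
    return counts


def hosts_over_threshold(events, threshold=2):
    """Hosts whose sync-at-risk count reaches the alert threshold, sorted."""
    return sorted(h for h, n in events_per_host(events).items() if n >= threshold)


if __name__ == "__main__":
    found = find_sync_risk_events(SAMPLE_MESSAGES)
    for e in found:
        print(f"{e['ts']} {e['host']} ({e['instance']}): sync at risk")
    print("members to investigate:", hosts_over_threshold(found))
```

In practice the text would come from reading /var/log/messages (or from a log collector), and the threshold would be tuned to how often the message appears during normal peaks on your cluster; a member that reports it repeatedly is the one whose traffic load or sync network needs attention.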

These kernel parameters let you control how Cluster Members behave. Each kernel parameter is listed below with its description:

fw_sync_block_new_conns

Controls how Cluster Members detect heavy loads and whether they start blocking new connections.

Load is considered heavy when the synchronization transmit queue of the Cluster Member starts to fill beyond the value of the kernel parameter "fw_sync_buffer_threshold".

  • To enable blocking new connections under load, set the value of the "fw_sync_block_new_conns" to 0.

  • To disable blocking new connections under load, set the value of the "fw_sync_block_new_conns" to -1 (must use the hex value 0xFFFFFFFF). This is the default.

Note - Blocking new connections when sync is busy is only recommended for ClusterXL Load Sharing deployments. While it is possible to block new connections in ClusterXL High Availability mode, doing so does not solve inconsistencies in sync, because the High Availability mode prevents that from happening.

High Availability: A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while the other Cluster Members (Standby members) are ready to be promoted to the Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With the physical MAC Address of the Active member, (2) With a virtual MAC Address. Synonym: Active/Standby. Acronym: HA.

fw_sync_buffer_threshold

Configures the maximum percentage of the buffer that may be filled before new connections are blocked (see the parameter "fw_sync_block_new_conns" above).

The default percentage value is 80, with a buffer size of 512.

By default, if more than 410 consecutive packets are sent without getting an ACK on any one of them, new connections are dropped.

fw_sync_allowed_protocols

Determines the type of connections that can be opened while the system is in a blocking state.

This gives you better control over the system behavior in cases of unusual load.

The value of this kernel parameter is a combination of flags, each specifying a different type of connection. The required value is the result of adding the separate values of these flags.

Summary table:

Flag                    Value
ICMP_CONN_ALLOWED       1
TCP_CONN_ALLOWED        2 (except for data connections)
UDP_CONN_ALLOWED        4 (except for data connections)
TCP_DATA_CONN_ALLOWED   8 (the control connection should be established or allowed)
UDP_DATA_CONN_ALLOWED   16 (the control connection should be established or allowed)

The default value is 24, which is the sum of "TCP_DATA_CONN_ALLOWED" (value 8) and "UDP_DATA_CONN_ALLOWED" (value 16). This means that by default only TCP and UDP data connections can be opened under load.
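The three parameters are usually tuned together, and the flag arithmetic for fw_sync_allowed_protocols is easy to get wrong by hand. The following is an added example (not Check Point code) that computes and decodes the flag value, chooses the right representation for fw_sync_block_new_conns (0 to enable, the hex value 0xFFFFFFFF for -1 to disable), and renders the resulting settings as "fw ctl set int" commands and as "parameter=value" lines for $FWDIR/boot/modules/fwkern.conf. The command and file syntax are from general Check Point usage and are an assumption to verify against your release; the flag names and values come from the summary table above, and the threshold helper assumes the drop point is the threshold percentage of the buffer size, rounded.

```python
# Flag names and values from the fw_sync_allowed_protocols summary table.
ALLOWED_PROTOCOL_FLAGS = {
    "ICMP_CONN_ALLOWED": 1,
    "TCP_CONN_ALLOWED": 2,
    "UDP_CONN_ALLOWED": 4,
    "TCP_DATA_CONN_ALLOWED": 8,    # control connection must be established or allowed
    "UDP_DATA_CONN_ALLOWED": 16,   # control connection must be established or allowed
}
ALL_FLAG_BITS = sum(ALLOWED_PROTOCOL_FLAGS.values())   # 31: every defined flag set
DEFAULT_ALLOWED_PROTOCOLS = 24                         # TCP_DATA + UDP_DATA
DISABLE_BLOCKING_HEX = "0xFFFFFFFF"                    # -1 must be given as this hex value


def allowed_protocols_value(flag_names):
    """Sum the flags for the connection types allowed while blocking is active."""
    value = 0
    for name in flag_names:
        if name not in ALLOWED_PROTOCOL_FLAGS:
            raise ValueError(f"unknown fw_sync_allowed_protocols flag: {name}")
        value |= ALLOWED_PROTOCOL_FLAGS[name]
    return value


def is_valid_allowed_protocols_value(value):
    """True if every set bit corresponds to a defined flag."""
    return 0 <= value and (value & ~ALL_FLAG_BITS) == 0


def decode_allowed_protocols(value):
    """Return the flag names present in a fw_sync_allowed_protocols value."""
    if not is_valid_allowed_protocols_value(value):
        raise ValueError(f"value {value} has bits outside the defined flags")
    return [name for name, bit in ALLOWED_PROTOCOL_FLAGS.items() if value & bit]


def block_new_conns_value(enable):
    """fw_sync_block_new_conns: 0 enables blocking, 0xFFFFFFFF (-1) disables it."""
    return "0" if enable else DISABLE_BLOCKING_HEX


def blocking_packet_threshold(percent=80, buffer_size=512):
    """Consecutive un-ACKed sync packets before new connections are dropped.
    Assumption: percent of the buffer size, rounded; defaults give 410."""
    if not 0 < percent <= 100:
        raise ValueError("fw_sync_buffer_threshold is a percentage")
    return round(buffer_size * percent / 100)


def load_sharing_blocking_profile(allow_flags=("TCP_DATA_CONN_ALLOWED",
                                               "UDP_DATA_CONN_ALLOWED"),
                                  threshold_percent=80):
    """Parameter set for a Load Sharing cluster that blocks new connections under load."""
    return {
        "fw_sync_block_new_conns": block_new_conns_value(True),
        "fw_sync_buffer_threshold": str(threshold_percent),
        "fw_sync_allowed_protocols": str(allowed_protocols_value(allow_flags)),
    }


def kernel_param_commands(params):
    """Render runtime 'fw ctl set int' commands and persistent fwkern.conf lines.
    Assumed syntax; confirm against your Check Point release before applying."""
    runtime = [f"fw ctl set int {name} {value}" for name, value in params.items()]
    persistent = [f"{name}={value}" for name, value in params.items()]
    return runtime, persistent


if __name__ == "__main__":
    profile = load_sharing_blocking_profile()
    runtime, persistent = kernel_param_commands(profile)
    print("# run on each Cluster Member (non-persistent):")
    print("\n".join(runtime))
    print("# add to $FWDIR/boot/modules/fwkern.conf (persistent):")
    print("\n".join(persistent))
    print("default flags:", decode_allowed_protocols(DEFAULT_ALLOWED_PROTOCOLS))
    print("drop after", blocking_packet_threshold(), "un-ACKed packets")
```

Keeping the flag sum in code rather than in a ticket makes a later review unambiguous: decoding the live value with decode_allowed_protocols shows exactly which connection types a member will still accept under load, and the validator rejects a value with stray bits before it reaches fwkern.conf.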