sporkme (Premium, MVM; joined 2000-07-01; Budd Lake, NJ), in reply to MattE, Re: [H/W] Cisco pfSense Replacement?
While you're waiting on the replacement, bump up the state table and make sure you're running the latest 1.2 release (System->Advanced->Firewall Maximum States).
How many state entries are you peaking at now?
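An added example (not from the thread, and not pfSense's own code) of how to answer sporkme's question from the firewall shell rather than the GUI: `pfctl -si` reports the current number of state entries and `pfctl -sm` the states hard limit, which pfSense sets from the Maximum States field (pf's `set limit states`). The two sample outputs below are constructed in pfctl's format, not captured from MattE's firewall; the 300-connections-per-login fan-out is the figure discussed in this thread.

```python
"""Read state-table usage from pfctl output and estimate headroom."""
import re
import subprocess

# Constructed sample output in the format pfctl prints (not from the poster's
# firewall); the numbers are chosen to match the thread (450 states, 10000 limit).
SAMPLE_PFCTL_SI = """\
Status: Enabled for 0 days 04:12:07           Debug: Urgent

State Table                          Total             Rate
  current entries                      450
  searches                         1843210           121.9/s
  inserts                            98213             6.5/s
  removals                           97763             6.5/s
"""

SAMPLE_PFCTL_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000
"""


def current_states(si_output):
    """Number of live state entries from `pfctl -si` text."""
    m = re.search(r"^\s*current entries\s+(\d+)", si_output, re.M)
    if not m:
        raise ValueError("no 'current entries' line in pfctl -si output")
    return int(m.group(1))


def state_limit(sm_output):
    """Configured states hard limit from `pfctl -sm` text."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", sm_output, re.M)
    if not m:
        raise ValueError("no 'states hard limit' line in pfctl -sm output")
    return int(m.group(1))


def headroom(si_output, sm_output, per_event_states=300, warn_at=0.8):
    """Return (used, limit, utilisation, events_until_full, warning).

    events_until_full is how many more bursts of per_event_states new states
    (one client login in this thread) fit before the table is exhausted and pf
    starts dropping new connections; warning is set once utilisation >= warn_at.
    """
    used = current_states(si_output)
    limit = state_limit(sm_output)
    util = used / limit
    events = max(0, (limit - used) // per_event_states)
    return used, limit, util, events, util >= warn_at


def live_headroom(**kwargs):
    """Same check against the running firewall; requires pfctl on PATH."""
    si = subprocess.run(["pfctl", "-si"], capture_output=True, text=True, check=True).stdout
    sm = subprocess.run(["pfctl", "-sm"], capture_output=True, text=True, check=True).stdout
    return headroom(si, sm, **kwargs)


if __name__ == "__main__":
    used, limit, util, events, warn = headroom(SAMPLE_PFCTL_SI, SAMPLE_PFCTL_SM)
    print(f"{used}/{limit} states ({util:.1%}), room for {events} more 300-state bursts"
          + (", WARNING: near limit" if warn else ""))
```

Run `live_headroom()` from a cron job or the shell on the firewall itself to see the peak; if the warning ever trips, raising Maximum States (or adding `set limit states 50000` in pf terms) is the short-term fix sporkme suggests, and watching the events-until-full figure across a few logins will show whether the 300-connection bursts are really landing in the state table.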
MattE (Premium; joined 2003-07-20; Jamestown, NC)
said by sporkme: While you're waiting on the replacement, bump up the state table and make sure you're running the latest 1.2 release (System->Advanced->Firewall Maximum States). How many state entries are you peaking at now?
Nowhere near the 10000 limit. I've never seen it higher than 800 states, with 2-4% CPU usage and like 4% memory.
And yep, this is the latest 1.2 release. It was just installed 2 months ago or so.
sporkme (Premium, MVM; joined 2000-07-01; Budd Lake, NJ)
said by MattE: Nowhere near the 10000 limit. I've never seen it higher than 800 states, with 2-4% CPU usage and like 4% memory.
Something is amiss then if every client login causes 300 outbound connections and you don't peak over 800 states. Just a handful of logins should bring you near the 10K default max; the state entries linger a bit.
It certainly wouldn't hurt to bump that up to 50K or so to see what happens while you wait on the new hardware.
MattE (Premium; joined 2003-07-20; Jamestown, NC)
said by sporkme:
  said by MattE: Nowhere near the 10000 limit. I've never seen it higher than 800 states, with 2-4% CPU usage and like 4% memory.
  Something is amiss then if every client login causes 300 outbound connections and you don't peak over 800 states. Just a handful of logins should bring you near the 10K default max; the state entries linger a bit. It certainly wouldn't hurt to bump that up to 50K or so to see what happens while you wait on the new hardware.
It actually happened again today. I'm talking with our developer now and it appears there is "retry logic" in the code that retries in a 5-batch loop, INDEFINITELY, if there is any sort of error. I think that is triggering the outbound issue.
I was on the FW when it happened today and the states were hovering around 450; then the firewall log went crazy blocking outbound connections to the same individual destination IP from 2 of our servers.
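The retry logic MattE's developer describes, retrying in batches of five indefinitely on any error, is the pattern that turns one unreachable destination into a stream of outbound connections that the firewall then logs and blocks. Below is an added example, not code from the thread or from MattE's application (whose language is not given), showing the bounded alternative in Python: a fixed retry budget with capped exponential backoff and jitter, plus a circuit breaker so that once a destination has failed a few times in a row no caller opens another connection to it until a cooldown passes. `FakeDestination`, `simulate_logins` and the injected clock are constructed stand-ins for the remote service and the client logins, so the block runs offline.

```python
"""Bounded retry plus circuit breaker, the fix for 'retry in batches of 5, forever'."""
import random
import time


class GiveUp(Exception):
    """Raised once the retry budget is exhausted."""


class CircuitOpen(Exception):
    """Raised when the breaker refuses to open another connection."""


def retry_with_backoff(op, max_attempts=5, base_delay=0.5, max_delay=8.0,
                       fatal=(CircuitOpen,), sleep=time.sleep, rng=random.random):
    """Call op() at most max_attempts times with capped exponential backoff.

    Returns (result, attempts_used). Exceptions in `fatal` propagate at once;
    anything else is retried until the budget is spent, then GiveUp is raised,
    so a dead destination costs at most max_attempts connections per caller.
    sleep and rng are injectable so tests do not have to wait.
    """
    last_exc = None
    for attempt in range(1, max_attempts + 1):
        try:
            return op(), attempt
        except fatal:
            raise
        except Exception as exc:
            last_exc = exc
            if attempt == max_attempts:
                break
            delay = min(max_delay, base_delay * 2 ** (attempt - 1))
            sleep(delay * (0.5 + rng()))  # jitter in [0.5x, 1.5x) spreads retries out
    raise GiveUp(f"gave up after {max_attempts} attempts: {last_exc!r}")


class CircuitBreaker:
    """Trips after `failure_threshold` consecutive failures; stays open for `cooldown` seconds."""

    def __init__(self, failure_threshold=3, cooldown=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.cooldown = cooldown
        self.clock = clock
        self.consecutive_failures = 0
        self.open_until = 0.0

    def call(self, op):
        now = self.clock()
        if now < self.open_until:
            raise CircuitOpen(f"destination quarantined for {self.open_until - now:.1f}s more")
        try:
            result = op()
        except Exception:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.failure_threshold:
                self.open_until = self.clock() + self.cooldown
            raise
        self.consecutive_failures = 0
        return result


class FakeDestination:
    """Constructed stand-in for the remote service: counts connection attempts
    and fails the first `failures` of them, then succeeds."""

    def __init__(self, failures):
        self.failures = failures
        self.connections = 0

    def connect(self):
        self.connections += 1
        if self.connections <= self.failures:
            raise ConnectionError("destination unreachable")
        return "ok"


def simulate_logins(logins, dest_failures, breaker_threshold=3):
    """Model `logins` client logins one second apart, each retrying the destination
    with the bounded policy above behind one shared breaker.
    Returns (connections_opened, logins_that_succeeded)."""
    dest = FakeDestination(dest_failures)
    clock = [0.0]  # constructed clock; no real time passes
    breaker = CircuitBreaker(breaker_threshold, cooldown=30.0, clock=lambda: clock[0])
    succeeded = 0
    for _ in range(logins):
        try:
            retry_with_backoff(lambda: breaker.call(dest.connect),
                               sleep=lambda s: None, rng=lambda: 0.5)
            succeeded += 1
        except (GiveUp, CircuitOpen):
            pass
        clock[0] += 1.0
    return dest.connections, succeeded


if __name__ == "__main__":
    print("10 logins, dead destination, retries only:", simulate_logins(10, 10**6, 10**9))
    print("10 logins, dead destination, with breaker:", simulate_logins(10, 10**6))
    print("1 login, destination recovers on 3rd try:", simulate_logins(1, 2))
```

With a dead destination, ten logins cost 50 outbound connections under bounded retry alone and only 3 with the breaker in front, versus an unbounded stream under the original loop; the breaker is what keeps the firewall log quiet, and the retry budget is what keeps a single caller from pinning the state table.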