
Huge difference between concurrent connections in dashboard and ssh shell

Hi all!

I am using Sophos UTM Home Edition v9.408 (which is free) with only about 10 users. The concurrent connections reach the 32k limit almost immediately. Checking in the SSH shell with "netstat -na | wc -l" shows only about 1.4k.

Please show me which one is right and, if it is actually 32k, how I can bring it down.

Any idea would be appreciated!



  • Hi, Truong, and welcome to the UTM Community!

    I wonder if this isn't just a broken PostgreSQL database.  The following command will delete the data in Reporting and graphs, but will not affect your log files:

    /etc/init.d/postgresql92 rebuild

    Did that fix the problem?  If not, does this mis-measurement have any effect on your use of the UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks very very much for your answer and your contribution to our community. I admire that.

    As I replied, this is right when compared with nf_conntrack. I fixed this by decreasing all timeout parameters by half:

    echo 5 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
    echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
    echo 86400 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
    echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
    echo 15 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack
    echo 150 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans
    echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
    echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
    echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent2
    echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait

    Thanks again, Bob!
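
As an added example (not part of the thread, and not Sophos code): a small POSIX shell script that summarizes a conntrack table dump by protocol and TCP state, together with the longest remaining timeout seen in each state. The sample table embedded in it is constructed (RFC 5737 test addresses), and the function and variable names are my own. It makes the gap in the figures above visible: "netstat -na" on the UTM lists only sockets the firewall host itself owns, whereas the conntrack table, which the reply above found to match the dashboard, also holds every forwarded flow, and an idle ESTABLISHED entry stays there for the full tcp_timeout_established (432000 s, five days, by default) after the endpoints have gone quiet.

```shell
#!/bin/sh
# Added example, not from the original thread: summarize a conntrack table
# (the source of the dashboard's concurrent-connection count) by protocol and
# TCP state, with the longest remaining timeout seen in each state.

# Constructed sample in /proc/net/nf_conntrack format (RFC 5737 test addresses).
# Field 5 is the seconds remaining before the entry expires; for tcp, field 6 is
# the connection state. UDP entries carry no state field.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=51234 dport=443 src=198.51.100.20 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 86399 ESTABLISHED src=192.168.1.11 dst=198.51.100.21 sport=40000 dport=80 src=198.51.100.21 dst=203.0.113.5 sport=80 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.1.12 dst=198.51.100.22 sport=40001 dport=80 src=198.51.100.22 dst=203.0.113.5 sport=80 dport=40001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 59 SYN_SENT src=192.168.1.13 dst=198.51.100.23 sport=40002 dport=443 [UNREPLIED] src=198.51.100.23 dst=203.0.113.5 sport=443 dport=40002 mark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.14 dst=198.51.100.24 sport=53000 dport=53 src=198.51.100.24 dst=203.0.113.5 sport=53 dport=53000 mark=0 use=2
ipv4     2 udp      17 171 src=192.168.1.15 dst=198.51.100.25 sport=53001 dport=53 src=198.51.100.25 dst=203.0.113.5 sport=53 dport=53001 [ASSURED] mark=0 use=2'

# summarize_conntrack: read conntrack lines on stdin and print one line per
# "<proto>/<state>" key: the key, the number of entries, and the largest
# remaining timeout in seconds. Sorted by count, highest first.
summarize_conntrack() {
    awk '
        $3 == "tcp" { key = "tcp/" $6 }
        $3 != "tcp" { key = $3 "/-" }
        { n[key]++; if ($5 + 0 > t[key]) t[key] = $5 + 0 }
        END { for (k in n) printf "%s %d %d\n", k, n[k], t[k] }
    ' | sort -k2,2nr -k1,1
}

# count_state: number of entries on stdin matching one key, e.g. count_state tcp/TIME_WAIT
count_state() {
    summarize_conntrack | awk -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) print 0 }'
}

# total_entries: number of flows in the table fed on stdin (the dashboard figure)
total_entries() {
    grep -c .
}

# live_check: on a real UTM, put the two figures side by side; elsewhere,
# fall back to the constructed sample so the script still runs.
live_check() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ] && [ -r /proc/net/nf_conntrack ]; then
        printf 'conntrack entries: %s (max %s)\n' \
            "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
            "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
        # netstat lists only sockets owned by the firewall host itself, not forwarded flows
        printf 'netstat -na lines: %s\n' "$(netstat -na 2>/dev/null | wc -l)"
        summarize_conntrack < /proc/net/nf_conntrack
    else
        echo 'no nf_conntrack here; summarizing the constructed sample' >&2
        printf '%s\n' "$SAMPLE_CONNTRACK" | summarize_conntrack
    fi
}

live_check
```

On a UTM shell, run it before and after changing the timeouts. The third column for tcp/ESTABLISHED tells you whether idle entries are still being held for the default 432000 s or for the shortened value; note that entries already in the table keep the timer they were created with, so the count only falls as those age out.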

  • Truong, I don't believe that these changes will survive a reboot.  You might want to use the following commands suggested by da_merlin to make persistent changes to packetfilter timeouts.

    The first one will show you what's in the configuration database that you manipulate with WebAdmin.  The second is an example of making changes to the configuration database.

    cc get packetfilter timeouts

    cc set packetfilter timeouts ip_conntrack_tcp_timeout_close 5

    Cheers - Bob
