2007-01-16
melipla
Re: Firewall Locks up during DNS service restart

Hi,

Looking over some of the SKs about SLINK and I see there's a difference between "connections" and "symbolic links" [aka SLINK] to connections, ripped from Solution ID: #skI4140:
---
The connections table in VPN-1/FireWall-1 NG includes two types of entries:

1. A real connection entry used to store connection related information.
2. Connection symbolic link used to point to a real entry.
The reason for having two types of connection table entries is to help the FireWall-1 kernel locate a specific entry in the table with a single lookup.
---

To see the number of slink connections you have (taken from #skI4134):
---
Symbolic links are not included (counted) as entries in the Connections table. A size limit of 25,000 for the Connections table means that the table can hold 25000 "real" connections, plus up to 8 symbolic links per connection.

To view the number of symbolic links entries run:
fw tab -s

The SLINK field contains the number of symbolic links for each table.
---

Having said that there's some instructions for increasing that number in #skI3300, or there's another solution, #sk21384:
---
Error: "h_slink: table is full"
Solution ID: #sk21384

Product: VPN-1 Pro (VPN-1/FW-1)
Version: NG
Last Modified: 13-May-2005
Symptoms

* connections table SLINKS is at 200000
* FireWall starts dropping new connections
* UDP out of state messages

Cause
For each real connection table entry 8 symbolic links (SLINKS) will be added; the error message will appear when an attempt is made to add new entries but the SLINK entries for the table are full.
Solution
Procedure:

1. Check all UDP services to see if, within the Advanced UDP Service Properties, "Accept replies from any port" is selected. The only UDP service for which this option is selected by default is tftp; deselect this option for all other UDP services.

2. From within Global Properties, Stateful Inspection, Stateful UDP section, deselect the option "Accept stateful UDP replies from any port for unknown services" and reinstall the Security Policy.
Applies To:

* FP3
* OS messages file
* Majority of traffic is DNS
---

The only question I have is, you must be getting a lot of DNS requests. Maybe you should load balance a little bit?
__________________
It's all in the documentation.
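As an added illustration (not part of the post above, and not a Check Point tool), here is a small Python check that parses `fw tab -s` output and compares the SLINK count of each table against the figures quoted from the SKs: up to 8 symbolic links per real connection, and the 200000 SLINK level at which sk21384 says the firewall starts dropping connections. The column layout `HOST NAME ID #VALS #PEAK #SLINKS` and the sample output are assumptions constructed for the example.

```python
"""Flag FireWall-1 tables whose SLINK usage is close to exhaustion."""
from dataclasses import dataclass

# Constructed sample of `fw tab -s` output; the column layout is an assumption.
SAMPLE_FW_TAB_S = """\
HOST                  NAME                         ID #VALS #PEAK #SLINKS
localhost             connections                8158 21500 24010  190400
localhost             host_table                    0    12    15       0
"""

SLINKS_PER_CONN = 8    # sk21384: 8 symbolic links are added per real entry
SLINK_LIMIT = 200000   # SLINK level quoted in the sk21384 symptoms
WARN_RATIO = 0.9       # warn at 90% of the limit (arbitrary threshold)


@dataclass
class TableStats:
    name: str
    vals: int
    peak: int
    slinks: int


def parse_fw_tab_s(text):
    """Return one TableStats per data row, skipping the header line."""
    tables = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has 6 columns and a numeric table ID in column 3.
        if len(fields) < 6 or not fields[2].isdigit():
            continue
        tables.append(TableStats(fields[1], int(fields[3]),
                                 int(fields[4]), int(fields[5])))
    return tables


def slink_report(stats, limit=SLINK_LIMIT, warn_ratio=WARN_RATIO):
    """Describe how close one table is to running out of SLINKs."""
    usage = stats.slinks / limit
    per_conn = stats.slinks / stats.vals if stats.vals else 0.0
    return {
        "table": stats.name,
        "slink_usage": round(usage, 3),          # fraction of SLINK_LIMIT used
        "slinks_per_conn": round(per_conn, 2),   # > 8 means more than the SK expects
        "warn": usage >= warn_ratio or per_conn > SLINKS_PER_CONN,
    }


def tables_to_check(text):
    """Names of tables whose SLINK usage warrants a look at the UDP settings."""
    return [r["table"] for r in map(slink_report, parse_fw_tab_s(text)) if r["warn"]]


if __name__ == "__main__":
    for t in parse_fw_tab_s(SAMPLE_FW_TAB_S):
        print(slink_report(t))
```

On a real gateway you would feed it the output of `fw tab -s` instead of the constructed sample; a table that trips the warning is a cue to review the "Accept replies from any port" settings described in the SK.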