View active connections via CLI on R62

[mark.edwards]

Is there a way to view the active connections on R62 that won't utilize 100% of the CPU as SmartView Tracker does, maybe via the CLI?
Trying to troubleshoot a high number of concurrent connections that might be related to a high number of 'out of state' packets that I see on SmartView Tracker.
Have increased the connection limit to 40 000 but it has not made a difference. SmartView Monitor consistently showing 39 900 connections.

[melipla]

Display connections:
fw tab -t connections
Display connections summary:
fw tab -t connections -s

I would probably suggest a different approach:

fw monitor -e "accept;" -o connections.cap

And then use Wireshark to examine the connections.cap. If your current connections is @ 39,900 that means you've hit the limit of your connection pool. As 40,000 connections isn't that many, I would suggest increasing to 80,000. Decent sized hardware should be able to keep up...unless you hit that Active tab on Smartview Tracker, then all bets are off.

[anibal99]

i have the same problem, i usually have about 7000-8000 cxs, but sudenly the number of cxs increase until 30000, i want to know what cxs are doing this increasing.

if i type:

#fw tab -t connections -u

i do not understand the out:

<00000001, 0a020152, 0000e437, c34dbcb2, 00000050, 00000006> -> <00000000, 0a020152, 0000e437, c34dbcb2, 00000050, 00000006> (00000002)
<00000000, ac140c27, 000008ab, 0a020156, 00000548, 00000006; 0001e001, 00046100, 0000001d, 000001c5, 00000000, 4a113b71, 00000028, ....

how i can see the connections table but i want see the source ip and the destination ip?

if i type:

#fw tab -t connections -s:

HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 7391 32333 26443

what is the meaning of: ID, VALS, PEAK and SLINKS?

thanks.

[Thorpuse]

SmartView Monitor is the way to go here, some good use of filtering should help here. Don't use Tracker and the Active Tab....

[northlandboy]

Quote:

Originally Posted by anibal99

if i type:

#fw tab -t connections -u

i do not understand the out:

<00000001, 0a020152, 0000e437, c34dbcb2, 00000050, 00000006> -> <00000000, 0a020152, 0000e437, c34dbcb2, 00000050, 00000006> (00000002)
<00000000, ac140c27, 000008ab, 0a020156, 00000548, 00000006; 0001e001, 00046100, 0000001d, 000001c5, 00000000, 4a113b71, 00000028, ....

how i can see the connections table but i want see the source ip and the destination ip?

Add the -f flag to format the output. Those addresses in there are in hex, which you can convert yourself. I once wrote a script to do all the conversions for me, before realising I could just add -f, and it would format the table nicely for me.

Quote:

Originally Posted by anibal99

if i type:

#fw tab -t connections -s:

HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 7391 32333 26443

what is the meaning of: ID, VALS, PEAK and SLINKS?

thanks.

VALS is the current number of concurrent connections
PEAK is the highest number recorded since the Check Point processes were last restarted.