Conservative Firewall Filling State Table (812000 Max)
-
Hi there,
I am running two 7100s in HA at our office using 2.4.5p1 (still a little uncomfortable upgrading my complex installations to 21.02). These guys have been in place for over a year now, and we have them on Conservative for our VoIP phones.
Today, Zabbix started reporting max state table usage on the devices. Further investigation revealed that many connected devices were taking up huge numbers of state allocations (over 10k apiece, some as high as 116k) and nothing had been changed.
The only way I found to mitigate the issue so far is to swap from Conservative to Normal, which immediately resolves it.
I have never seen this before, or an issue like it, and none of my other, similar installations are experiencing it. Any thoughts on the matter would be appreciated.
-
That's part of the nature of conservative mode -- states will pile up more. If some client behavior changes and makes the clients open more states, then they'll hang out longer.
What you could do is keep the router itself on normal mode and set up custom state timeout rules that match the VoIP traffic and set different state timeouts just for it, perhaps only for VoIP/RTP traffic for example. Narrow down the longer state lifetimes as much as possible.
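What that advice looks like in raw pf syntax, as an added illustration that is not from either poster and not pfSense's generated ruleset: the whole-box optimization stays on normal, and only the phones' SIP and RTP rules carry longer UDP state timeouts. The WAN interface name, the phone subnet, the SIP/RTP ports and the timeout values are all assumed for the example.

```pf
# Added example (not from the thread). Raw pf.conf syntax showing the
# mechanism behind "normal mode plus per-rule timeouts for VoIP".
# pfSense generates rules of this shape from the GUI; this does not
# claim any particular GUI field names.
# Assumed values: WAN interface em0, phone subnet 10.0.1.0/24,
# SIP on UDP 5060, RTP on UDP 10000-20000, and the timeout numbers.

# Whole-box setting the poster was running: every state on the box,
# not just VoIP, gets the long conservative timeouts, so idle clients
# that open many connections hold their states far longer.
# set optimization conservative

# Keep the box on the normal timeout profile instead.
set optimization normal

wan = "em0"
table <voip_phones> { 10.0.1.0/24 }

# SIP signalling from the phones only: longer UDP timeouts so
# registrations and NAT bindings survive quiet periods.
# udp.first    - after the first packet of a new state
# udp.single   - traffic seen in one direction only
# udp.multiple - traffic seen in both directions
pass out quick on $wan proto udp from <voip_phones> to any port 5060 \
    keep state (udp.first 300, udp.single 150, udp.multiple 900)

# RTP media: above the normal defaults, but shorter than signalling,
# since a call that stops sending media has usually ended.
pass out quick on $wan proto udp from <voip_phones> to any port 10000:20000 \
    keep state (udp.first 120, udp.single 60, udp.multiple 300)

# Everything else keeps the normal-profile defaults.
pass out on $wan inet keep state
```

For scale, pf's normal profile uses udp.first 60, udp.single 30 and udp.multiple 60 seconds, so the SIP rule above holds an idle bidirectional state fifteen times longer than an ordinary UDP flow would get, while a chatty non-VoIP client still ages out at the normal rate. After applying, `pfctl -st` shows the active global timeouts and `pfctl -si` the current state count, which is the number the poster's Zabbix check was tripping on.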