F-Secure Internet Gatekeeper for Linux/Administrator’s Guide
Message
###ERROR### Maximum connections: warning: Client connections reached maximum
connections(maximum connections). More request will be blocked/rejected. If
there is many warnings, please increase 'Maximum Connections'
settings(pre_spawn value of fsigk.ini) of this service. (provisional value
will be good value as start line).
Description
Logged when the maximum number of client connections is reached. When the maximum number
of connections is reached, processing continues only after the number of connections is
decreased.
The backlog (the backlog argument of the Linux listen() system call) is set to 5 when the maximum
number of connections is reached. For this reason, up to 6 TCP connect requests can still become
“ESTABLISHED” normally when the maximum number of connections is reached; connect requests
beyond that limit are assigned the “SYN_RECV” connection status. Even for TCP connections that
Linux has responded to, processing does not continue while the maximum number of connections is reached.
You can check the maximum number of connections by looking at the Internal process ID
(“PROXY-STAT:[Service type]:[Internal process ID]:..”) in the access logs. Internal process
IDs (the identifier starts with 0) with smaller numbers have higher priority. Therefore,
([Internal process ID]+1) is the number of simultaneous connections at the time the
corresponding access started.
In addition, you can check the ESTABLISHED status of the corresponding port numbers with the
netstat command:
# netstat -anp | grep :9080 | grep ESTABLISHED | wc -l
(Port 9080 is used in the example)
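The netstat check above, as an added example that is not part of the F-Secure guide: a shell function that counts ESTABLISHED and SYN_RECV sockets whose local port is the service port, so lines where 9080 appears only as the remote port are not counted. The function names, the limit argument (assumed to be the service's 'Maximum Connections' value) and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise TCP states on the proxy's listening port.
# usage: netstat -an | conn_summary PORT MAX_CONNECTIONS
conn_summary() {
    port=$1
    limit=$2   # assumption: the 'Maximum Connections' (pre_spawn) value of the service
    awk -v port="$port" -v limit="$limit" '
        $1 ~ /^tcp/ {
            # Column 4 is the local address; compare only the part after the last colon
            n = split($4, a, ":")
            if (a[n] != port) next
            if ($6 == "ESTABLISHED") est++
            else if ($6 == "SYN_RECV") syn++
        }
        END {
            status = (est + 0 >= limit + 0) ? "AT_LIMIT" : "OK"
            printf "port=%s established=%d syn_recv=%d limit=%d status=%s\n",
                   port, est, syn, limit, status
        }'
}

# Constructed sample of `netstat -an` output (documentation address ranges).
# The last two lines have 9080 only as the remote port and must be ignored.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9080            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:9080         198.51.100.21:51514     ESTABLISHED
tcp        0      0 192.0.2.10:9080         198.51.100.22:40022     ESTABLISHED
tcp        0      0 192.0.2.10:9080         198.51.100.23:40100     ESTABLISHED
tcp        0      0 192.0.2.10:9080         198.51.100.24:40311     SYN_RECV
tcp        0      0 192.0.2.10:9080         198.51.100.25:40312     SYN_RECV
tcp        0      0 192.0.2.10:43210        203.0.113.80:9080       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:9080       ESTABLISHED
EOF
}

# Demo run on the constructed sample with a limit of 3 connections
sample_netstat | conn_summary 9080 3
```

A steady SYN_RECV count on the service port while the ESTABLISHED count sits at the limit matches the condition this log message describes.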
Solution
• Situation: only a small number of messages appear (for example, 1 error every hour), the
product appears to be working fine, and the number of increased connections can be
considered temporary.
Solution: you do not need to change any settings.
• Situation: the scan timeout value is set to 90 seconds by default. If it is disabled (set to 0) or
changed to a bigger value, scanning can take a long time for a specific file. This may cause the
number of connections to reach the maximum.
Solution: reset the timeout value to the default value of 90 seconds.
• Situation: if there is a network problem between the product and the server or client, the
number of connections may reach the maximum.
Solution: fix the network problem.
• Situation: if the above cases do not apply (several errors are logged, scan timeout value is not
changed, no network problems exist) and servers cannot be accessed, the number of
connections needed may be over the maximum value set.
Solution: increase the maximum number of connections as needed.
If the number of client connections that are needed cannot be determined, configure the
following provisional values to test the system. After testing the system, revise the settings if
needed. Usually, the maximum number of connections should be set to under 2000
connections.