Freeing up more memory in the Firewall

Last modified on 18 Feb, 2021. Revision 6
Freeing up more memory in the Firewall when the available memory is starting to run low (below 100 MB).
Up to date for: 13.00.08
Supported since: 10.00.00
Status: OK

Problem:

There are several situations that can occur when the Firewall is running low on available memory.

Note: What counts as low can vary a bit depending on which functions/features are used in the Firewall, but overall having at least 100 MB of free RAM is recommended.

Solution:

There are several areas that can be adjusted to free up more memory, but the two biggest memory pre-allocations are made for Connections and IPsec tunnels. Connections and IPsec tunnels also interact with each other: the more connections you have configured, the higher the memory allocation for IPsec tunnels (the default is based on the license unless adjusted, see below).

Adjusting connections and IPsec tunnel max values

Let's say our license supports 512 000 connections and 500 IPsec tunnels, and we conclude that we would never need more than 128 000 connections and 100 IPsec tunnels. By default, cOS Core looks at the license and allocates memory based on it. These settings can be overridden by typing in a manual value.

By adjusting the above settings (based on preference) we free up more available memory, and we can then activate and use some of the more memory-consuming features without having to add more memory to the unit (if it is a Virtual Firewall). Alternatively, if a memory leak or other memory-related problem is encountered, freeing up more memory lengthens the time before the problem triggers and lowers the chance that it does. For instance, in the case of a memory leak, the need to reboot the Firewall once a week would instead become, e.g., once a month.

Important note 1: Making changes to Max Connections or IPsec Max Tunnels requires a system restart to take effect, because memory allocations for these functions/features are performed at system boot.

Important note 2: Making changes to Max Connections will cause all currently open connections to be torn down. This causes disruptions in the network, so it is recommended that this change be made outside office hours or during a planned maintenance window.
