Concurrent connection (CC) limitation without loading RAM


I have NGFW with IPFire installed. I am measuring the number of CC (Concurrent Connections). For some reason, the CC value is quite small, while the RAM remains unloaded.

Before testing our NGFW, I tested two devices (#1, #2) (Device under test / DUT) from a large vendor, on which their own OS is preinstalled. For the test, the Cisco TRex package was used. During testing, it was noted that concurrent connections load RAM. In the case of DUTs #1 and #2, it was possible to determine by the RAM load when they are overloaded. The obtained values had a slight deviation from the datasheets. In parallel with this, I was testing the number of new connections, the data obtained also slightly differed from the datasheets.

Testing DUT #3 with IPFire installed. Testing of new connections was similar to other devices, and comparable values were obtained. The problem occurred while testing CC. The DUT has a limitation of 260,000 concurrent connections, while RAM was loaded by only 4-5%. This value turned out to be several times less than that of DUTs #1 and #2. However, I repeat, those devices had RAM loading, while DUT #3 did not.

The question arose - is there somewhere a software limitation on the use of RAM? Or what could be the problem here? Thanks in advance for your answers.

DUT №3 parameters:
Processor: 4-core ARM Cortex 1.6 GHz
IPFire Version 2.23
Since the graph display functionality appeared only in 2.25 / Update 150, we had to manually install it into our 2.23 distribution kit.
During testing, I sent HTTP packets, without any enabled firewall functions, IDS / IPS


welcome to the IPFire community. :slight_smile:

Skimming through your detailed question, I stumbled across these lines:

Does this mean you are testing Core Update 150 (which is outdated)? If so, please run the test again using the latest Core Update, available here.

Thanks, and best regards,
Peter Müller


IPFire is a statefull firewall that uses connection tracking.
The conntrack table has 262144 entries on systems with more than 4GB Ram. (Linux kernel default)

ty to increase net.nf_conntrack_max

sysctl -w net.nf_conntrack_max=524288


The limitation was in it. Many thanks for your help!

1 Like