
Illumio Core 22.2 Administration Guide

Tuning the IPFilter State Table (AIX/Solaris)

Note

Illumio recommends that you upgrade the AIX ip-filter to the latest available version.

In versions 11.3 and earlier, you can tune the IPFilter state table for AIX and Solaris workloads. For Solaris versions before 11.4, you must tune the IPFilter state table. In version 11.4 and later, you must tune the packet filter instead.

About State Table Tuning

In most environments, the state table default values are sufficient to handle the number of network connections encountered by Solaris and AIX workloads. However, if your system has a very large number of network connections, you might need to tune the state table. You can do so either before or after VEN activation. Tuning the state table values persists through rebooting, restarting, and suspending the VEN.

By default, Solaris and AIX VENs are installed with the following state table values:

  • fr_statemax: 1,000,000

  • fr_statesize: 250,007

  • fr_state_maxbucket: 256

  • fr_tcpclosed: 120

Set a Custom IPFilter State Table Size
  1. Create the following file on your Solaris or AIX workload as root or the Illumio VEN user, ilo-ven.

    Note

    Create this file as the root user or the Illumio VEN user ilo-ven: /etc/default/illumio-agent.

    This file cannot be world-readable or -writeable.

  2. Add the following settings and values to the file. Do not include spaces in the settings or values.

    Each VEN file setting, the ipfilter setting it maps to, and its description:

    • IPFILTER_STATE_MAX=<value> (ipfilter setting: fr_statemax)
      Maximum number of network connections stored in the state table. You must also set IPFILTER_STATE_SIZE.

    • IPFILTER_STATE_SIZE=<value> (ipfilter setting: fr_statesize)
      Size of the hash table. Must be a prime number. You must also set IPFILTER_STATE_MAX.
      Recommended: Set the hash table size to 1/4 of the number in fr_statemax. This setting allows each hash bucket to contain about 4 states.

    • IPFILTER_STATE_MAXBUCKET=<value> (ipfilter setting: fr_state_maxbucket)
      Number of allowed hash collisions before the VEN starts dropping network connections.
      Recommended: Increase this value beyond the default value to avoid dropping network connections.

    • IPFILTER_TCPCLOSED=<value> (ipfilter setting: fr_tcpclosed)
      Option introduced and supported for Illumio Core 21.2.1 VEN and later.
      Supports NFS traffic so that the workload does not drop this traffic even when a rule exists in the PCE allowing it. The drop is caused by TCP port number reuse.

    Note

    If you set IPFILTER_STATE_MAX, you must also set IPFILTER_STATE_SIZE. If you add only one of these settings in the illumio-agent file, the VEN ignores the value and uses default values for both settings.

  3. This step depends on whether the VEN has been activated.

    • If the VEN has not yet been activated, skip this step.

    • If the VEN has been activated, restart the VEN by entering the following command:

      /opt/illumio_ven/illumio-ven-ctl restart

  4. Enter the following command to confirm the new values are configured for the state table:

    /usr/sbin/ipf -T fr_statemax,fr_statesize,fr_state_maxbucket

    The command output displays the values from the state table. In this example, the settings are still at the default values:

    fr_statemax min 0x1 max 0x7fffffff current 1000000
    fr_statesize min 0x1 max 0x7fffffff current 250007
    fr_state_maxbucket min 0x1 max 0x7fffffff current 256
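The following helper script is an added example, not part of this guide or of Illumio's VEN tooling. It writes a settings file that satisfies the constraints of step 2 (STATE_MAX and STATE_SIZE always set together, STATE_SIZE the smallest prime at or above one quarter of STATE_MAX, no spaces, file not world-readable or -writeable) and checks an existing file against those same constraints; the function names and the output-path parameter are assumptions, and the size rule reproduces the default pair 1,000,000 / 250,007 listed above.

```shell
#!/bin/sh
# Added example (not Illumio's tooling): build and check an illumio-agent
# settings file. The output path is a parameter so the result can be reviewed
# before it is installed as /etc/default/illumio-agent, e.g.:
#   write_illumio_agent_file /etc/default/illumio-agent 2000000 512

# Exit status 0 if $1 is prime; trial division is fast enough for these sizes.
is_prime() {
    n=$1; d=3
    [ "$n" -lt 2 ] && return 1
    [ "$n" -lt 4 ] && return 0
    [ $((n % 2)) -eq 0 ] && return 1
    while [ $((d * d)) -le "$n" ]; do
        [ $((n % d)) -eq 0 ] && return 1
        d=$((d + 2))
    done
    return 0
}

# Smallest prime >= statemax/4: about 4 states per hash bucket, and a prime
# hash size as fr_statesize requires. 1000000 -> 250007, the VEN default pair.
recommended_state_size() {
    n=$(( $1 / 4 ))
    while ! is_prime "$n"; do n=$((n + 1)); done
    echo "$n"
}

# $1 = output path, $2 = fr_statemax, $3 = fr_state_maxbucket. Always writes
# STATE_MAX and STATE_SIZE together (the VEN ignores either one alone) and
# creates the file under umask 077 so it is never world-readable or -writeable.
write_illumio_agent_file() {
    ( umask 077
      printf 'IPFILTER_STATE_MAX=%s\nIPFILTER_STATE_SIZE=%s\n' \
          "$2" "$(recommended_state_size "$2")" > "$1"
      printf 'IPFILTER_STATE_MAXBUCKET=%s\n' "$3" >> "$1" )
    chmod 600 "$1"
}

# Validate an existing file: no whitespace in any setting or value, MAX and
# SIZE present as a pair, SIZE prime, and no read/write bits for "other".
check_illumio_agent_file() {
    f=$1
    grep -q '[[:space:]]' "$f" && return 1
    max=$(sed -n 's/^IPFILTER_STATE_MAX=//p' "$f")
    size=$(sed -n 's/^IPFILTER_STATE_SIZE=//p' "$f")
    if [ -n "$max$size" ]; then
        [ -n "$max" ] && [ -n "$size" ] && is_prime "$size" || return 1
    fi
    [ "$(ls -ld "$f" | cut -c8-10)" = "---" ] || return 1
}
```

Run check_illumio_agent_file against /etc/default/illumio-agent before restarting the VEN; a non-zero exit means the VEN would fall back to the default values or the file permissions are too open.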