What is causing my proxy server to slow down?

Article ID: 167263

Products

PacketShaper

Issue/Introduction

The policy flow limit, designed to limit SYN flood attacks, controls the rate of flows per host. Flows exceeding the rate are blocked from passing through the unit.

The limits are set to default values of 10,000 flows per minute on client hosts and 100,000 flows per minute on servers.

On a proxy server, the default client limit of 10,000 flows per minute can be exceeded, because every connection is initiated by the proxy server itself. PacketWise sees this as a DoS attack and limits the flows from that client.

Resolution

There are two ways to change the default flowlimit setting. (Note: this solution assumes the topology is Proxy--in--PacketShaper--out--WAN.)

Option 1
Increase the number of client flows per minute. In the CLI, use this command:

policy flowlimit none|

For example, if you want to increase the client limit to 20,000:

policy flowlimit outbound/default 20000 100000
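To pick a value for Option 1 from measurements rather than by guesswork, the following added example (not from PacketGuide or the product itself) counts new flows per initiating host per minute and shows why the proxy alone trips the client limit while the clients behind it do not. The fixed one-minute buckets, the `(timestamp, initiator_ip)` record format, the function names, the 1.5x headroom and the sample addresses are all assumptions made for illustration.

```python
from collections import Counter

CLIENT_LIMIT_FPM = 10_000    # default client limit stated in this article
SERVER_LIMIT_FPM = 100_000   # default server limit stated in this article
PROXY = "192.0.2.10"         # constructed proxy address (documentation range)


def peak_flows_per_minute(flows):
    """Return {initiator_ip: highest count of new flows in any one-minute bucket}."""
    buckets = Counter()
    for ts, ip in flows:
        buckets[(ip, int(ts) // 60)] += 1
    peaks = {}
    for (ip, _minute), count in buckets.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks


def hosts_over_limit(flows, limit=CLIENT_LIMIT_FPM):
    """Hosts whose peak flows per minute exceed the limit, with their peak."""
    return {ip: p for ip, p in peak_flows_per_minute(flows).items() if p > limit}


def suggested_client_limit(peak, headroom=1.5, step=1000):
    """Peak times headroom, rounded up to a multiple of step (assumed sizing rule)."""
    return int(-(-(peak * headroom) // step) * step)


def constructed_sample(via_proxy):
    """Constructed data: 300 clients, 50 new flows each per minute, for 3 minutes."""
    flows = []
    for minute in range(3):
        for c in range(300):
            src = PROXY if via_proxy else f"10.0.{c // 250}.{c % 250 + 1}"
            flows.extend((minute * 60 + k, src) for k in range(50))
    return flows


if __name__ == "__main__":
    # Without a proxy each client stays far below the limit.
    print("direct:", hosts_over_limit(constructed_sample(via_proxy=False)))
    # Behind a proxy the same load appears as one host initiating every flow.
    over = hosts_over_limit(constructed_sample(via_proxy=True))
    print("via proxy:", over)
    for ip, peak in over.items():
        print(ip, "peak", peak, "-> suggested client limit", suggested_client_limit(peak))
```

Feeding real flow records for the proxy's address into `peak_flows_per_minute` gives the figure to use as the client value in the `policy flowlimit` command above.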

Option 2
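Remove the policy flowlimit. With no limit set, the per-host flow rate control described above, and the SYN flood protection it provides, no longer applies to this traffic.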

For example:

policy flowlimit outbound/default none

For more information on the policy flowlimit command, see PacketGuide.