Handbook

6.0.0
SSL VPN conserve mode

FortiGate units perform all security profile processing in physical RAM. Since each model has a limited amount of memory, Kernel conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service.

SSL VPN also has its own conserve mode. The FortiGate enters SSL VPN conserve mode before Kernel conserve mode, in an attempt to prevent Kernel conserve mode from triggering. While SSL VPN conserve mode is active, no new SSL connections are allowed. It starts when free memory is < 25% of the total memory (when the memory on the FortiGate is less than 512 Mb) or < 10% of the total memory (when the FortiGate has more than 512 Mb built in).

To determine if the FortiGate has entered SSL VPN conserve mode - CLI

Run the following command in the CLI Console:

diagnose vpn ssl statistics

Result (the conserve mode state is reported on the SSLVPN state line):

SSLVPN statistics:
-------------------------
Memory unit:                    1
System total memory:            2118737920
System free memory:             218537984
SSLVPN memory margin:           314572800
SSLVPN state:                   conserve
Max number of users:            2
Max number of tunnels:          0
Max number of connections:      13
Current number of users:        1
Current number of tunnels:      0
Current number of connections:  1
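
For monitoring, the check above can be scripted. The following is an added example, not Fortinet code: it parses captured output of the command and classifies the SSL VPN memory state against the thresholds stated on this page. It assumes the memory values are bytes and reads "512 Mb" as 512 MiB; warn_margin_pct is a hypothetical early-warning band.

```python
import re

# Constructed sample: the output shown on this page, one "label: value" per line.
SAMPLE = """\
SSLVPN statistics:
-------------------------
Memory unit:                    1
System total memory:            2118737920
System free memory:             218537984
SSLVPN memory margin:           314572800
SSLVPN state:                   conserve
Max number of users:            2
Max number of tunnels:          0
Max number of connections:      13
Current number of users:        1
Current number of tunnels:      0
Current number of connections:  1
"""

SMALL_UNIT_BYTES = 512 * 1024 * 1024  # assumption: the page's "512 Mb" read as 512 MiB

def parse_stats(text):
    """Return {label: value} from the statistics output; numeric values become int."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(\S.*?)\s*$", line)
        if m:  # the heading and the dashed rule carry no value and are skipped
            label, value = m.groups()
            stats[label.strip()] = int(value) if value.isdigit() else value
    return stats

def assess(text, warn_margin_pct=5.0):
    """Classify SSL VPN memory health (warn_margin_pct is a hypothetical band)."""
    s = parse_stats(text)
    total, free = s["System total memory"], s["System free memory"]
    free_pct = 100.0 * free / total
    threshold = 25.0 if total < SMALL_UNIT_BYTES else 10.0  # thresholds from the page
    if s["SSLVPN state"].lower() == "conserve":
        status = "conserve"  # the device-reported state is authoritative
    elif free_pct < threshold + warn_margin_pct:
        status = "warning"   # close to the documented entry threshold
    else:
        status = "ok"
    return {"status": status, "free_pct": round(free_pct, 2), "threshold_pct": threshold}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

In the page's sample, free memory is about 10.3% of total while the state already reads conserve, so alert on the reported state and use the computed percentage only as an early warning.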
