SSL VPN conserve mode
FortiGate units perform all security profile processing in physical RAM. Since each model has a limited amount of memory, Kernel conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service.
SSL VPN also has its own conserve mode. The FortiGate enters SSL VPN conserve mode before Kernel conserve mode in an attempt to prevent Kernel conserve mode from triggering. During SSL VPN conserve mode, no new SSL connections are allowed. SSL VPN conserve mode starts when free memory is below 25% of the total memory (when the memory on the FortiGate is less than 512 Mb) or below 10% of the total memory (when the FortiGate has more than 512 Mb built in).
To determine if the FortiGate has entered SSL VPN conserve mode - CLI
Run the following command in the CLI Console:
diagnose vpn ssl statistics
Result (the SSLVPN state line shows the conserve mode state):
SSLVPN statistics:
-------------------------
Memory unit:               1
System total memory:       2118737920
System free memory:        218537984
SSLVPN memory margin:      314572800
SSLVPN state:              conserve

Max number of users:           2
Max number of tunnels:         0
Max number of connections:     13

Current number of users:       1
Current number of tunnels:     0
Current number of connections: 1
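For monitoring, the output above can be parsed so that an alert fires when the SSLVPN state reads conserve. The following is an added example, not Fortinet code: the function names are hypothetical, the sample text is constructed from the output shown on this page, and it assumes the memory values are bytes and that 512 Mb means 512 MiB.

```python
import re

# Constructed sample input: the statistics shown above, as plain text.
SAMPLE = """\
SSLVPN statistics:
-------------------------
Memory unit: 1
System total memory: 2118737920
System free memory: 218537984
SSLVPN memory margin: 314572800
SSLVPN state: conserve

Max number of users: 2
Max number of tunnels: 0
Max number of connections: 13

Current number of users: 1
Current number of tunnels: 0
Current number of connections: 1
"""

def parse_sslvpn_stats(text):
    """Parse 'key: value' lines into a dict; numeric values become int."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(\S+)\s*$", line)
        if m:  # header, separator and blank lines do not match
            key, value = m.groups()
            stats[key] = int(value) if value.isdigit() else value
    return stats

def check_conserve(text):
    """Return the reported state plus free-memory context for alerting."""
    s = parse_sslvpn_stats(text)
    for key in ("SSLVPN state", "System total memory", "System free memory"):
        if key not in s:
            raise ValueError(f"unexpected output, missing field: {key}")
    total, free = s["System total memory"], s["System free memory"]
    if not (isinstance(total, int) and isinstance(free, int) and total > 0):
        raise ValueError("memory fields are not positive integers")
    # Assumption: values are bytes and the page's 512 Mb means 512 MiB.
    threshold = 25 if total < 512 * 1024 * 1024 else 10
    return {
        # The device-reported state is authoritative; the ratio is context only.
        "in_conserve": str(s["SSLVPN state"]).lower() == "conserve",
        "free_pct": round(100 * free / total, 2),
        "page_threshold_pct": threshold,
    }

if __name__ == "__main__":
    print(check_conserve(SAMPLE))
```

Alert on the reported state rather than on the computed percentage, and log the percentage alongside it to see how close the unit is running to the threshold.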