Technical data
Firewall Load Balancing Guide
5 - 2 © 2012 Brocade Communications Systems, Inc. May 31, 2012
the other ServerIron does not need to create a new session for the same traffic flow.
• If the ServerIron already has a session entry for the packet, the ServerIron forwards the traffic to the firewall in
the session entry. All packets with the same source and destination addresses are forwarded to the same
firewall. Since the ServerIrons in a high-availability pair exchange session information, the same firewall is
used regardless of which ServerIron receives the traffic to be forwarded.
Layer 3/4 Sessions
The source and destination addresses in a session entry are Layer 3 or Layer 4.
• A Layer 3 session contains source and destination IP addresses.
• A Layer 4 session entry contains source and destination TCP and UDP port numbers in addition to IP
addresses.
The session entry type depends on whether you add application ports (TCP or UDP ports) to the firewall
configuration information on the ServerIron.
• If you do not configure application ports on a firewall, the ServerIron creates session entries using the source
and destination IP addresses only. All packets for a given pair of source and destination IP addresses are
always sent to the same firewall.
• If you configure an application port on a firewall, the ServerIron includes the source and destination TCP or
UDP port numbers in the session entries for the application. Packets for the same set of source and
destination IP addresses can be sent to different firewalls, depending on the source and destination TCP or
UDP port numbers in the packets. For example, if you configure TCP port 80 on the firewalls, the ServerIron
uses IP addresses and TCP port numbers in the session table entries for HTTP traffic.
Session Limits
To avoid overloading a firewall, the ServerIron does not forward a packet to a firewall if either of the following
conditions is true:
• The firewall already has the maximum allowed number of open sessions with the ServerIron. An open session
is represented by a session entry. By default, a firewall can have up to one million session entries on the
ServerIron. In a high-availability pair, the firewall can have up to one million combined on both ServerIrons.
You can change the maximum number of sessions on an individual firewall basis to a number from 1 –
1,000,000.
• The firewall has already received the maximum allowed number of new sessions within the previous one-
second interval. By default, the ServerIron will allow up to 65535 new sessions to the same firewall. The
maximum includes TCP and UDP sessions combined. You can change the maximum number of sessions
separately for TCP and UDP, to a value from 1 – 65535.
Session Aging
The ServerIron ages out inactive session entries. The aging mechanism differs depending on whether the session
entry is a Layer 3 entry or a Layer 4 entry:
• Layer 3 session entries – The ServerIron uses the sticky age timer to age out Layer 3 session entries. The
default sticky age is 5 minutes. You can change the sticky age to a value from 2 – 60 minutes.
• To change the timer, enter the server sticky-age <num> command at the global CONFIG level of the
CLI.
• Layer 4 session entries – The ServerIron clears a session entry that has TCP ports when the ServerIron
receives a TCP FIN or RESET to end the session. For a TCP session that ends abnormally, the ServerIron
uses the TCP age timer to age out the session. The ServerIron uses the UDP age timer to age out all UDP
sessions. The default TCP age timer is 30 minutes. The default UDP age timer is 5 minutes. You can
configure either timer to a value from 2 – 60 minutes.
• To change the TCP age timer, enter the server tcp-age <num> command at the global CONFIG level of
the CLI.
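The session-table behaviour described in this chapter (Layer 3 versus Layer 4 session keys, the per-firewall session and new-session limits, and the sticky, TCP and UDP aging timers) is shown below as an added Python simulation. It is not ServerIron code or a Brocade implementation; the round-robin choice among firewalls, the whole-second bucket used to approximate the "previous one-second interval", the matching of a configured application port against either the source or the destination port, and the omission of the high-availability pair's combined limit are all assumptions made for this example, and the packets and addresses are constructed sample data.

```python
"""Simulated firewall load-balancer session table, modelled on the
ServerIron behaviour described in this chapter.  Added illustration,
not ServerIron code: round-robin firewall choice, whole-second buckets
for the new-session limit and 'either port' application-port matching
are assumptions of this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP control flags seen, e.g. {"FIN"}


@dataclass
class Session:
    firewall: str
    last_seen: float                 # simulated clock, in seconds


class FirewallLoadBalancer:
    def __init__(self, firewalls, app_ports=(), max_sessions=1_000_000,
                 max_new_per_sec=65535, sticky_age_min=5, tcp_age_min=30,
                 udp_age_min=5):
        self.firewalls = list(firewalls)
        self.app_ports = set(app_ports)           # (proto, port) configured on the firewalls
        self.max_sessions = max_sessions          # open sessions allowed per firewall
        self.max_new_per_sec = max_new_per_sec    # new sessions per second, TCP+UDP combined
        self.sticky_age = sticky_age_min * 60     # Layer 3 entries
        self.tcp_age = tcp_age_min * 60           # Layer 4 TCP entries that never saw FIN/RST
        self.udp_age = udp_age_min * 60           # Layer 4 UDP entries
        self.sessions = {}                        # key -> Session
        self.open_count = defaultdict(int)        # firewall -> open sessions
        self.new_count = defaultdict(int)         # (firewall, whole second) -> new sessions
        self._rr = 0                              # round-robin cursor (assumption)

    def session_key(self, pkt):
        """Layer 4 key when the packet matches a configured application port
        (assumption: on either port), otherwise a Layer 3 key."""
        if (pkt.proto, pkt.dport) in self.app_ports or (pkt.proto, pkt.sport) in self.app_ports:
            return ("L4", pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.sport, pkt.dport)
        return ("L3", pkt.src_ip, pkt.dst_ip)

    def _remove(self, key):
        sess = self.sessions.pop(key)
        self.open_count[sess.firewall] -= 1

    def _can_accept(self, fw, now):
        if self.open_count[fw] >= self.max_sessions:
            return False                          # session limit reached
        if self.new_count[(fw, int(now))] >= self.max_new_per_sec:
            return False                          # new-session rate limit reached
        return True

    def forward(self, pkt, now):
        """Return the firewall the packet is forwarded to, or None when no
        firewall may accept a new session for it."""
        key = self.session_key(pkt)
        sess = self.sessions.get(key)
        if sess is not None:
            sess.last_seen = now
            # A Layer 4 TCP entry is cleared as soon as FIN or RESET is seen.
            if key[0] == "L4" and pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
                self._remove(key)
            return sess.firewall
        # New flow: take the next firewall in turn that is under both limits.
        for _ in range(len(self.firewalls)):
            fw = self.firewalls[self._rr % len(self.firewalls)]
            self._rr += 1
            if self._can_accept(fw, now):
                self.sessions[key] = Session(fw, now)
                self.open_count[fw] += 1
                self.new_count[(fw, int(now))] += 1
                return fw
        return None

    def age_out(self, now):
        """Remove idle entries: sticky age for Layer 3, TCP or UDP age for
        Layer 4.  Returns the keys that were aged out."""
        expired = []
        for key, sess in self.sessions.items():
            if key[0] == "L3":
                limit = self.sticky_age
            elif key[3] == "tcp":
                limit = self.tcp_age
            else:
                limit = self.udp_age
            if now - sess.last_seen >= limit:
                expired.append(key)
        for key in expired:
            self._remove(key)
        return expired
```

With TCP port 80 configured as an application port, two HTTP connections from the same client to the same server get distinct Layer 4 keys and may land on different firewalls, while DNS traffic between the same pair shares one Layer 3 entry and always follows the same firewall; the DNS entry is aged by the sticky timer, the HTTP entries by FIN/RESET or the TCP age timer.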