
Amer Networks E5Web GUI User Manual

Page 123


Lockdown Mode

cOS Core will enter a state known as Lockdown Mode if certain license violations occur. While in
lockdown mode, only remote management traffic is allowed by the Clavister Security Gateway
and all other traffic will be dropped. Unlike the two-hour time limit of Demonstration Mode, there
is no time limit with lockdown mode.

Causes of Lockdown Mode

Lockdown Mode is usually caused by the license file bound to the Clavister Security Gateway
being in some way invalid. Conditions that trigger lockdown mode include license date expiry,
using the license on the wrong hardware or an invalid license file signature.

Ending Lockdown Mode

When lockdown mode is entered, the condition can be terminated by installing a valid license or
removing the configuration violation that triggered the condition. Removing the current license
will cause cOS Core to enter the two-hour demonstration mode from lockdown mode. This might
be necessary to allow traffic to flow to the Internet in order to download a new license file.

Behavior After Exceeding License Limits

When the administrator tries to change the cOS Core configuration in such a way that it exceeds
the limitations of the current license, it will not be possible to deploy the configuration. This
means that there is no disruption to live traffic if license parameters are exceeded.

This is similarly true when restoring a backup with a configuration that exceeds the limitations of
the installed license. cOS Core will detect if the restored configuration exceeds any license limits
and revert to the old configuration if it does.

The cOS Core objects that are subject to this behavior are as follows:

IPsecTunnel

L2TPClient

L2TPServer

L2TPv3Server

PPPoETunnel

SSLVPNInterface

RoutingTable

GRETunnel

VLAN

The behavior of IPsec is controlled by the license parameter PROP_TUNNELS. This limits not only the
total number of IPsecTunnel objects that can be created but also how many live IPsec tunnels can be
opened across the system. In a roaming clients situation, a single IPsecTunnel object could have
thousands of tunnels associated with it. If an attempt is made to set up a tunnel so that the total
number of IPsec tunnels across the system exceeds the PROP_TUNNELS limit, the attempt fails
and a log message is generated to indicate the license limit is exceeded.

If present, the PROP_PPPTUNNELS license parameter controls the combined total number of
L2TPClient, L2TPServer, L2TPv3Server and PPPoETunnel objects that can be created. If
PROP_PPPTUNNELS is not specified in a license, the value defaults to the same value as
PROP_TUNNELS.

The number of Route and IPRule objects is not subject to license restrictions although, for
backward compatibility, these appear as license parameters.
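
The following is an added example, not part of the original manual or of cOS Core: a pre-deployment check that applies the PROP_TUNNELS and PROP_PPPTUNNELS rules described above to an inventory of object type names. The inventory format, the function name and the sample values are assumptions constructed for illustration; only the two license parameters named on this page are checked.

```python
from collections import Counter

# Object types that share the combined PROP_PPPTUNNELS limit (from the text above).
PPP_TYPES = ("L2TPClient", "L2TPServer", "L2TPv3Server", "PPPoETunnel")

# Constructed sample: one entry per configured object, by type name (assumed format).
SAMPLE_INVENTORY = (
    ["IPsecTunnel"] * 2
    + ["L2TPClient", "L2TPServer", "L2TPv3Server", "PPPoETunnel", "PPPoETunnel"]
    + ["Route"] * 500      # Route and IPRule are not license restricted
    + ["IPRule"] * 300
)


def check_license_limits(object_types, license_params, live_ipsec_tunnels=0):
    """Return a list of (parameter, what, used, limit) tuples for each exceeded limit.

    object_types       -- iterable of object type names in the candidate configuration
    license_params     -- dict of license parameter name -> integer limit
    live_ipsec_tunnels -- currently established IPsec tunnels across the system
    """
    counts = Counter(object_types)
    tunnels_limit = license_params["PROP_TUNNELS"]
    # If PROP_PPPTUNNELS is absent from the license it defaults to PROP_TUNNELS.
    ppp_limit = license_params.get("PROP_PPPTUNNELS", tunnels_limit)

    violations = []
    # PROP_TUNNELS caps the number of IPsecTunnel objects ...
    if counts["IPsecTunnel"] > tunnels_limit:
        violations.append(
            ("PROP_TUNNELS", "IPsecTunnel objects", counts["IPsecTunnel"], tunnels_limit))
    # ... and, separately, the number of live tunnels (one object can carry many).
    if live_ipsec_tunnels > tunnels_limit:
        violations.append(
            ("PROP_TUNNELS", "live IPsec tunnels", live_ipsec_tunnels, tunnels_limit))
    # PROP_PPPTUNNELS caps the combined total of the four PPP-family object types.
    ppp_total = sum(counts[t] for t in PPP_TYPES)
    if ppp_total > ppp_limit:
        violations.append(("PROP_PPPTUNNELS", "PPP objects combined", ppp_total, ppp_limit))
    return violations


if __name__ == "__main__":
    for v in check_license_limits(SAMPLE_INVENTORY, {"PROP_TUNNELS": 4}):
        print("limit exceeded: %s (%s) used=%d limit=%d" % v)
```

Running the same check against a backup before restoring it shows in advance whether cOS Core would revert to the old configuration.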

Chapter 2: Management and Maintenance
