embryonic session-limit drops

Jul 5th, 2007

A PIX-515 running v7.2(1) is continuously dropping packets because of exceeding the embryonic counter limit which is currently set to 500.

The sessions dropped are connection requests initiated from outside to internal clients which are prohibited by the ruleset (ACL). Why is the PIX dropping connection requests with the "embryonic session limit" feature and not with the ACL deny statement? Unfortunately the PIX is also dropping legitimate TCP connections. What could be the reason for that and is there a way to influence this misbehaviour?

roland.sonder Fri, 07/13/2007 - 05:32

Hi Jaffer,

Meanwhile I opened a TAC case (606358461). After an in-depth analysis one can say that this is normal behaviour.


TAC response:

When a new packet arrives, the PIX always carries out the checks in the following order (packet-tracer output):

Step 1: FLOW-LOOKUP

Step 2: UN-NAT <-- hit embryonic

Step 3: ACCESS-LIST


The embryonic counter could increase to the limit, because someone (probably) tried a syn-flood attack or an excessive port scan with target address 193.135.2.129.

By chance, he hit any of the five open ports (permitted via access-list 'outside_access_in') at least 500 times within the default embryonic timeout of 30 seconds.

Once the embryonic counter has been exceeded, new connections to the same IP that do not match a permit ACL are denied.

Connections explicitly allowed by an ACL are still possible!

Regards

Roland


jaffer_sathik2010 Fri, 07/13/2007 - 19:29

Hi Roland,


That means, if the PIX device has an access-list permitting the IP 192.168.1.1 and the embryonic counter has reached the maximum, then a packet traversing to the IP 192.168.1.1 will be allowed by the PIX?


If allowed, I wonder what the use of the embryonic counter is?


--Jaffer
bhgl Wed, 09/12/2007 - 07:34

Hi,


We also have this problem with PIX 7.2.3 from Outside to a DMZ interface with a mail system as destination. I get the syslog: %PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from xxx.xxx.xxx.xxx/1049 to xxx.xxx.xxx.xxx/25 on interface outside

So I only have the limit of embryonic connections in a static command, not in a policy-map with a set connection statement.

I've tried removing the static command, clearing the xlates and setting it again, but no change is visible: I still get these syslog messages. Please can anybody help?
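As an added example that is not from any of the posters, a small Python parser for the %PIX-6-201010 message quoted in this thread, run over constructed sample lines: it groups the drops by target (destination address and port) and counts distinct source addresses, so a single source hammering one host (the scan or SYN-flood case TAC described) can be told apart from many distinct clients being dropped as collateral of the limit. The RFC 5737 sample addresses and the "single source" heuristic are assumptions, not anything the thread states.

```python
import re
from collections import defaultdict

# Pattern for the %PIX-6-201010 message quoted in the post above.
LOG_RE = re.compile(
    r"%PIX-6-201010: Embryonic connection limit exceeded "
    r"(?P<cur>\d+)/(?P<max>\d+) for inbound packet from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<ifc>\w+)"
)

def parse_201010(line):
    """Return the message fields as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("cur", "max", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Group 201010 drops by target (dst, dport) and count distinct sources.
    One source hitting a target repeatedly points at a scan or SYN flood;
    many distinct sources dropped at one target look like collateral drops."""
    per_target = defaultdict(lambda: {"drops": 0, "sources": set(), "limit": 0})
    for line in lines:
        rec = parse_201010(line)
        if rec is None:
            continue  # unrelated syslog line
        t = per_target[(rec["dst"], rec["dport"])]
        t["drops"] += 1
        t["sources"].add(rec["src"])
        t["limit"] = rec["max"]
    return {
        target: {"drops": t["drops"], "limit": t["limit"],
                 "distinct_sources": len(t["sources"]),
                 "single_source": len(t["sources"]) == 1}  # assumed heuristic
        for target, t in per_target.items()
    }

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE = [
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 198.51.100.7/1049 to 192.0.2.25/25 on interface outside",
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 198.51.100.7/1050 to 192.0.2.25/25 on interface outside",
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 203.0.113.9/40001 to 192.0.2.80/80 on interface outside",
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 203.0.113.10/40002 to 192.0.2.80/80 on interface outside",
    "Jul 13 2007 05:32:03 fw (constructed unrelated line, ignored by the parser)",
]
```

Calling summarize(SAMPLE) reports the mail target as hit twice from one source and the web target as hit from two distinct sources.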