embryonic session-limit drops

roland.sonder
Level 1

A PIX-515 running v7.2(1) is continuously dropping packets because of exceeding the embryonic counter limit which is currently set to 500.

The sessions dropped are connection requests initiated from outside to internal clients which are prohibited by the ruleset (ACL). Why is the PIX dropping connection requests with the "embryonic session limit" feature and not with the ACL deny statement? Unfortunately the PIX is also dropping legitimate TCP connections. What could be the reason for that, and is there a way to influence this misbehaviour?

5 Replies

Hi Roland,

According to the following Cisco link, it is a bug.

http://www.cisco.com/en/US/products/products_security_response09186a008059a411.html

Hope it helps.

--Jaffer

Hi Jaffer,

Meanwhile I opened a TAC case (606358461). After an in-depth analysis, one can say that this is normal behaviour.

TAC response:

When a new packet arrives, the PIX always carries out the checks in the following order (packet-tracer output):

Step 1: FLOW-LOOKUP

Step 2: UN-NAT <-- hit embryonic

Step 3: ACCESS-LIST

The embryonic counter could increase to the limit because someone (probably) tried a SYN-flood attack or an excessive port scan with target address 193.135.2.129.

By chance, he hit any of the five open ports (permitted via access-list 'outside_access_in') at least 500 times within the default embryonic timeout of 30 seconds.

After the embryonic counter exceeded the limit, new connections to the same IP not matching a permit ACL are denied.

Connections explicitly allowed by an ACL are still possible!

Regards

Roland
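To make the TAC explanation concrete, here is a small model of the check order it describes (FLOW-LOOKUP, then UN-NAT where the embryonic limit is enforced, then ACCESS-LIST). This is an added illustration written for this thread, not PIX code or anything from TAC: the `Pix` class, its per-destination half-open counter with a 30-second expiry, and the `scan_scenario` addresses (RFC 5737 documentation range) are all constructed assumptions. It shows why a connection that the ACL would deny is reported as an embryonic-limit drop once the counter is full, and why an ACL-permitted connection still passes.

```python
"""Hypothetical model of the packet-check order quoted in the TAC reply.

Assumptions (not from the PIX source): half-open connections are counted
per destination IP and expire after the embryonic timeout; only SYNs that
pass the ACL ever create a half-open entry, since a denied SYN creates no
connection.
"""
from dataclasses import dataclass, field

EMBRYONIC_TIMEOUT = 30   # seconds, default quoted in the thread
EMBRYONIC_LIMIT = 500    # limit from the original post


@dataclass
class Pix:
    limit: int = EMBRYONIC_LIMIT
    timeout: int = EMBRYONIC_TIMEOUT
    permitted_ports: set = field(default_factory=set)   # inbound permit ACL (by dst port)
    established: set = field(default_factory=set)       # (src, dst, dport) completed flows
    embryonic: dict = field(default_factory=dict)       # dst -> [(expiry, flow_key), ...]

    def _expire(self, dst, now):
        """Drop half-open entries whose embryonic timeout has passed."""
        self.embryonic[dst] = [e for e in self.embryonic.get(dst, []) if e[0] > now]

    def embryonic_count(self, dst, now):
        self._expire(dst, now)
        return len(self.embryonic[dst])

    def syn(self, src, dst, dport, now):
        """Process an inbound SYN and return (verdict, reason)."""
        key = (src, dst, dport)
        # Step 1: FLOW-LOOKUP - packets of an existing flow bypass the later checks
        if key in self.established:
            return ("pass", "FLOW-LOOKUP")
        # Step 2: UN-NAT - the embryonic limit is evaluated here, before the ACL
        limit_hit = self.embryonic_count(dst, now) >= self.limit
        permitted = dport in self.permitted_ports
        if limit_hit and not permitted:
            return ("drop", "embryonic limit exceeded")
        # Step 3: ACCESS-LIST - only reached when the limit is not the reason for the drop
        if not permitted:
            return ("drop", "ACL deny")
        self.embryonic[dst].append((now + self.timeout, key))
        return ("pass", "ACL permit")

    def ack(self, src, dst, dport, now):
        """Handshake completed: move the flow from half-open to established."""
        key = (src, dst, dport)
        self._expire(dst, now)
        self.embryonic[dst] = [e for e in self.embryonic[dst] if e[1] != key]
        self.established.add(key)


def scan_scenario():
    """Constructed scenario: a scan fills the counter (limit lowered to 5 so it
    fits on screen), then a denied and a permitted request arrive, and finally
    a denied request arrives after the half-open entries have timed out."""
    pix = Pix(limit=5, permitted_ports={25, 80})
    for i in range(5):
        pix.syn(f"198.51.100.{i}", "192.0.2.10", 25, now=0)   # permitted, never completed
    denied = pix.syn("198.51.100.99", "192.0.2.10", 23, now=1)   # port not in the ACL
    allowed = pix.syn("198.51.100.99", "192.0.2.10", 80, now=1)  # port permitted by the ACL
    after = pix.syn("198.51.100.99", "192.0.2.10", 23, now=31)   # counter has expired
    return denied, allowed, after


if __name__ == "__main__":
    for label, result in zip(("denied", "allowed", "after timeout"), scan_scenario()):
        print(f"{label}: {result}")
```

The interesting line is the `denied` result: the same SYN that would be logged as an ACL deny a minute earlier is logged as an embryonic-limit drop while the counter is full, which is exactly the symptom in the original question.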


Hi Roland,

That means, if the PIX device has an access-list permitting IP 192.168.1.1 and the embryonic counter has reached the maximum, then a packet traversing to IP 192.168.1.1 will be allowed by the PIX?

If allowed, I wonder what the use of the embryonic counter is?

--Jaffer

bhgl
Level 1

Hi,

We also have this problem with PIX 7.2.3, from Outside to a DMZ interface with a mail system as destination. I get the syslog:

%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from xxx.xxx.xxx.xxx/1049 to xxx.xxx.xxx.xxx/25 on interface outside

So I have only the limit of embryonic connections in a static command, not in a policy-map with a set connection statement.

I've tried to remove the static command, clear the xlates and set it anew; no change is visible: I still get these syslog messages. Please, can anybody help?
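When troubleshooting the %PIX-6-201010 message quoted above, the first question is usually whether the half-open connections come from one host or from many. The parser below is an added example for this thread, not code from the forum or from Cisco; it assumes the message layout shown in the post (count/limit, direction, source and destination socket, interface) and runs over a few constructed sample lines using RFC 5737 documentation addresses.

```python
"""Parse %PIX-6-201010 embryonic-limit syslog lines and summarise drops per
destination socket, so a single flooding source can be told apart from a
broad scan. The message format is taken from the thread; the sample lines
are constructed for this example."""
import re
from collections import defaultdict

# Field layout assumed from the quoted message; numeric fields and the
# direction word are treated as the only variable parts.
LOG_RE = re.compile(
    r"%PIX-6-201010: Embryonic connection limit exceeded "
    r"(?P<count>\d+)/(?P<limit>\d+) for (?P<direction>\w+) packet "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\w+)"
)

# Constructed sample: three drops toward a mail server from two sources, one
# drop toward a web server, and one unrelated message that must be skipped.
SAMPLE_LOGS = [
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet "
    "from 198.51.100.7/1049 to 192.0.2.25/25 on interface outside",
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet "
    "from 198.51.100.7/1050 to 192.0.2.25/25 on interface outside",
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet "
    "from 203.0.113.9/40000 to 192.0.2.25/25 on interface outside",
    "%PIX-6-201010: Embryonic connection limit exceeded 50/50 for inbound packet "
    "from 203.0.113.9/40001 to 192.0.2.80/80 on interface outside",
    "%PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.9/40002 "
    "(203.0.113.9/40002) to dmz:192.0.2.25/25 (192.0.2.25/25)",
]


def parse_line(line):
    """Return a dict of fields for a 201010 line, or None for any other message."""
    match = LOG_RE.search(line)
    if not match:
        return None
    rec = match.groupdict()
    for key in ("count", "limit", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Group embryonic-limit drops by (dst, dport); report drop count and the
    number of distinct sources, plus how many lines were not 201010 messages."""
    per_dst = defaultdict(lambda: {"drops": 0, "sources": set()})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        entry = per_dst[(rec["dst"], rec["dport"])]
        entry["drops"] += 1
        entry["sources"].add(rec["src"])
    summary = {
        sock: {"drops": v["drops"], "distinct_sources": len(v["sources"])}
        for sock, v in per_dst.items()
    }
    return summary, unparsed


if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOGS)
    for (dst, dport), stats in sorted(report.items()):
        print(f"{dst}:{dport} drops={stats['drops']} sources={stats['distinct_sources']}")
    print(f"skipped {skipped} non-201010 line(s)")
```

A destination with many drops from a handful of sources points at a few misbehaving or malicious hosts; many distinct sources against one port is the scan-like pattern the TAC reply describes, and is also what legitimate clients look like when a limit is set far too low for the server's real load.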
