Max conns and embryonic conns

tmarlow · ‎09-04-2007

I hate to drag this up and it is definitely a "it depends" question, but, I want to configure the max/embryonic conn information for the ASA5550 that I just purchased and unfortunately, I have no starting reference point for these settings. This box will be replacing a PIX 520, can I figure out good historical information from that? The servers that this box will be protecting are your basic Service Provider boxes, running web pages, ftp, mail, dns. I know that it also matters what the horsepower on the servers are, but given a 40k subscriber customer base and good up to date Sun servers, is there a good rule of thumb and how do I know if I'm off and need adjusting. Thanks for any advice, I would hate to leave them 0 0, like I always have.

Travis

oreggin80 · ‎09-04-2007

Hi Travis,

You should read this:

http://www.tech-mavens.com/synflood.htm

However I have a Cisco FWSM1 module and I set embryonic limit to 120 per NAT pool and per static.

JORGE RODRIGUEZ · ‎09-04-2007

Hi Travis, go over the begining of this link as well as under configuring connection limits and timeouts.

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/protect.html#wp1053110

HTH

Jorge

Jorge Rodriguez

srue · ‎09-04-2007

ask your server guys for what kinds of traffic they see. Hopefully, they have some sort of traffic statistics that they probably use for capacity planning.