We have seen a dramatic rise in open connections on the ASA in the past couple of days, from about 20,000 to close to 40,000 now. My first question is how to efficiently monitor these connections. We graph the total number via SNMP, but in this case I need to narrow down the problematic host(s). Currently, I am issuing a "sh conn", displaying all connections, and then copying and pasting to a text file which I then load into a spreadsheet to sort. There has got to be a better way.
I am also not quite sure what to do about this situation. Using the method above, I can see that there are 15,000+ connections open to our mail servers (which is abnormal), but there is no abnormal usage or open TCP connections on the mail servers themselves. So what are these connections exactly? What should be done to minimize them?
Here is an example:
TCP out 126.96.36.199:3633 in 188.8.131.52:25 idle 0:08:36 bytes 15615 flags UfIOB
TCP out 184.108.40.206:4852 in 220.127.116.11:25 idle 0:38:58 bytes 15852 flags UfIOB
TCP out 18.104.22.168:5140 in 22.214.171.124:25 idle 0:00:55 bytes 2799 flags UfFRIOB
TCP out 126.96.36.199:60260 in 188.8.131.52:25 idle 0:00:15 bytes 1135 flags UfIOB
TCP out 184.108.40.206:62983 in 220.127.116.11:25 idle 0:00:04 bytes 483 flags UfOB
TCP out 18.104.22.168:63729 in 22.214.171.124:25 idle 0:04:12 bytes 759 flags UfIOB
I should also mention that approximately 11,000 of these 15,000 connections have the UfIOB flags.
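One way to replace the spreadsheet step, as an added example that is not part of the original post: a small Python script that parses "sh conn" lines in the format quoted above, counts connections per inside host:port, tallies flag combinations (so the UfIOB share is immediate), and lists connections with a given flag set that have been idle past a threshold. It assumes the `out ... in ...` line layout shown above; the sample input is the post's own six lines, and the 300-second idle threshold is an arbitrary starting value.

```python
import re
from collections import Counter

# Constructed sample input: the six "sh conn" lines quoted in the post.
SAMPLE_SHOW_CONN = """\
TCP out 126.96.36.199:3633 in 188.8.131.52:25 idle 0:08:36 bytes 15615 flags UfIOB
TCP out 184.108.40.206:4852 in 220.127.116.11:25 idle 0:38:58 bytes 15852 flags UfIOB
TCP out 18.104.22.168:5140 in 22.214.171.124:25 idle 0:00:55 bytes 2799 flags UfFRIOB
TCP out 126.96.36.199:60260 in 188.8.131.52:25 idle 0:00:15 bytes 1135 flags UfIOB
TCP out 184.108.40.206:62983 in 220.127.116.11:25 idle 0:00:04 bytes 483 flags UfOB
TCP out 18.104.22.168:63729 in 22.214.171.124:25 idle 0:04:12 bytes 759 flags UfIOB
"""

# One row: proto, outside addr:port, inside addr:port, idle h:mm:ss, bytes, flags.
# Assumes the "out ... in ..." layout from the post; other ASA versions print
# interface names here, and the pattern would need adjusting for them.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})\s+bytes\s+(?P<bytes>\d+)\s+flags\s+(?P<flags>\S+)$"
)

def idle_to_seconds(idle):
    """Convert the h:mm:ss idle field to seconds."""
    h, m, s = (int(x) for x in idle.split(":"))
    return h * 3600 + m * 60 + s

def parse_show_conn(text):
    """Return one dict per parsable connection line; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            c = m.groupdict()
            c["idle_s"] = idle_to_seconds(c["idle"])
            c["bytes"] = int(c["bytes"])
            conns.append(c)
    return conns

def top_inside_targets(conns, n=10):
    """Inside host:port pairs with the most connections, i.e. which server is being hit."""
    return Counter(f'{c["in_ip"]}:{c["in_port"]}' for c in conns).most_common(n)

def flag_histogram(conns):
    """How many connections carry each flag combination (e.g. the UfIOB set from the post)."""
    return Counter(c["flags"] for c in conns)

def stale_conns(conns, flags="UfIOB", min_idle_s=300):
    """Connections with the given flag set that have been idle at least min_idle_s seconds."""
    return [c for c in conns if c["flags"] == flags and c["idle_s"] >= min_idle_s]
```

Save the full "sh conn" output to a file and pass its contents to `parse_show_conn`, then sort on `top_inside_targets` and `stale_conns` instead of in the spreadsheet.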