We have seen a dramatic rise in open connections on the ASA in the past couple days. From about 20,000 to close to 40,000 now. My first question is how efficiently monitor these connections. We graph the total number via SNMP, but in this case, I need to narrow down the problematic host(s). Currently, I am issuing a "sh conn", displaying all connections and then copying and pasting to a text file which I then load into a spreadsheet to sort. There has got to be a better way.
I am also not quite sure what to do about this situation. Using the method above, I can see that there are 15,000+ connections open to our mail servers (which is abnormal), but there is no abnormal usage or open tcp connections on the mail servers themselves. So what are these connections exactly? What should be done to minimize them?
Here is an example:
TCP out 220.127.116.11:3633 in 18.104.22.168:25 idle 0:08:36 bytes 15615 flags UfIOB
TCP out 22.214.171.124:4852 in 126.96.36.199:25 idle 0:38:58 bytes 15852 flags UfIOB
TCP out 188.8.131.52:5140 in 184.108.40.206:25 idle 0:00:55 bytes 2799 flags UfFRIOB
TCP out 220.127.116.11:60260 in 18.104.22.168:25 idle 0:00:15 bytes 1135 flags UfIOB
TCP out 22.214.171.124:62983 in 126.96.36.199:25 idle 0:00:04 bytes 483 flags UfOB
TCP out 188.8.131.52:63729 in 184.108.40.206:25 idle 0:04:12 bytes 759 flags UfIOB
I should also mention that approximately 11,000 of these 15,000 connections have the UfIOB flags.