ASA 5550 Open Connections Increase

Unanswered Question
Sep 19th, 2007

We have seen a dramatic rise in open connections on the ASA in the past couple days. From about 20,000 to close to 40,000 now. My first question is how efficiently monitor these connections. We graph the total number via SNMP, but in this case, I need to narrow down the problematic host(s). Currently, I am issuing a "sh conn", displaying all connections and then copying and pasting to a text file which I then load into a spreadsheet to sort. There has got to be a better way.

I am also not quite sure what to do about this situation. Using the method above, I can see that there are 15,000+ connections open to our mail servers (which is abnormal), but there is no abnormal usage or open tcp connections on the mail servers themselves. So what are these connections exactly? What should be done to minimize them?

Here is an example:

TCP out 86.195.154.184:3633 in 66.245.177.215:25 idle 0:08:36 bytes 15615 flags UfIOB

TCP out 86.195.154.184:4852 in 66.245.177.215:25 idle 0:38:58 bytes 15852 flags UfIOB

TCP out 83.20.185.182:5140 in 66.245.177.215:25 idle 0:00:55 bytes 2799 flags UfFRIOB

TCP out 69.40.127.71:60260 in 66.245.177.215:25 idle 0:00:15 bytes 1135 flags UfIOB

TCP out 24.132.222.168:62983 in 66.245.177.215:25 idle 0:00:04 bytes 483 flags UfOB

TCP out 24.132.222.168:63729 in 66.245.177.215:25 idle 0:04:12 bytes 759 flags UfIOB

I should also mention that approximately 11,000 of these 15,000 connections have the UfIOB flags.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
amritpatek Tue, 09/25/2007 - 11:19

These are half open connections which may be left after the client closing the connection but it is still active on ASA. It may happen because of TCP timeout value set at very high. If you need the connection timeout value for TCP to be set high for a certain IP flow, then it is recommended to use a policy map.

easycgi-cisco Tue, 09/25/2007 - 11:53

Thank you amritpatek. Yes, these connections were probably an attack against our mail servers. I will consider changing our timeouts.

Actions

This Discussion