set connection per-client-max

Unanswered Question
Aug 12th, 2008


I have an issue with some users that open up obsurd numbers of connections through the firewall at times due to filesharing, poorly written web apps, etc. I'd like to limit the number of connections per-host to say.. 100.

I've implemented the following configuration on a PIX515E running 7.2(4) and supporting about 100 users as a test before I implement it on our ASA5520s with 7.2(4) which support around 3000 users.

access-list limit-conns extended deny ip

access-list limit-conns extended deny ip

access-list limit-conns extended permit ip any

access-list limit-conns extended deny ip any any

class-map CONNS

match access-list limit-conns

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect http

inspect ils

inspect pptp

class CONNS

set connection per-client-max 75

service-policy global_policy global

It seems to be working, because from time-to-time I'll see the following messages in the syslog:

Aug 12 2008 11:53:22: %PIX-3-201013: Per-client connection limit exceeded 75/75 for input packet from to on interface inside

I have a perl script that I created that will log into the firewall and parse the connection data so I have an idea of who has how many connections open... With the above config in place and even when I see the syslog message, I check the connection counts and see hosts with 150-ish connections at times.

From what I have read, the policy should enforce the 75 connection limit shouldn't it? Is there somthing I'm missing? THanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Tue, 08/12/2008 - 11:19

I think the 75 is the limit for the connections 'initated' by the host and not the ones in which the initial SYN came from the other side (as in other hosts connecting to it). As per the Cisco Docs:

"A client is defined as the host that sends the initial packet of a connection (that builds the new connection) through the security appliance"

do a "show conn det | inc " and see the FLAGS of the connections. (only valid for TCP). You will find some are initiated from the other side. If these hosts are on the inside, the outside-initated connections will have UIOB flag (B = Initated from Outside)



rtjensen4 Tue, 08/12/2008 - 11:33

Hello, Thanks for the reply. I have read the documentation and I'm glad I understand it the same way you do. Here's an example of what I'm looking at. THis host has 155 connections open, yet the flags do not indicate that the connection is outside-back

See the Attachment. Thanks!

Farrukh Haroon Tue, 08/12/2008 - 11:59

See most of these connections have the FIN bit set (fF). They are just waiting to be removed I guess. I don't know what flags they check. Perhaps someone from the ASA dev/TAC team can shed light on this.




This Discussion