Problems with latest ASA CSC Module

Unanswered Question
Jul 8th, 2009

We just recently upgraded the CSC module from version 6.2.1599.6 to 6.3.1172.0. It was running fine, but ever since then we've been getting occasional web timeouts and slow loading. No other config changes have been made.

In my syslog I'm seeing these two warnings:

LCSO-ASA1-CSC 21184512: 2009-07-08T15:05:08-0400 The maximum number of connections for HTTP has been reached. New connections will be kept in a backlog and may time out.

LCSO-ASA1-CSC 21184513: 2009-07-08T15:22:01-0400 The maximum number of connections for HTTP has returned to normal threshold.

It appears we're doing too many connections, but I don't know how to increase it or just let the maxed out connections through?

Thanks for any help.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
robertson.michael Wed, 07/08/2009 - 11:50

Hi Adam,

I have not used 6.3 myself, but as far as I know there is no way to avoid connections being stored in a queue when the max number of HTTP connections is reached. The connection limit is fixed, so you won't be able to increase it either.

As an alternative, you could exempt certain IP addresses from the CSC policy all together, but this exemption would be in effect 100% of the time, not just when you went over the connection limit threshold.

If you are consistently hitting the connection limit, you might look into upgrading to a CSC-SSM-20, which has a higher connection limit, if you only have the -10 model.


adambaack Wed, 07/08/2009 - 11:52

Yep, unfortunately we have the CSC-SSM-20 with the 1000 user limit. Our rep is trying to get us to look at the Cisco Ironport devices to replace the module which they just sold us a year ago.

robertson.michael Wed, 07/08/2009 - 11:56

In that case, it sounds like the CSC isn't scalable enough for your environment. I have not used the Ironport devices myself. Best of luck.



This Discussion