Embryonic connection limits per VPN

Unanswered Question
Jul 6th, 2010

Can you assign embryonic connection limits to each VPN (site-to-site) or can it only be assigned globally or on a per interface basis?

Also what is the difference between a half opened connection and an embryonic connection?


Thanks!

Marcin Latosiewicz Tue, 07/06/2010 - 08:53
User Badges:
  • Cisco Employee,

I assume we're talking about ASA?


Embryonic and half-open connections are the same thing, or at least in the context of what the ASA is doing (a connection that still didn't receive a SYN-ACK).


You can set the number of those via MPF, with whatever a class can match - in particular, if you want to set an embryonic limit on a particular crypto map entry, you can use the same access-list to match the traffic.
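The approach described in the answer above, written out as an added configuration example (not from the original post or from Cisco's documentation). The access-list name, interface names, addresses and limits are all hypothetical; the crypto map ACL and the class-map reuse the same access-list so the limit applies only to traffic for that tunnel:

```cisco
! Hypothetical crypto map ACL for the site-to-site tunnel to "site B"
access-list VPN_TO_SITEB extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITEB

! Class that matches the same traffic the crypto map entry protects
class-map CM_SITEB_VPN
 match access-list VPN_TO_SITEB

! Interface policy: cap half-open (embryonic) TCP connections for that tunnel only.
! Values are placeholders; size them from observed traffic before enforcing.
policy-map PM_OUTSIDE
 class CM_SITEB_VPN
  set connection embryonic-conn-max 100 per-client-embryonic-max 20

! Applied to the outside interface; the default global_policy keeps running
! alongside it for features this interface policy does not set.
service-policy PM_OUTSIDE interface outside
```

Use `show service-policy interface outside` to confirm the class is hit and the embryonic limit is active for that traffic.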

networker99 Tue, 07/06/2010 - 08:59
User Badges:

Thanks, and do I just apply the policy to the outside interface (and yes this is an ASA)... or is there a way to apply to the crypto map?

networker99 Tue, 07/06/2010 - 09:04
User Badges:

Thanks. If you do apply it to an interface, will this disable the global policy, or just work alongside it (with the interface policy being looked at first)?

Marcin Latosiewicz Tue, 07/06/2010 - 09:14
User Badges:
  • Cisco Employee,

They will work alongside each other.


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/mpf.html

Service Policy Guidelines

Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.

You can only apply one global policy. For example, you cannot create a global policy that includes feature set 1, and a separate global policy that includes feature set 2. All features must be included in a single policy.

networker99 Tue, 07/06/2010 - 09:11
User Badges:

Also.. am I correct in assuming that VPN peers (site-2-site) are still subject to the default global policy?

Marcin Latosiewicz Tue, 07/06/2010 - 09:15
User Badges:
  • Cisco Employee,

Yes, as far as I'm aware MPF is agnostic to whether traffic belongs to a VPN, the only exception being QoS configuration, where you have the "match tunnel-group" command.
