Embryonic connection limits per VPN

Unanswered Question
Jul 6th, 2010

Can you assign embryonic connection limits to each VPN (site-to-site) or can it only be assigned globally or on a per interface basis?

Also what is the difference between a half opened connection and an embryonic connection?

Thanks!

Marcin Latosiewicz Tue, 07/06/2010 - 08:53

I assume we're talking about ASA?

Embryonic and half-open connections are the same thing, or at least in the context of what the ASA is doing (a connection that still hasn't received a SYN-ACK).

You can set the number of those via MPF, with whatever a class can match. In particular, if you want to set an embryonic limit on a particular crypto map entry, you can use the same access-list to match the traffic.
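The approach described in this reply, written out as an added configuration example (not part of the original post). The ACL, class-map, policy-map and interface names, and the limit values, are assumed for illustration; the only requirement is that the class's access-list match the same interesting traffic as the crypto map entry's ACL for that peer:

```cisco
! Assumed: the crypto map entry for the site-to-site peer already uses
! an ACL named VPN-SITEB (10.1.0.0/16 <-> 10.2.0.0/16). Reuse it in MPF.
access-list VPN-SITEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Class that matches the VPN's interesting traffic
class-map VPN-SITEB-CLASS
 match access-list VPN-SITEB

! Interface policy: cap half-open (embryonic) TCP connections for this VPN only.
! Values are illustrative; size them to the peer's real traffic.
policy-map outside-policy
 class VPN-SITEB-CLASS
  set connection embryonic-conn-max 100 per-client-embryonic-max 20

! Apply to the interface the crypto map is bound to; other features in the
! global policy continue to apply to this interface alongside it.
service-policy outside-policy interface outside

! Verify the limit is attached and see current embryonic counts per class
show service-policy interface outside
```

Two caveats worth keeping in mind: embryonic limits count TCP connections, so this applies to the cleartext traffic carried inside the tunnel, not to the ESP or IKE packets themselves; and the interface policy can only be matched on traffic the ASA sees on that interface, so mirror the crypto ACL exactly rather than writing a broader match.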

networker99 Tue, 07/06/2010 - 08:59

Thanks, and do I just apply the policy to the outside interface (and yes this is an ASA)... or is there a way to apply to the crypto map?

networker99 Tue, 07/06/2010 - 09:04

Thanks. If you do apply it to an interface, will this disable the global policy, or just work alongside it (with the interface policy being looked at first)?

Marcin Latosiewicz Tue, 07/06/2010 - 09:14

They will work alongside each other.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/mpf.html

Service Policy Guidelines

Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.

You can only apply one global policy. For example, you cannot create a global policy that includes feature set 1, and a separate global policy that includes feature set 2. All features must be included in a single policy.

networker99 Tue, 07/06/2010 - 09:11

Also.. am I correct in assuming that VPN peers (site-2-site) are still subject to the default global policy?

Marcin Latosiewicz Tue, 07/06/2010 - 09:15

Yes, as far as I'm aware MPF is agnostic to whether traffic belongs to a VPN, the only exception being QoS configuration, where you have the "match tunnel-group" command.
