cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
686
Views
0
Helpful
7
Replies

Embryonic connection limits per VPN

networker99
Level 1
Level 1

Can you assign embryonic connection limits to each VPN (site-to-site) or can it only be assigned globally or on a per interface basis?

Also what is the difference between a half opened connection and an embryonic connection?

Thanks!

7 Replies 7

Marcin Latosiewicz
Cisco Employee
Cisco Employee

I assume we're talking about ASA?

Emrionic and half open connections are same thing or at least in context of what ASA is doing (Connection that still didn't receive SYN-ACK)

You can set the number of those via MPF, with whatever a class can match - in particular if you want to set embryonic limit on particular crypto map entry you can used the same access-list to mach traffic.

Thanks, and do I just apply the policy to the outside interface (and yes this is an ASA)... or is there a way to apply to the crypto map?

There is no way to apply it to crypto map.

I believe the proper place to apply it is "global" policy rather then per interface.

Here's a decent configuration example:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html#wp1088544

Marcin

Thanks, If you do apply it to an interface, will this disable the global policy, or just work alongside it (with the interface policy being looked at first?)

They will work alongside each other.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/mpf.html

Service Policy Guidelines

Interface service policies take  precedence over the global service policy for a given feature. For  example, if you have a global policy with FTP inspection, and an  interface policy with TCP normalization, then both FTP inspection and  TCP normalization are applied to the interface. However, if you have a  global policy with FTP inspection, and an interface policy with FTP  inspection, then only the interface policy FTP inspection is applied to  that interface.

You can only apply one global policy.  For example, you cannot create a global policy that includes feature set  1, and a separate global policy that includes feature set 2. All  features must be included in a single policy.

Also.. am I correct in assuming that VPN peers (site-2-site) are still subject to the default global policy?

Yes, as far as I'm aware MPF is agnostic if traffic belongs to VPN, only expcetion being QoS configuration where you have "match tunnel-group" command.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: