How to set a maximum download size per connection in the ASA?

Answered Question
May 21st, 2012

Hi, I would like to avoid big downloads, so I want to set a maximum download file size. How can I set the limit in MB allowed per connection on the ASA?

Thanks

Julio Carvajal Mon, 05/21/2012 - 10:06

Hello Jmprats,


Being honest with you, I know we can configure timeouts for particular connections or the maximum amount of connections per host.

We can also configure the maximum bandwidth that a particular traffic pattern can have, but I am almost sure there is no option to limit a connection based on the download size of a connection (ASA speaking).


Regards,


Julio

jmprats Tue, 05/22/2012 - 03:18

So, I suppose I will have to work with connection timeouts. Can I set different timeouts for different source IP addresses?

Correct Answer
Julio Carvajal Tue, 05/22/2012 - 09:46

Hello,


Yes, you will be able to do that using the Modular Policy Framework (MPF):

access-list test permit tcp host x.x.x.x host y.y.y.y eq 80
class-map test
 match access-list test
policy-map global_policy
 class test
  set connection timeout x.x.



Regards,


Julio

Andrew Phirsov Wed, 03/06/2013 - 09:54

Is it possible to set a connection timeout in the newer versions (i.e. 8.4, 9.1)? Not idle or TCP embryonic or something like that, but a timeout for regular, legitimate connections, just as in the example in the previous post. In newer versions I don't see such an option. Any clue?

jocamare Wed, 03/06/2013 - 10:02

Are we talking about a "timeout" for normal and working connections?


The function of the current timeouts is to free resources on the unit and provide protection.

Andrew Phirsov Wed, 03/06/2013 - 10:16

I'm not sure you answered my question. Look at the previous post by jcarvaja. See the commands? (Particularly "set connection timeout x.x.") Is there a way to achieve this in newer versions? I.e. not set connection timeout idle/half-closed/embryonic, but just set connection timeout without any other keywords.

Julio Carvajal Wed, 03/06/2013 - 10:19

Hello Andrew,


I got your question, but I think we might be confused here. I did not specify anything after the timeout, but when you configure it you will see you have the same options.


Here are the configuration options on 8.2.5:

ciscoasa(config-pmap-c)# set connection timeout ?

mpf-policy-map-class mode commands/options:
  dcd          Configure dead-connection-detection retry interval.
  embryonic    Configure absolute time after which an embryonic TCP connection
               will be closed, default is 0:00:30.
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  idle         Configure idle time after which a connection state will be
               closed.

Now on an ASA running 8.4.4(9):

WPLG-ASA-1(config-pmap-c)# set connection timeout ?

mpf-policy-map-class mode commands/options:
  dcd          Configure dead-connection-detection retry interval.
  embryonic    Configure absolute time after which an embryonic TCP connection
               will be closed, default is 0:00:30.
  half-closed  Configure idle time after which a TCP half-closed connection
               will be freed, default is 0:10:00
  idle         Configure idle time after which a connection state will be
               closed.

So as you can see, same options, no change at all.


Hope that I could help


Remember to rate all of the helpful posts
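For reference, here is what the MPF policy from the earlier answer looks like once one of the timer keywords listed above is actually chosen, together with the per-client connection limits that are the ASA's only size-independent lever. This is an added example, not configuration posted in the thread; the host address, ports and timer values are placeholders.

```cisco
! Traffic to constrain: one inside host (placeholder address) talking to web servers.
access-list LIMIT-HOST extended permit tcp host 10.1.1.5 any eq 80
access-list LIMIT-HOST extended permit tcp host 10.1.1.5 any eq 443
!
class-map LIMIT-HOST
 match access-list LIMIT-HOST
!
! Hang the class off the existing global policy. As the "?" output shows, only
! idle, embryonic, half-closed and dcd timers exist; there is no absolute
! per-connection timer and no per-connection byte limit.
policy-map global_policy
 class LIMIT-HOST
  ! cap concurrent and half-open connections from this client
  set connection per-client-max 20 per-client-embryonic-max 10
  ! tear down (with RST) flows that carry no traffic for 5 minutes
  set connection timeout idle 0:05:00 reset
  ! drop half-open handshakes after 10 seconds instead of the 30 s default
  set connection timeout embryonic 0:00:10
  ! free half-closed TCP state after 1 minute instead of 10
  set connection timeout half-closed 0:01:00
  ! probe idle-but-established flows every 15 s, up to 5 times, before freeing them
  set connection timeout dcd 0:00:15 5
!
! Already present on a default configuration; shown for completeness.
service-policy global_policy global
!
! Verify which class and actions a sample flow would hit (placeholder server address).
show service-policy flow tcp host 10.1.1.5 host 203.0.113.10 eq 80
```

Keep the idle timer above what your users' longest legitimate stall is, otherwise a large download that pauses briefly is reset without ever reaching a byte limit.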

Andrew Phirsov Wed, 03/06/2013 - 10:40

I always thought that it was possible to generally limit the connection timeout for a specific set of traffic, but, as it turned out, it can't be done. Interesting)

jmprats Tue, 03/12/2013 - 04:39

And back to the original question. Is there any way to monitor who is uploading or downloading?


I can monitor connection MBytes, but I cannot see which direction they are (upload or download).

Thanks

Julio Carvajal Sat, 03/16/2013 - 13:37

Hello,


Why don't you use NetFlow on the ASA...

Of course you will need software to be able to understand the NetFlow traffic from the ASA (records and templates). I would even recommend you go with the PRTG software, a beauty that is free (for just 1 to 10 devices), and it will show you that stuff.

Go ahead and get PRTG and enable SNMP on the ASA.


Cheers mate


Julio Carvajal Segura


Remember to rate all of the helpful posts
