Embryonic connection limit reached but PIX still passing traffic to Server

Unanswered Question
Feb 17th, 2003

I have a PIX running 6.1.4 and set the Embryonic connection limit to 50 on all the statics. We had an incident today that got me wondering if it is actually working.


The web server that sits behind a Local Director with a virtual IP was showing over 7000 SYNs from the "sh syn" command.


How could this be? The documentation states that the PIX should intercept any SYNs over the 50 limit.


Has anyone had any experience with the embryonic connection limit and how it should react?


Thanks,

gfullage Mon, 02/17/2003 - 19:30
User Badges: Cisco Employee

An embryonic connection is one that has started but not yet completed, i.e. the 3-way handshake has not completed. It is designed to prevent TCP SYN attacks through to your internal servers.


What might be going on here is an issue with the Local Director. I presume your static in the PIX points to the virtual IP address of the LD, correct? I'm no LD expert, but if the LD answers the SYN for the server and completes the TCP connection with the originating host, then this would explain why the embryonic connection on the PIX was not reached.


Let me find out some more information for you in regard to how LD handles TCP SYN packets for virtual addresses.

gfullage Mon, 02/17/2003 - 19:39
User Badges: Cisco Employee

Hmmmm, OK, according to my resident LD wiz, it always sends the TCP SYN packet straight through to the internal server(s), so that shoots my theory down in flames.


Are you sure the "sho syn" command in your web server shows outstanding TCP connections, or does it show the total number of connections? Did you definitely set the embryonic limit and not the max-conns limit? Can you copy your statics in here (xxx out the global IP address)? It still may be something to do with the LD in front of the server, but not sure what.


The embryonic connection limit in the PIX does work, I've used and tested it many times. What version are you running?

HEATH FREEL Tue, 02/18/2003 - 05:31

I am running 6.1.4 but also tried it on 6.2.2; not sure if I attacked properly though.


The sh syn command is in the LD, and it showed about 300 connections and 7000 SYNs. In the PIX, max conn in the static is set to 0, which is unlimited.


static (inside,outside) x.x.x.x y.y.y.y 255.255.255.255 0 50


What tool did you use to test it - perhaps you can point me in the right direction.
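The following is an added illustration, not code from this thread or from Cisco. It models the two limits on a PIX static that gfullage distinguishes above (max-conns versus the embryonic limit) and what "embryonic" means (a SYN seen, handshake not yet completed), using the static syntax Heath posted: static (internal_if,external_if) global_ip local_ip netmask max_conns emb_limit. The addresses, class names, the simulated SYN stream and the simplifying assumption that one counter per static decides the verdict are all constructed for the example; real PIX internals are not reproduced.

```python
# Added example (not from the thread or from Cisco): a simplified model of how
# a PIX counts connections on a static against max_conns and emb_limit.
# Only the command syntax is from the thread:
#   static (inside,outside) global_ip local_ip netmask max_conns emb_limit
# Addresses, names and the packet sequence below are constructed.
import re
from collections import Counter
from dataclasses import dataclass, field

STATIC_RE = re.compile(
    r"static\s+\((?P<internal>\w+),(?P<external>\w+)\)\s+"
    r"(?P<global_ip>\S+)\s+(?P<local_ip>\S+)\s+(?P<netmask>\S+)\s+"
    r"(?P<max_conns>\d+)\s+(?P<emb_limit>\d+)"
)


@dataclass
class StaticPolicy:
    global_ip: str
    local_ip: str
    max_conns: int   # 0 means unlimited, as the thread notes
    emb_limit: int   # 0 means unlimited


def parse_static(line: str) -> StaticPolicy:
    """Parse one 'static' command into its two connection limits."""
    m = STATIC_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"not a static command: {line!r}")
    return StaticPolicy(m["global_ip"], m["local_ip"],
                        int(m["max_conns"]), int(m["emb_limit"]))


@dataclass
class ConnTable:
    """Per-static connection state as the firewall would track it (model)."""
    policy: StaticPolicy
    half_open: set = field(default_factory=set)    # SYN seen, handshake not finished
    established: set = field(default_factory=set)  # 3-way handshake finished

    def total(self) -> int:
        return len(self.half_open) + len(self.established)

    def on_syn(self, flow: tuple) -> str:
        """An outside host sends a SYN to the global address; return the verdict."""
        p = self.policy
        if p.max_conns and self.total() >= p.max_conns:
            return "drop:max-conns"      # counts every connection, not just embryonic ones
        if p.emb_limit and len(self.half_open) >= p.emb_limit:
            return "drop:embryonic"      # the SYN is stopped at the PIX, not forwarded
        self.half_open.add(flow)
        return "allow"

    def on_handshake_complete(self, flow: tuple) -> None:
        """The final ACK of the handshake was seen: the flow is no longer embryonic."""
        if flow in self.half_open:
            self.half_open.discard(flow)
            self.established.add(flow)


def simulate_syns(static_line: str, n: int, complete_handshake: bool) -> dict:
    """Send n SYNs from distinct source ports and count the verdicts.

    complete_handshake=True models the case gfullage first suspected: a device
    in front of the server finishes the handshake, so each connection leaves
    the embryonic state before the next SYN arrives and the limit never bites.
    """
    table = ConnTable(parse_static(static_line))
    verdicts = Counter()
    for port in range(n):
        flow = ("198.51.100.7", 1024 + port)   # constructed outside source
        verdict = table.on_syn(flow)
        verdicts[verdict] += 1
        if verdict == "allow" and complete_handshake:
            table.on_handshake_complete(flow)
    return {k: verdicts[k] for k in ("allow", "drop:embryonic", "drop:max-conns")}


if __name__ == "__main__":
    line = "static (inside,outside) 192.0.2.10 10.0.0.10 255.255.255.255 0 50"
    print("no handshakes complete:", simulate_syns(line, 7000, complete_handshake=False))
    print("all handshakes complete:", simulate_syns(line, 7000, complete_handshake=True))
```

With Heath's limits (max_conns 0, emb_limit 50) and no handshake ever completing, the model lets 50 SYNs through and stops the rest; if every handshake completes, the half-open count never reaches 50 and all 7000 SYNs pass, which is why a count of SYNs alone, as reported downstream, does not show whether the embryonic limit engaged.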
