Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
836
Views
0
Helpful
3
Replies

Embryonic connection limit reached but PIX still passing traffic to Server

HEATH FREEL
Level 1
Level 1

‎02-17-2003 07:13 PM - edited ‎02-20-2020 10:33 PM

I have a PIX running 6.1.4 and set the Embryonic connection limit to 50 on all the statics. We had an incident today that got me wondering if it is actually working.

The web server that sits behind a local director wih a virtual IP was showing over 7000 Syns from the "sh syn" command.

How could this be - the documentations states that the PIX should intercept any syn's over the 50 limit .

Has anyone had any experience with the embronic connection limit and how it should react?

Thanks,

0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎02-17-2003 07:30 PM

An embyonic connection is one that has started but not yet completed, ie. the 3-way handshake has not completed. It is designed to prevent TCP SYN attacks thru to your internal servers.

What might be going on here is an issue with the Local Director. I presume your static in the PIX points to the virtual IP address of the LD, correct? I'm no LD expert, but if the LD answers the SYN for the server and completes the TCP connection with the originating host, then this would explain why the embryonic connection on the PIX was not reached.

Let me find out some more information for you in regard to how LD handles TCP SYN packets for virtual addresses.

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to gfullage

‎02-17-2003 07:39 PM

Hmmmm, OK, according to my resident LD wiz, it always sends the TCP SYN packet straight thru to the internal server(s), so that shoots my theory down in flames.

Are you sure the "sho syn" command in your web server shows outstanding TCP connections, or does it show the total number of connections? Did you definately set the embryonic limit and not the max-conns limit? Can you copy your static's in here (xxx out the global IP address). It still may be something to do with the LD in front of the server, but not sure what.

The embryonic connection limit in the PIX does work, I've used and tested it many times. What version are you running?

0 Helpful

HEATH FREEL
Level 1
Level 1
In response to gfullage

‎02-18-2003 05:31 AM

I am running 6.1.4 but also tried it on 6.2.2 - not sure if I attacked properly though.

The sh syn command is in the LD and it showed about 300 connections and 7000 syns. in the pix max conn in the static is set to 0 - which is unlimited.

static (inside,outside) x.x.x.x y.y.y.y 255.255.255.255 0 50

What tool did you use to test it - perhaps you can point me in the right direction.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card