How to limit concurrent UDP connections PER host...

Unanswered Question
Feb 8th, 2006

Is it possible to do this on a per-host basis? The problem we are having is that the PIX has too many open UDP connections and then can't open new ones, hence affecting other users. Finding the one/ones with thousands of connections and clearing them restores traffic, but we were hoping to be able to limit each host to a set number of concurrent UDP connections (TCP as well).


Thanks!
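The question describes the manual step of finding the host or hosts that hold thousands of connections on the PIX. The script below is an added example, not part of the original thread: it counts connections per inside host from captured "show conn" output and flags the hosts above a threshold, so the offender can be identified (and cleared or rate-limited) without reading the table by hand. The sample lines are constructed, and the line layout ("PROTO out a.b.c.d:port in w.x.y.z:port ...") is an assumption about the PIX output format; the parser only relies on the protocol keyword and the "in <ip>:<port>" field, so it tolerates extra columns such as idle time, byte counts and flags.

```python
import re
from collections import Counter

# Constructed sample of "show conn" output (format assumed; only the protocol
# and the "in <ip>:<port>" field are used by the parser below).
SAMPLE_SHOW_CONN = """\
UDP out 203.0.113.10:53 in 10.1.1.5:1025 idle 0:00:03 flags -
UDP out 203.0.113.10:53 in 10.1.1.5:1026 idle 0:00:02 flags -
UDP out 203.0.113.11:53 in 10.1.1.5:1027 idle 0:00:01 flags -
UDP out 203.0.113.10:53 in 10.1.1.7:2000 idle 0:01:10 flags -
TCP out 203.0.113.20:80 in 10.1.1.7:3001 idle 0:00:05 Bytes 512 flags UIO
TCP out 203.0.113.20:443 in 10.1.1.9:3002 idle 0:00:09 Bytes 2048 flags UIO
this line is not a connection entry and is skipped
"""

# Protocol keyword, then the outside endpoint, then the inside endpoint.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+\S+\s+in\s+(?P<inside>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)


def count_connections(show_conn_text):
    """Return {"TCP": Counter, "UDP": Counter} of connections per inside host."""
    counts = {"TCP": Counter(), "UDP": Counter()}
    for line in show_conn_text.splitlines():
        match = CONN_RE.match(line.strip())
        if not match:
            continue  # headers, blank lines, or lines in another layout
        counts[match.group("proto")][match.group("inside")] += 1
    return counts


def hosts_over_threshold(show_conn_text, proto="UDP", threshold=1000):
    """Inside hosts holding more than `threshold` connections of `proto`,
    most connections first, as (ip, count) tuples."""
    per_host = count_connections(show_conn_text)[proto]
    offenders = [(ip, n) for ip, n in per_host.items() if n > threshold]
    return sorted(offenders, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # With a real capture you would read the file saved from the console.
    for proto in ("UDP", "TCP"):
        for ip, n in hosts_over_threshold(SAMPLE_SHOW_CONN, proto, threshold=2):
            print(f"{proto} {ip} holds {n} connections")
```

A threshold of 1000 is the default here because the post talks about hosts with thousands of connections; set it to whatever fraction of the firewall's connection table one host should reasonably own. Because a PIX tears down idle UDP entries on its own, a host that stays above the threshold across several captures a few minutes apart is a better indicator of a runaway process or a scanning/flooding client than a single snapshot.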

thamdani Wed, 02/08/2006 - 22:45

Hi,

I would suggest checking why you have so many open UDP connections. The default timeout for an idle UDP connection is 2 min, and the PIX will clear a connection if it is idle for more than 2 min.


What software version are you running?


We can limit the max. number of connections for both TCP and UDP; it is configured with NAT.


For example, the following specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections.


nat (inside) 1 10.1.1.0 255.255.255.0 [max_conn] [emb_conn]


static (inside,outside) x.x.x.x x.x.x.x mask x.x.x.x [max_conn] [emb_conn]


Regards,

Tanveer


varakantam Thu, 02/09/2006 - 02:03

You could limit the number of connections on a per-host basis using a service-policy.


a) Create an access-list to identify your traffic

access-list udp permit udp any any

b) Create a class-map and match the access-list in it

class-map UDP-LIMIT
 match access-list udp

c) Use the class-map in a policy-map

policy-map UDP-POLICY
 class UDP-LIMIT
  set connection conn-max <n>

d) Apply the policy-map to an interface using service-policy, or modify the global policy-map

service-policy UDP-POLICY interface <interface-name>

