02-08-2006 04:50 PM - edited 03-09-2019 01:52 PM
Is it possible to do this on a per-host basis? The problem we are having is that the PIX has too many open UDP connections and then can't open new ones, hence affecting other users. Finding the one/ones with thousands of connections and clearing them restores traffic, but we were hoping to be able to limit each host to a set number of concurrent UDP connections (TCP as well).
Thanks!
02-08-2006 10:45 PM
Hi,
I will suggest checking why you have so many open UDP connections. The default timeout value for an idle UDP connection is 2 min, and the PIX will clear them if they are idle for more than 2 min.
What software version are you running?
We can limit the max. no. of connections for both TCP and UDP, and it is configured with NAT.
For example:
This specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections.
nat (inside) 1 10.1.1.0 255.255.255.0 [max_conn] [emb_conn]
static (inside,outside) x.x.x.x x.x.x.x netmask x.x.x.x [max_conn] [emb_conn]
Regards,
Tanveer
02-09-2006 02:03 AM
You could limit the number of connections on a per-host basis using service-policy:
a) Create an access-list to identify your traffic
access-list udp permit udp any any
b) Create a class-map and match the access-list
class-map UDP-LIMIT
 match access-list udp
c) Use the class-map in a policy-map
policy-map <POLICY-NAME>
 class UDP-LIMIT
  set connection limit....
d) Apply the policy-map to an interface using service-policy, or modify the global policy-map
service-policy <POLICY-NAME> interface <INTERFACE>
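The original question mentions finding the host(s) holding thousands of connections before clearing them. The script below is an added example, not from this thread or from Cisco: it parses a constructed sample of PIX "show conn" output, counts UDP connections per inside host and flags the ones over a chosen threshold. It assumes the table lists the outside endpoint before the inside one, as PIX does; interface names vary by software version, so the regex does not depend on them.

```python
import re
from collections import Counter

# Constructed sample of PIX "show conn" output (not from the thread); on a
# busy firewall the real table runs to thousands of lines.
SAMPLE_SHOW_CONN = """\
UDP out 10.1.1.5:53 in 192.168.1.10:1025 idle 0:00:05 flags -
UDP out 10.1.1.5:53 in 192.168.1.10:1026 idle 0:00:04 flags -
UDP out 10.1.1.5:53 in 192.168.1.10:1027 idle 0:00:03 flags -
UDP out 10.1.1.5:53 in 192.168.1.10:1028 idle 0:00:02 flags -
UDP out 10.1.1.5:53 in 192.168.1.20:1025 idle 0:01:10 flags -
TCP out 10.1.1.9:80 in 192.168.1.20:3344 idle 0:00:10 Bytes 512 flags UIO
TCP out 10.1.1.9:80 in 192.168.1.30:3345 idle 0:00:11 Bytes 640 flags UIO
"""

# One connection-table line: protocol, outside addr:port, inside addr:port.
# Assumption: the outside endpoint is listed first, as in PIX "show conn".
# The interface-name tokens ("out"/"in" or nameifs) are matched but ignored.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"\S+\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
)


def count_conns_per_host(show_conn_text, proto="UDP"):
    """Return a Counter of inside-host IP -> number of `proto` connections."""
    counts = Counter()
    for line in show_conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if m and m.group("proto") == proto:
            counts[m.group("in_ip")] += 1
    return counts


def hosts_over_limit(show_conn_text, limit, proto="UDP"):
    """Inside hosts with more than `limit` `proto` connections, highest first."""
    counts = count_conns_per_host(show_conn_text, proto)
    return [(ip, n) for ip, n in counts.most_common() if n > limit]


if __name__ == "__main__":
    for ip, n in hosts_over_limit(SAMPLE_SHOW_CONN, limit=3):
        print(f"{ip}: {n} UDP connections")
```

Feed it the saved output of "show conn" on the firewall to rank hosts by open UDP connections; the threshold is whatever per-host limit you intend to enforce.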