Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

max_conn & emb_limit

Unanswered Question
Nov 15th, 2006
User Badges:

Hi there,

What is the recommended value for the max_con & emb_limit

for example (web server)

static (inside,outside) netmask 0 0

i set to 80 30, still the webserver cannot be access with tcp syn flood continuously (for testing only)

i'm using pix506e, 6.3(5)


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
a.kiprawih Wed, 11/15/2006 - 20:20
User Badges:
  • Gold, 750 points or more

It really depends on your server's capabilities in handling connection/application request plus cpu/ram power. I would say no exact figure for that.

Maybe you can set a threshold of max conn to 1000 max connection, but set the half-open session @ embryonic level/limit to 200 or less.

This (emb_limit) at least allows you to control syn request to the server (and tcp sync attack), and see if you need to increase, maintain or lower the number.

But if you expect huge traffic or many users to access it, i.e e-commerce server/application, you can probably set the emb_limit higher and set the max conn to bigger no. But start at relatively smaller than 5,000 max connection or less.

Need to consider your internet line/bandwidth, i.e huge data to download vs smaller bandwidth or the other way round, as well as your PIX capacity in handling incoming connection (i.e PIX 506E vs PIX535 in handling expected 100,000 concurrent connection).



tonny_ecmyy Thu, 11/16/2006 - 16:41
User Badges:

Thanks for taking your time replying my message, good info for me, thanks dude..


This Discussion