02-15-2014 03:21 PM - edited 03-11-2019 08:46 PM
We are so confused with settings like per-client-max and conn-max in the ASA. Here are our settings below for all TCP traffic incoming to the interface outside.
Class-map: TCP_SYN
Set connection policy: conn-max 60000 embryonic-conn-max 200 per-client-max 200 per-client-embryonic-max 5
current embryonic conns 5, current conns 10918, drop 47750
We get warnings in the ASA very often, like the one below.
Per-client connection limit exceeded 200/200 for input packet from a.b.c.d/53065 to A.B.C.D/80 on interface outside
a.b.c.d is my home IP and A.B.C.D is one of the server IPs behind the ASA.
sh conn address a.b.c.d
TCP outside a.b.c.d:52373 inside A.B.C.224:22, idle 0:00:01, bytes 52594, flags UIOB
TCP outside a.b.c.d:52250 inside A.B.C.224:22, idle 0:00:01, bytes 298514, flags UIOB
TCP outside a.b.c.d:50815 inside A.B.C.209:3389, idle 0:00:00, bytes 8138768, flags UIOB
TCP outside a.b.c.d:50816 inside A.B.C.225:22, idle 0:00:10, bytes 133602, flags UIOB
TCP outside a.b.c.d:53043 inside A.B.C.221:80, idle 0:00:01, bytes 5922, flags UIOB
TCP outside a.b.c.d:50072 inside A.B.C.221:80, idle 0:00:48, bytes 0, flags UB
TCP outside a.b.c.d:50073 inside A.B.C.221:80, idle 0:00:48, bytes 792, flags UIOB
TCP outside a.b.c.d:52559 inside A.B.C.221:22, idle 0:00:01, bytes 52692, flags UIOB
TCP outside a.b.c.d:52050 inside A.B.C.221:22, idle 0:00:01, bytes 1149892, flags UIOB
TCP outside a.b.c.d:52586 inside A.B.C.196:4000, idle 0:00:00, bytes 4069294, flags UIOB
Only 10 connections from a.b.c.d, so why does the ASA say it has reached the limit 200/200? Once I close one browser, I can browse again, which means all the limit settings work. However, I have no idea how the ASA calculates the total connections per client. We also see the following quite often:
Connection limit exceeded 10925/60000 for input packet from 67.105.106.14/1141 to A.B.C.207/139 on interface outside. Why only 10925, yet it says the limit of 60000 has been reached? We have two ASAs in two colos and this issue occurs on both sides. Thanks for your help.
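A small parser for the two "limit exceeded" syslog formats and the `sh conn` output quoted in the post above, added here as an example (it is not from the original thread or from Cisco); the sample input is constructed from the post's own placeholder addresses and the function names are this example's own. It lets an operator put the counter the ASA reports next to what is actually visible in the connection table, which is the gap the post is asking about.

```python
import re
from collections import Counter

# Constructed "show conn address" sample in the format quoted in the post (a second client added for contrast).
SHOW_CONN = """\
TCP outside a.b.c.d:52373 inside A.B.C.224:22, idle 0:00:01, bytes 52594, flags UIOB
TCP outside a.b.c.d:50815 inside A.B.C.209:3389, idle 0:00:00, bytes 8138768, flags UIOB
TCP outside a.b.c.d:50072 inside A.B.C.221:80, idle 0:00:48, bytes 0, flags UB
TCP outside e.f.g.h:40001 inside A.B.C.221:80, idle 0:00:02, bytes 120, flags UIOB
"""

# Constructed syslog lines in the two "limit exceeded" formats quoted in the thread.
SYSLOG = """\
Per-client connection limit exceeded 200/200 for input packet from a.b.c.d/53065 to A.B.C.D/80 on interface outside
Connection limit exceeded 10925/60000 for input packet from 67.105.106.14/1141 to A.B.C.207/139 on interface outside
"""

CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<in_if>\S+) (?P<src>\S+):(?P<sport>\d+) (?P<out_if>\S+) "
    r"(?P<dst>\S+):(?P<dport>\d+), idle \S+, bytes (?P<bytes>\d+), flags (?P<flags>\S+)$")
LIMIT_RE = re.compile(
    r"^(?P<kind>Per-client connection|Connection) limit exceeded (?P<cur>\d+)/(?P<max>\d+) "
    r"for input packet from (?P<src>\S+)/\d+ to (?P<dst>\S+)/\d+ on interface (?P<iface>\S+)$")

def _matches(regex, text):
    """Apply a line regex to every line; return the named groups of each line that matches."""
    return [m.groupdict() for m in (regex.match(ln.strip()) for ln in text.splitlines()) if m]

def parse_conns(text):
    """'show conn' lines as dicts with an integer byte count."""
    return [dict(d, bytes=int(d["bytes"])) for d in _matches(CONN_RE, text)]

def parse_limit_events(text):
    """'limit exceeded' syslog lines as dicts with integer current/max counters."""
    return [dict(d, cur=int(d["cur"]), max=int(d["max"])) for d in _matches(LIMIT_RE, text)]

def conns_per_client(conns):
    """Established (flag U) connections per source address, the count an operator sees in 'show conn'."""
    return Counter(c["src"] for c in conns if "U" in c["flags"])

def triage(conns, events):
    """Pair each limit event with the count visible in 'show conn'; a large gap is the symptom in the post."""
    seen = conns_per_client(conns)
    out = []
    for e in events:
        per_client = e["kind"].startswith("Per-client")
        visible = seen.get(e["src"], 0) if per_client else sum(seen.values())
        out.append({"kind": e["kind"], "src": e["src"], "reported": e["cur"], "limit": e["max"],
                    "visible": visible, "gap": e["cur"] - visible})
    return out
```

Feed it the real `sh conn` output and the syslog lines from both units and compare the `gap` values; it also records which table entries lack the U flag, which is what the embryonic counters cover.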
02-19-2014 06:09 AM
Hi Michael,
The "per-client-max" setting is for all connections initiated from that client and passing through the ASA.
The "conn-max" was traditionally applied to the 'local-host' IP for the server, but with MPF it will depend on the rest of your policy. However, something seems amiss if you are hitting the limit with only 10925 out of 60000 conns. What version are you running and on what platform?
David.
02-19-2014 08:23 AM
ASA Version: 8.6(1)2
ASDM Version: 6.6(1)
Firewall Mode: Transparent
Device Type: ASA 5525
For the warning related to per-client-max, we can see the limit reached, like 200/200, even though "sh conn address ip" shows far fewer than 200. However, for the warning related to conn-max, we always get something like 10595/60000, and only one rule, TCP_SYN, has a limit set to 60000. Please help. Thanks.