ASA per-client-max settings

hostingtt
Level 1

We are so confused with the settings like per-client-max and conn-max in ASA. Here are our settings below for all TCP incoming to interface outside.

Class-map: TCP_SYN

      Set connection policy: conn-max 60000 embryonic-conn-max 200 per-client-max 200 per-client-embryonic-max 5

        current embryonic conns 5, current conns 10918, drop 47750

We got warning in ASA very often like below.

Per-client connection limit exceeded 200/200 for input packet from a.b.c.d/53065 to A.B.C.D/80 on interface outside

a.b.c.d is my home IP and A.B.C.D is one of server IP behind ASA.

sh conn address a.b.c.d

TCP outside a.b.c.d:52373 inside A.B.C.224:22, idle 0:00:01, bytes 52594, flags UIOB

TCP outside a.b.c.d:52250 inside A.B.C.224:22, idle 0:00:01, bytes 298514, flags UIOB

TCP outside a.b.c.d:50815 inside A.B.C.209:3389, idle 0:00:00, bytes 8138768, flags UIOB

TCP outside a.b.c.d:50816 inside A.B.C.225:22, idle 0:00:10, bytes 133602, flags UIOB

TCP outside a.b.c.d:53043 inside A.B.C.221:80, idle 0:00:01, bytes 5922, flags UIOB

TCP outside a.b.c.d:50072 inside A.B.C.221:80, idle 0:00:48, bytes 0, flags UB

TCP outside a.b.c.d:50073 inside A.B.C.221:80, idle 0:00:48, bytes 792, flags UIOB

TCP outside a.b.c.d:52559 inside A.B.C.221:22, idle 0:00:01, bytes 52692, flags UIOB

TCP outside a.b.c.d:52050 inside A.B.C.221:22, idle 0:00:01, bytes 1149892, flags UIOB

TCP outside a.b.c.d:52586 inside A.B.C.196:4000, idle 0:00:00, bytes 4069294, flags UIOB

There are only 10 connections from a.b.c.d, so why does the ASA say it has reached the limit 200/200? Once I close one browser, I can browse again, which means all the limit settings work. However, we have no idea how the ASA calculates the total connections per client. We also see quite often something like:

Connection limit exceeded 10925/60000 for input packet from 67.105.106.14/1141 to A.B.C.207/139 on interface outside. Why only 10925, but it says the limit 60000 has been reached? We have two ASAs in two colos and this issue is on both sides. Thanks for your help.

David White
Cisco Employee

Hi Michael,

The "per-client-max" setting is for all connections initiated from that client and passing through the ASA.

The "conn-max" was traditionally applied to the 'local-host' IP for the server, but with MPF, it will depend on the rest of your policy. However, something seems amiss if you are hitting the limit with only 10925 out of 60000 conns. What version are you running and on what platform?


David.

ASA Version: 8.6(1)2

ASDM Version: 6.6(1)

Firewall Mode: Transparent

Device Type: ASA 5525

For the warning related to per-client-max, we can see the limit reached like 200/200 even when "sh conn address ip" shows far less than 200. However, for the warning related to conn-max, we always get something like 10595/60000, and only one rule, TCP_SYN, has the limit set to 60000. Please help. Thanks.
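As an added example (not part of this thread and not Cisco tooling), the Python below parses `show conn` lines in the format quoted in the question, counts connections per client the way the reply describes per-client-max (every connection initiated by that address, whatever the destination), reports clients approaching the configured per-client limits, and aggregates the two "limit exceeded" syslog messages by source address so a repeat offender stands out from a one-off global conn-max event. The sample output, the syslog lines, the IP addresses, ports and byte counts are all constructed; the embryonic test assumes the ASA flag legend in which U means the three-way handshake completed, so a connection without U is still embryonic.

```python
import re
from collections import Counter, defaultdict

# One line of `show conn` output, in the format quoted in the question.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src_if>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+),\s+idle\s+(?P<idle>\S+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)

# The two syslog message bodies quoted in the question (search, not match,
# so a leading "%ASA-..." header does not matter).
LIMIT_RE = re.compile(
    r"(?P<kind>Per-client connection|Connection) limit exceeded "
    r"(?P<cur>\d+)/(?P<limit>\d+) for input packet from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\w+)\.?$"
)

# Constructed sample `show conn` output. Flag strings follow the ASA legend:
# U = up (handshake done), B = initial SYN from outside, S/a = still awaiting
# the inside SYN / outside ACK. Lines without U are counted as embryonic.
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:52373 inside 192.0.2.224:22, idle 0:00:01, bytes 52594, flags UIOB
TCP outside 203.0.113.10:50815 inside 192.0.2.209:3389, idle 0:00:00, bytes 8138768, flags UIOB
TCP outside 203.0.113.10:50072 inside 192.0.2.221:80, idle 0:00:48, bytes 0, flags UB
TCP outside 203.0.113.10:50099 inside 192.0.2.221:80, idle 0:00:02, bytes 0, flags SaB
TCP outside 203.0.113.10:50100 inside 192.0.2.221:80, idle 0:00:02, bytes 0, flags aB
TCP outside 203.0.113.77:40001 inside 192.0.2.221:80, idle 0:00:01, bytes 1200, flags UIOB
"""

# Constructed syslog lines in the same wording as the question.
SAMPLE_SYSLOG = [
    "Per-client connection limit exceeded 200/200 for input packet from 203.0.113.10/53065 to 192.0.2.221/80 on interface outside",
    "Per-client connection limit exceeded 200/200 for input packet from 203.0.113.10/53066 to 192.0.2.221/80 on interface outside",
    "Connection limit exceeded 10925/60000 for input packet from 203.0.113.50/1141 to 192.0.2.207/139 on interface outside.",
]


def parse_show_conn(text):
    """Return one dict per parsed `show conn` line; unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        c["bytes"] = int(c["bytes"])
        c["embryonic"] = "U" not in c["flags"]
        conns.append(c)
    return conns


def per_client_counts(conns):
    """Total and embryonic connections per client (source) address, regardless
    of destination host or port, which is the scope per-client-max applies to."""
    counts = defaultdict(lambda: {"total": 0, "embryonic": 0})
    for c in conns:
        counts[c["src"]]["total"] += 1
        if c["embryonic"]:
            counts[c["src"]]["embryonic"] += 1
    return dict(counts)


def clients_near_limit(counts, per_client_max, per_client_embryonic_max, ratio=0.8):
    """Clients that have reached `ratio` of either configured per-client limit."""
    return sorted(
        ip for ip, c in counts.items()
        if c["total"] >= ratio * per_client_max
        or c["embryonic"] >= ratio * per_client_embryonic_max
    )


def parse_limit_events(lines):
    """Parse 'limit exceeded' syslog messages into dicts with integer fields."""
    events = []
    for line in lines:
        m = LIMIT_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("cur", "limit", "sport", "dport"):
            e[key] = int(e[key])
        events.append(e)
    return events


def events_by_source(events):
    """Count messages per (limit kind, source IP) so a client that keeps hitting
    per-client-max is separated from a single global conn-max event."""
    return Counter((e["kind"], e["src"]) for e in events)


if __name__ == "__main__":
    counts = per_client_counts(parse_show_conn(SAMPLE_SHOW_CONN))
    for ip, c in sorted(counts.items()):
        print(f"{ip}: {c['total']} conns, {c['embryonic']} embryonic")
    print("near per-client limit:", clients_near_limit(counts, 200, 2))
    for (kind, src), n in events_by_source(parse_limit_events(SAMPLE_SYSLOG)).items():
        print(f"{kind} limit exceeded {n}x from {src}")
```

Run it against a pasted `show conn` listing and a tail of the syslog to compare what the ASA reports per client with what the connection table actually holds for that address; a large gap between the two is what the thread describes and is worth checking against the device's full policy rather than the one class-map.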
