Cisco Support Community
Community Member

ASA per-client-max settings

We are so confused with the settings like per-client-max and conn-max in ASA. Here are our settings below for all TCP incoming to interface outside.

Class-map: TCP_SYN

      Set connection policy: conn-max 60000 embryonic-conn-max 200 per-client-max 200 per-client-embryonic-max 5

        current embryonic conns 5, current conns 10918, drop 47750

We got warning in ASA very often like below.

Per-client connection limit exceeded 200/200 for input packet from a.b.c.d/53065 to A.B.C.D/80 on interface outside

a.b.c.d is my home IP and A.B.C.D is one of server IP behind ASA.

sh conn address a.b.c.d

TCP outside a.b.c.d:52373 inside A.B.C.224:22, idle 0:00:01, bytes 52594, flags UIOB

TCP outside a.b.c.d:52250 inside A.B.C.224:22, idle 0:00:01, bytes 298514, flags UIOB

TCP outside a.b.c.d:50815 inside A.B.C.209:3389, idle 0:00:00, bytes 8138768, flags UIOB

TCP outside a.b.c.d:50816 inside A.B.C.225:22, idle 0:00:10, bytes 133602, flags UIOB

TCP outside a.b.c.d:53043 inside A.B.C.221:80, idle 0:00:01, bytes 5922, flags UIOB

TCP outside a.b.c.d:50072 inside A.B.C.221:80, idle 0:00:48, bytes 0, flags UB

TCP outside a.b.c.d:50073 inside A.B.C.221:80, idle 0:00:48, bytes 792, flags UIOB

TCP outside a.b.c.d:52559 inside A.B.C.221:22, idle 0:00:01, bytes 52692, flags UIOB

TCP outside a.b.c.d:52050 inside A.B.C.221:22, idle 0:00:01, bytes 1149892, flags UIOB

TCP outside a.b.c.d:52586 inside A.B.C.196:4000, idle 0:00:00, bytes 4069294, flags UIOB

Only 10 connections from a.b.c.d, so why does ASA say it has reached the limit 200/200? Once I close one browser, I can browse again, which means all limit settings work. However, I have no idea how ASA calculates the total connections per client. We also see quite often messages like

Connection limit exceeded 10925/60000 for input packet from to A.B.C.207/139 on interface outside. Why only 10925, but it says the limit 60000 has been reached? We have two ASAs in two colos and this issue is on both sides. Thanks for your help.

Cisco Employee

ASA per-client-max settings

Hi Michael,

The "per-client-max" setting is for all connections initiated from that client and passing through the ASA.

The "conn-max" was traditionally applied to the 'local-host' IP for the server, but with MPF, it will depend on the rest of your policy. However, something seems amiss if you are hitting the limit with only 10925 out of 60000 conns. What version are you running and on what platform?
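As an added example (not from the thread or from Cisco), a small Python helper that tallies "show conn" output per source IP across all destination hosts and ports, which is the scope per-client-max is enforced on, and parses the limit-exceeded syslog lines so the counter can be compared with the configured limit. The sample conn and syslog lines are constructed from the formats quoted in the thread, and treating a conn without the 'U' (up) flag as embryonic is an assumption.

```python
import re
from collections import Counter

# Constructed "show conn" lines modelled on the thread's output; the 'flags AB' line is constructed as embryonic.
SHOW_CONN = """\
TCP outside a.b.c.d:52373 inside A.B.C.224:22, idle 0:00:01, bytes 52594, flags UIOB
TCP outside a.b.c.d:50072 inside A.B.C.221:80, idle 0:00:48, bytes 0, flags UB
TCP outside a.b.c.d:53043 inside A.B.C.221:80, idle 0:00:01, bytes 5922, flags UIOB
TCP outside a.b.c.d:53050 inside A.B.C.221:80, idle 0:00:00, bytes 0, flags AB
TCP outside e.f.g.h:40001 inside A.B.C.221:80, idle 0:00:02, bytes 120, flags UIOB
"""
# Constructed syslog lines in the thread's format (the second has the source elided, as in the post).
SYSLOG = [
    "Per-client connection limit exceeded 200/200 for input packet from a.b.c.d/53065 to A.B.C.D/80 on interface outside",
    "Connection limit exceeded 10925/60000 for input packet from to A.B.C.207/139 on interface outside",
]
CONN_RE = re.compile(
    r"^(?P<proto>\S+) (?P<in_if>\S+) (?P<src>\S+):(?P<sport>\d+) (?P<out_if>\S+) "
    r"(?P<dst>\S+):(?P<dport>\d+), idle \S+, bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)
LIMIT_RE = re.compile(
    r"^(?P<kind>Per-client connection|Connection) limit exceeded (?P<current>\d+)/(?P<limit>\d+) "
    r"for input packet from (?:(?P<src>\S+) )?to (?P<dst>\S+) on interface (?P<iface>\S+)$"
)

def per_client_counts(show_conn_text):
    """Tally every conn per source IP across all destinations: the scope per-client-max is enforced on."""
    total, embryonic = Counter(), Counter()
    for line in show_conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            total[m["src"]] += 1
            if "U" not in m["flags"]:  # assumption: no 'U' (up) flag means the handshake is incomplete
                embryonic[m["src"]] += 1
    return total, embryonic

def parse_limit_event(line):
    """Extract kind, counter/limit and endpoints from a limit-exceeded syslog line, or None if it does not match."""
    m = LIMIT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["current"], d["limit"] = int(d["current"]), int(d["limit"])
    return d

def clients_near_limit(show_conn_text, per_client_max, threshold=0.8):
    """Return {client_ip: conn_count} for clients at or above threshold * per-client-max."""
    total, _ = per_client_counts(show_conn_text)
    return {ip: n for ip, n in total.items() if n >= threshold * per_client_max}
```

Running the tally on a full "show conn" (not one filtered by destination) is the check that tells you whether the client really holds more conns than the filtered view suggests.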


Community Member

Re: ASA per-client-max settings

ASA Version: 8.6(1)2

ASDM Version: 6.6(1)

Firewall Mode: Transparent

Device Type: ASA 5525

For the warning related to per-client-max, we can see the limit reached like 200/200 even when "sh conn address ip" shows far fewer than 200. However, for the warning related to conn-max, we always get something like 10595/60000, and only one rule, TCP_SYN, has the limit set to 60000. Please help. Thanks.
