New Member

Cisco ASA 5540 best DOS attack value

I have 2 Cisco ASA 5540s which work in a failover infrastructure. I want to change some DoS attack configuration for TCP SYN attacks, because my ASA firewall crashed when our partner started their penetration test. But I am not sure about these values:

The conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535.

The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535.

The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535.

The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535.

! The following sets connection timeouts
ASA(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] {tcp hh:mm:ss
[reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}

What are the best values for the ASA 5540 (Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz)?

Thank you very much.

4 REPLIES
Cisco Employee

Cisco ASA 5540 best DOS attack value

Emin,

Regardless of scenario, ASA should not crash in production environments. Please open a TAC case and include "show tech" and "show crash" outputs (or upgrade to a newer release, if you're running something older).

The settings you list should be adapted to your traffic pattern, not to the platform.

If you're looking to stop SYN flood, embryonic connections (embryonic-conn-max and per-client-embryonic-max) are what you're looking for. You might also look into connection timeouts (in MPF and globally).

M.
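
The MPF configuration the reply above refers to, as an added example that is not part of the original thread or of Cisco's documentation. The object names, the 192.0.2.x server addresses and all numeric limits are assumptions for illustration; the limits must be derived from the real traffic baseline (for example the `show conn count` peak) rather than copied:

```cisco
! Added example (not from the original post): SYN-flood limits for a set of
! DMZ web servers via the Modular Policy Framework. Names and numbers are
! hypothetical and must be sized from the observed traffic pattern.
!
! Servers to protect (hypothetical addresses)
object-group network DMZ-WEB-SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
!
! Only inbound TCP to the web ports is matched, so the limits do not
! apply to unrelated traffic through the same interface
access-list DMZ-WEB-TRAFFIC extended permit tcp any object-group DMZ-WEB-SERVERS eq 80
access-list DMZ-WEB-TRAFFIC extended permit tcp any object-group DMZ-WEB-SERVERS eq 443
!
class-map DMZ-WEB-CLASS
 match access-list DMZ-WEB-TRAFFIC
!
policy-map OUTSIDE-POLICY
 class DMZ-WEB-CLASS
  ! Total limits for the class: once embryonic-conn-max is reached the ASA
  ! proxies the TCP handshake (TCP intercept) and only forwards connections
  ! whose three-way handshake completed, which is what defeats a SYN flood
  set connection conn-max 20000 embryonic-conn-max 2000
  ! Per-source limits catch a single host opening many half-open connections
  set connection per-client-max 200 per-client-embryonic-max 20
  ! Drop half-open connections after 30 seconds instead of holding them
  set connection timeout embryonic 0:00:30 half-closed 0:05:00
!
! Apply the policy where the attack traffic enters
service-policy OUTSIDE-POLICY interface outside
!
! Global timeouts (apply to all connections, not just the class above)
timeout conn 1:00:00 half-closed 0:10:00
```

After applying it, `show service-policy interface outside` shows the per-class connection and embryonic counters, `show local-host` shows the per-client counts the per-client limits act on, and `show conn count` gives the totals to compare against the platform maximum. Set per-client-embryonic-max high enough that a legitimate NAT gateway or proxy in front of many users is not blocked: that single source address will show far more half-open connections than an individual client.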

New Member

Re: Cisco ASA 5540 best DOS attack value

Thank you for your answer. I had already opened a case before I wrote to the support forum. OK, I know that, but the hardware capacity affects the traffic size it can process. Is that correct? If it is correct, I am trying to learn the maximum value for the 5540 hardware capacity.

For example my conn count is :

ECZ-ASA/act# show conn count

23570 in use, 299784 most used

Cisco Employee

Re: Cisco ASA 5540 best DOS attack value

Emin,

Connection-count-wise, even your peak is 75% of the maximum:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

A real stress test would be to have a DDoS attack (although I'd advise against it in production) ;-))

Can you share with me the SR number?

M.

New Member

Cisco ASA 5540 best DOS attack value

Yes, you are right, a DDoS attack is the best stress test. But first I have to pass the DoS attack. Thank you very much for your answer. I use Riverbed to understand our real traffic. Also, I found the crash's reason. It was a mistake in my NAT configuration, so the ASA CPU worked at 100%. Thank you very much.
