Cisco ASA 5540 best DOS attack value

I have 2 Cisco ASA 5540s which work in a failover infrastructure. I want to change some DoS attack configuration for TCP SYN attacks, because my ASA firewall crashed when our partner started their penetration test. But I am not sure about these values:

The conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535.

The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535.

The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535.

The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535.

! The following sets connection timeouts
ASA(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] [tcp hh:mm:ss [reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}

What is the best one for the ASA 5540 (Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz)?

Thank you very much.

4 Replies

Marcin Latosiewicz (Cisco Employee)

Emin,

Regardless of scenario, the ASA should not crash in production environments. Please open a TAC case and include "show tech" and "show crash" outputs (or upgrade to a newer release, if you're running something older).

The settings you list should be adapted to your traffic pattern, not to the platform.

If you're looking to stop a SYN flood, embryonic connections (embryonic-conn-max and per-client-embryonic-max) are what you're looking for. You might also look into connection timeouts (in MPF and globally).

M.
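A concrete MPF policy of the kind described in the reply above, added here as an illustration; it is not from the thread, from Cisco documentation, or from the poster's configuration. The ACL, class-map and policy-map names, the server address, the interface name and every numeric threshold are placeholders: the limits and timeouts must come from a measured baseline of the traffic the ASA actually carries (for example the "most used" figure from show conn count over a normal week), not from the platform's maximum.

```cisco
! Added example (placeholder names, address and values); not from the thread.
! Match the servers that must keep answering during a SYN flood.
access-list SYN_PROTECT_ACL extended permit tcp any host 203.0.113.10

class-map SYN_PROTECT_CLASS
 match access-list SYN_PROTECT_ACL

policy-map SYN_PROTECT_POLICY
 class SYN_PROTECT_CLASS
  ! embryonic-conn-max: total half-open connections allowed to the matched
  ! servers. When it is reached the ASA itself answers new SYNs and only
  ! forwards a connection once the client completes the handshake, so the
  ! server stops seeing the flood.
  ! per-client-embryonic-max: the same cap applied per source address.
  ! Both numbers below are placeholders taken from nowhere; derive yours
  ! from your own peak embryonic count with headroom.
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  ! Age out half-open and half-closed connections faster than the
  ! defaults (0:00:30 embryonic, 0:10:00 half-closed) so spoofed SYNs
  ! release their conn-table slots sooner.
  set connection timeout embryonic 0:00:20 half-closed 0:05:00

! Apply on the interface facing the untrusted network (placeholder name).
service-policy SYN_PROTECT_POLICY interface outside

! Verification after the policy is in place:
!   show service-policy interface outside   (per-class counters, incl. embryonic)
!   show conn count                         (overall and peak connection usage)
```

Two caveats worth checking before rolling this into the failover pair (the policy replicates to the standby unit automatically): a per-client limit counts by source IP, so a large user population behind one NAT address shares a single allowance and can be locked out by a limit tuned for individual hosts; and the global per-client-max / conn-max settings, which are not used above, cap legitimate established sessions as well, which is why the reply recommends starting with the embryonic limits and the timeouts.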

Thank you for your answer; I already opened a case before writing to the support forum. OK, I know that, but the hardware capacity affects the processed traffic size. Is it correct? If it is correct, I am trying to learn the maximum value for the 5540 hardware capacity.

For example my conn count is :

ECZ-ASA/act# show conn count

23570 in use, 299784 most used

Emin,

Connection count wise even your peak is 75% of maximum:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

A real stress test would be to have a DDoS attack (although I'd advise against it in production) ;-))

Can you share with me the SR number?

M.

Yes, you are right, a DDoS attack is the best stress test. But first I have to pass the DoS attack. Thank you very much for your answer. I use Riverbed to understand our real traffic. Also I found the crash's reason. It is about a mistake in my NAT configuration, so the ASA CPU worked at 100%. Thank you very much.
