12-29-2011 11:40 PM - edited 03-11-2019 03:08 PM
I have 2 Cisco ASA 5540s which work in a failover configuration. I want to change some DoS attack settings for TCP SYN attacks, because my ASA firewall crashed when our partner started their penetration test. But I am not sure about these values:
The conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535.
The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535.
The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535.
The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535.
! The following sets connection timeouts
ASA(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] [tcp hh:mm:ss [reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}
What is the best one for the ASA 5540 (Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz)?
Thank you very much.
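A worked MPF configuration that applies the embryonic-connection limits and timeouts listed above to a single protected server. This is an added example, not from the original post or from Cisco's documentation; the server address 203.0.113.10, the interface name "outside" and every limit value are placeholders that should be sized from your own traffic baseline (for instance the peak shown by `show conn count`), not taken as recommendations for the 5540.

```cisco
! Added example: limit TCP SYN-flood impact on one web server with ASA MPF.
! Placeholders: server 203.0.113.10, interface "outside", all numeric limits.
!
! 1. Select the traffic to protect: inbound TCP to the server's services.
access-list SYN_PROTECT_ACL extended permit tcp any host 203.0.113.10 eq 80
access-list SYN_PROTECT_ACL extended permit tcp any host 203.0.113.10 eq 443
!
class-map SYN_PROTECT_CLASS
 match access-list SYN_PROTECT_ACL
!
! 2. Apply connection limits to that class.
!    conn-max / per-client-max bound fully established connections.
!    embryonic-conn-max / per-client-embryonic-max bound half-open (SYN-only)
!    connections. Once embryonic-conn-max is reached the ASA answers the
!    handshake itself (TCP Intercept) and only passes connections that
!    complete it, so the server does not see the half-open flood.
policy-map SYN_PROTECT_POLICY
 class SYN_PROTECT_CLASS
  set connection conn-max 10000 embryonic-conn-max 1000
  set connection per-client-max 200 per-client-embryonic-max 20
!
! 3. Shorten idle timers so the connection table drains during an attack
!    (ASA defaults: embryonic 0:00:30, half-closed 0:10:00).
  set connection timeout embryonic 0:00:15 half-closed 0:05:00
!
! 4. Attach the policy to the interface facing the untrusted side.
!    A per-interface policy takes precedence over global_policy for
!    traffic matched by this class.
service-policy SYN_PROTECT_POLICY interface outside
```

After applying it, `show service-policy interface outside` lists the set connection limits and current counters for the class, and `show conn count` shows whether the embryonic total stays below the configured ceiling under load.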
12-29-2011 11:56 PM
Emin,
Regardless of scenario, the ASA should not crash in production environments. Please open a TAC case and include "show tech" and "show crash" outputs (or upgrade to a newer release, if you're running something older).
The settings you list should be adapted to your traffic pattern, not to the platform.
If you're looking to stop SYN flood, embryonic connections (embryonic-conn-max and per-client-embryonic-max) are what you're looking for. You might also look into connection timeouts (in MPF and globally).
M.
12-30-2011 12:16 AM
Thank you for your answer. I already opened a case before writing to the support forum. OK, I know that, but the hardware capacity affects the processing traffic size. Is it correct? If it is correct, I try to learn the maximum value for the 5540 hardware capacity.
For example my conn count is :
ECZ-ASA/act# show conn count
23570 in use, 299784 most used
12-30-2011 12:55 AM
Emin,
Connection-count-wise, even your peak is 75% of maximum:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range
A real stress test would be to have a DDoS attack (although I'd advise against it in production) ;-))
Can you share with me the SR number?
M.
12-30-2011 01:14 AM
Yes, you're right, a DDoS attack is the best stress test. But first I have to pass the DoS attack. Thank you very much for your answer. I use Riverbed to understand our real traffic. Also I found the crash's reason. It is about my NAT configuration mistake, so the ASA CPU worked at 100%. Thank you very much.