Cisco Support Community


FWSM: differing connection count with congestion


I would like to ask if this is a known issue and if there is a remedy:

When issuing a "sh local-host <ip-address>" I often get an increasing count of connections for this address, whereas a "sh conn local <ip-address>" and an SNMP query with . both show a different (and much lower) count.

Unfortunately, the pretended count of active connections "sh local-host <ip-address>" seems to cause trouble so that new connections are declined and I have to "clear local-host <ip-address>".

So my questions are:

1. Why is there a different count with "sh local-host <ip-address>" and "sh conn local <ip-address>" (or SNMP query)?

2. How may I prevent this connection congestion?

(Yes, we have static connection limits, but this is curing the symptom, not the root of wrongly accumulated connections.)

Thank you very much in advance for any clue!

Kind regards,



FWSM: differing connection count with congestion

Hi Bernhard,

It's possible that the counters are not synchronized correctly if the network processors (NPs) are receiving too much traffic and are oversubscribed. If you see the thresholds in 'show np block' increasing, this could potentially cause these symptoms. The solution would be to move some of the load off of the FWSM to prevent oversubscription of the NPs.



Re: FWSM: differing connection count with congestion

Hi Mike,

Thank you very much for your hint! Unfortunately, it's still not possible to query 'np block' via SNMP, and moving load isn't really a solution.

What's strange is that this symptom strengthens when there are static entries to limit connections. So it seems that connection limits increase the problem instead of solving it.


FWSM: differing connection count with congestion


I would like to add another question:

From Mike's answer I understand that the counter may differ if there is a heavy load on the NPs.

What would be of interest is why the counter from sh local-conn doesn't come "back to reality" after a while and lower the connection count according to the "real" connections shown by sh conn-local?

It keeps summing up and causes trouble. It lowers its count only by a clear local-host command. This seems buggy to me.

Does someone know a procedure to handle this? Manually issuing clear local-host commands isn't really funny.

Thanks in advance!