Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1110
Views
0
Helpful
3
Replies

FWSM: differing connection count with congestion

Bernhard Kohl
Level 1
Level 1

‎11-14-2011 01:00 AM - edited ‎03-11-2019 02:50 PM

Hello,

I would like to ask if this is a known issue and if there is a remedy:

When issuing a "sh local-host <ip-address>" I often get an increasing count of connections for this address, whereas a "sh conn local <ip-address>" and a snmp query with .1.3.6.1.2.1.123.1.6.1.9 both show a different (and much lower) count.

Unfortunately, the pretended count of active connections "sh local-host <ip-address>" seems to cause trouble so that new connections are declined and I have to "clear local-host <ip-address>".

So my questions are:

1. Why is there a different count with "sh local-host <ip-address>" and "sh conn local <ip-address>" (or SNMP query)?

2. How may I prevent this connection congestion?

(Yes, we have static connection limits, but this is curing the sympton not the root of wrong accumulated connections.)

Thank you very much in advance for any clue!

Kind regards,

Bernhard

Labels:
0 Helpful
3 Replies 3

mirober2
Cisco Employee
Cisco Employee

‎11-19-2011 06:42 AM

Hi Bernhard,

It's possible that the counters are not synchronized correctly if the network processors (NPs) are receiving too much traffic and are oversubscribed. If you see the thresholds in 'show np block' increasing, this could potentially cause these symptoms. The solution would be to move some of the load off of the FWSM to prevent oversubscription of the NPs.

-Mike

0 Helpful

Bernhard Kohl
Level 1
Level 1
In response to mirober2

‎11-21-2011 06:01 AM

Hi Mike,

Thank you very much for your hint! Unfortunatetly, it's still not possible to query 'np block' per snmp and move load isn't really a solution.

What's strange is that this symptom strengthens when there are static entries to limit connections. So it seems that connection limits increase the problem instead of solving it.

0 Helpful

Bernhard Kohl
Level 1
Level 1
In response to mirober2

‎11-22-2011 12:20 AM

Hi,

I would like to add another question:

From Mike's answer I understand that the counter may differ if there is a heavy load on the NPs.

What would be of interest is why the counter from sh local-conn doesn't come "back to reality" after a while and lowers the connection count according to the "real" connections shown by sh conn-local?

It's keeping summing up and causes trouble. It lowers its count only by a clear local-host command. This seems buggy to me.

Does someone know a procedure to handle this? Manually issuing clear local-host commands isn't really funny.

Thanks in advance!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card