12-26-2013 12:41 PM - edited 03-11-2019 08:22 PM
Hello-
I have set up a class-map to limit the number of connections for each separate context. I'm seeing an issue after applying it where the threshold is being exceeded: "Drop-reason: (rm-conn-limit) RM connection limit reached"; however, show resource usage shows the current and peak are nowhere near the limit, only showing a couple of connections.
Version 9.1(4)
class default
  limit-resource All 0
  limit-resource Mac-addresses 65535
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
  limit-resource Conns 0
class FW-GEN
  limit-resource Conns 300000
class FW-EC
  limit-resource Conns 300000
class FW-MAIN
  limit-resource Conns 300000
class FW-MARK
  limit-resource Conns 300000
class FW-PCI
  limit-resource Conns 300000
class FW-BUBBLE
  limit-resource Conns 100000
class FW-LAB
  limit-resource VPN Other 10
  limit-resource Conns 300000
Resource             Current   Peak   Limit      Denied   Context
SSH                        1      2   5               0   admin
ASDM                       0      4   5               0   admin
Conns                      3      7   unlimited       0   admin
Hosts                      3      7   unlimited       0   admin
Inspects [rate]            0      7   unlimited       0   admin
Routes                     2      2   unlimited       0   admin
Conns                      0     40   99000           0   BUBBLE
Hosts                      0     32   unlimited       0   BUBBLE
Conns [rate]               0    125   unlimited       0   BUBBLE
Inspects [rate]            0     25   unlimited       0   BUBBLE
Mac-addresses              0      2   65535           0   BUBBLE
SSH                        0      2   5               0   LAB
Syslogs [rate]             0    147   unlimited       0   LAB
Conns                      2    178   299000      22830   LAB
Xlates                     3    423   unlimited       0   LAB
Hosts                      3     72   unlimited       0   LAB
Conns [rate]               0    250   unlimited       0   LAB
Inspects [rate]            0     67   unlimited       0   LAB
Routes                     9     10   unlimited       0   LAB
Other VPN Sessions        43     45   10              2   LAB
Other VPN Burst            0      1   0               0   LAB
packet-tracer input inside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rm-conn-limit) RM connection limit reached
Is there anything else I can check to see why the connection limit is being reached?
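The mismatch described above (a Denied counter climbing while Current and Peak stay far below Limit) is easy to miss when reading the table by eye. The following is an added example, not code from the original post or from Cisco: a small Python parser for the plain-text "show resource usage" table that flags any row with denials, any row where the current count exceeds its limit, and specifically the symptom in this thread, denials recorded although the peak never reached the limit. The sample input is the table quoted in the post, embedded here as test data; the column layout (resource name, then Current, Peak, Limit, Denied, Context) is taken from that output and the parser works from the right because resource names such as "Other VPN Sessions" contain spaces.

```python
"""Parse ASA "show resource usage" output and flag per-context limit anomalies."""
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the "show resource usage" table quoted in the post above, copied
# here as test data (the page's own numbers, not live device output).
SAMPLE = """\
Resource Current Peak Limit Denied Context
SSH 1 2 5 0 admin
ASDM 0 4 5 0 admin
Conns 3 7 unlimited 0 admin
Hosts 3 7 unlimited 0 admin
Inspects [rate] 0 7 unlimited 0 admin
Routes 2 2 unlimited 0 admin
Conns 0 40 99000 0 BUBBLE
Hosts 0 32 unlimited 0 BUBBLE
Conns [rate] 0 125 unlimited 0 BUBBLE
Inspects [rate] 0 25 unlimited 0 BUBBLE
Mac-addresses 0 2 65535 0 BUBBLE
SSH 0 2 5 0 LAB
Syslogs [rate] 0 147 unlimited 0 LAB
Conns 2 178 299000 22830 LAB
Xlates 3 423 unlimited 0 LAB
Hosts 3 72 unlimited 0 LAB
Conns [rate] 0 250 unlimited 0 LAB
Inspects [rate] 0 67 unlimited 0 LAB
Routes 9 10 unlimited 0 LAB
Other VPN Sessions 43 45 10 2 LAB
Other VPN Burst 0 1 0 0 LAB
"""


@dataclass
class ResourceRow:
    resource: str
    current: int
    peak: int
    limit: Optional[int]  # None represents "unlimited"
    denied: int
    context: str


@dataclass
class Finding:
    context: str
    resource: str
    kind: str  # "denied", "over_limit" or "denied_below_limit"
    detail: str


def parse_resource_usage(text: str) -> List[ResourceRow]:
    """Parse the table. Resource names may contain spaces ("Other VPN Sessions",
    "Inspects [rate]"), so the five fixed columns are taken from the right."""
    rows: List[ResourceRow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Resource":
            continue  # header, blank line, or something that is not a data row
        *name, current, peak, limit, denied, context = parts
        rows.append(ResourceRow(
            resource=" ".join(name),
            current=int(current),
            peak=int(peak),
            limit=None if limit == "unlimited" else int(limit),
            denied=int(denied),
            context=context,
        ))
    return rows


def find_anomalies(rows: List[ResourceRow]) -> List[Finding]:
    """Flag denials, over-limit rows, and denials whose peak never hit the limit."""
    findings: List[Finding] = []
    for r in rows:
        if r.denied > 0:
            findings.append(Finding(r.context, r.resource, "denied",
                                    f"{r.denied} requests denied"))
            if r.limit is not None and r.peak < r.limit:
                # The symptom in this thread: the counter says denials happened,
                # but the observed peak never reached the configured limit.
                findings.append(Finding(r.context, r.resource, "denied_below_limit",
                                        f"peak {r.peak} < limit {r.limit}, yet {r.denied} denied"))
        if r.limit is not None and r.current > r.limit:
            findings.append(Finding(r.context, r.resource, "over_limit",
                                    f"current {r.current} exceeds limit {r.limit}"))
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_resource_usage(SAMPLE)):
        print(f"{f.context:8} {f.resource:20} {f.kind:20} {f.detail}")
```

Run against the post's table, it reports the LAB Conns row twice (22830 denied, and denied while peak 178 is far below 299000) and the LAB "Other VPN Sessions" row twice (2 denied, and current 43 above the limit of 10); nothing in admin or BUBBLE is flagged. Feeding it the output of a second context, or a later snapshot of the same one, shows immediately whether the Denied counter is still moving while Peak stays flat.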
12-29-2013 12:36 PM
Hi
Has to be a new/existing bug.
Please send me a message; if you need to solve this right away, go ahead and open a ticket.
Mike
02-04-2016 02:30 AM
I am having the exact same problem with an ASA 5555 running 9.4; any updates on this?
02-22-2016 12:55 AM
- Make sure you have upgraded to the latest ASA, SFR and FMC versions.
- Make sure you have not set unlimited connection timeouts on the inside interface.
- Make sure you have left the inside interface at per-client-max = 0 (default), per-client-embryonic-max = 0 (default) and idle = 0 (default).
That solved the problem for me!
12-29-2013 09:45 PM
The limit on conn resources depends on which hardware model you are using.
This (http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wpxref10155 ) shows the table per hardware model.
I am also interested to know whether this is a bug in the OS.
JD...
12-30-2013 08:22 AM
I have opened up a ticket. I'll keep everyone posted on the findings.
The ASA hardware is a pair of 5585-X SSP-40s and it's not in production. We are only testing this in the lab using multi-context mode with a policy to restrict the number of connections, so that if one context gets overwhelmed, it won't affect the others. I'm looking for a simple class policy to apply to each context.
Thanks,
John
12-30-2013 09:14 AM
Looks like a new one. I found the ticket. Will keep an eye on it.
Mike