Cisco Support Community

Phantom Connections on FWSM

We have a transparent firewall context on a FWSM (code revision: 3.1(16)).

Recently the number of tcp connections has been increasing to a point where it hits the limit defined in the static and new connections are denied. However a "show conn | inc x.x.x.148" doesn't show nearly the number of active connections the "show local-host" command might suggest.

A "clear local-host x.x.x.x" fixes the problem temporarily, but the problem resurfaces later (and on different hosts). Is there any way to see any more detail on these 11000+ connections?

xxx# sh local-host x.x.x.148 all

IPv4 local hosts:

local host: <x.x.x.148>, tcp conn(s)/limit = 11806/20000, embryonic(s)/limit = 4470/50 udp conn(s)/limit = 0/0

    Xlate(s):

        Global x.x.x.148 Local x.x.x.148
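The two numbers the question compares (the per-host tcp counter from "show local-host" against what "show conn" actually lists) can be checked mechanically. The following is an added example, not code from the original post or from Cisco: it parses the "show local-host" line format quoted above, flags hosts whose counters look abnormal (the thresholds are assumptions for this example, not FWSM defaults), and computes the gap between the per-host counter and the entries present in a "show conn" excerpt. Both sample inputs are constructed in the format of the quoted output, with addresses masked the same way as in the post.

```python
"""Parse FWSM 'show local-host' output, flag hosts whose per-host connection
counters look abnormal, and compare the counter against the connection table."""
import re
from dataclasses import dataclass

# Matches the per-host summary line printed by 'show local-host'. Written
# against the single line quoted in the post; other releases may print more.
LOCAL_HOST_RE = re.compile(
    r"local host:\s*<(?P<ip>[^>]+)>,\s*"
    r"tcp conn\(s\)/limit\s*=\s*(?P<tcp>\d+)/(?P<tcp_limit>\d+),?\s*"
    r"embryonic\(s\)/limit\s*=\s*(?P<emb>\d+)/(?P<emb_limit>\d+),?\s*"
    r"udp conn\(s\)/limit\s*=\s*(?P<udp>\d+)/(?P<udp_limit>\d+)"
)

# Matches one 'show conn' table entry: proto, interface, addr:port, interface, addr:port.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<a>[\d.x]+):\d+\s+\S+\s+(?P<b>[\d.x]+):\d+"
)


@dataclass
class LocalHost:
    ip: str
    tcp: int
    tcp_limit: int
    embryonic: int
    embryonic_limit: int
    udp: int
    udp_limit: int

    def tcp_utilization(self) -> float:
        # A limit of 0 means no limit is configured; report 0% in that case.
        return self.tcp / self.tcp_limit if self.tcp_limit else 0.0

    def embryonic_share(self) -> float:
        # Fraction of this host's TCP connections that are still half-open.
        return self.embryonic / self.tcp if self.tcp else 0.0


def parse_local_hosts(text: str) -> list[LocalHost]:
    hosts = []
    for line in text.splitlines():
        m = LOCAL_HOST_RE.search(line)
        if m:
            g = m.groupdict()
            hosts.append(LocalHost(g["ip"], int(g["tcp"]), int(g["tcp_limit"]),
                                   int(g["emb"]), int(g["emb_limit"]),
                                   int(g["udp"]), int(g["udp_limit"])))
    return hosts


def flag_hosts(hosts, tcp_warn=0.5, embryonic_warn=0.25) -> dict[str, list[str]]:
    """Return {ip: [reasons]} for hosts worth a closer look.
    tcp_warn / embryonic_warn are example thresholds, not FWSM defaults."""
    flagged = {}
    for h in hosts:
        reasons = []
        if h.tcp_utilization() >= tcp_warn:
            reasons.append(f"tcp conns at {h.tcp_utilization():.0%} of limit")
        if h.embryonic_limit and h.embryonic > h.embryonic_limit:
            reasons.append(f"embryonic count {h.embryonic} exceeds limit {h.embryonic_limit}")
        if h.embryonic_share() >= embryonic_warn:
            reasons.append(f"{h.embryonic_share():.0%} of tcp conns are half-open")
        if reasons:
            flagged[h.ip] = reasons
    return flagged


def count_conn_entries(conn_text: str, ip: str) -> int:
    """Count 'show conn' table entries that have ip as either endpoint."""
    return sum(1 for line in conn_text.splitlines()
               if (m := CONN_RE.match(line.strip())) and ip in (m["a"], m["b"]))


def phantom_count(host: LocalHost, conn_text: str) -> int:
    """Per-host tcp counter minus entries actually listed in the connection
    table; a large positive value is the symptom described in the post."""
    return host.tcp - count_conn_entries(conn_text, host.ip)


# Constructed sample in the format of the line quoted in the post.
SAMPLE_LOCAL_HOST = """\
IPv4 local hosts:
local host: <x.x.x.148>, tcp conn(s)/limit = 11806/20000, embryonic(s)/limit = 4470/50 udp conn(s)/limit = 0/0
    Xlate(s):
        Global x.x.x.148 Local x.x.x.148
local host: <x.x.x.10>, tcp conn(s)/limit = 120/20000, embryonic(s)/limit = 3/50 udp conn(s)/limit = 2/0
"""

# Constructed 'show conn' excerpt: only three entries for .148 despite the 11806 counter.
SAMPLE_CONN = """\
TCP out x.x.x.148:443 in 10.0.0.5:50211 idle 0:00:05 Bytes 1490 flags UIO
TCP out x.x.x.148:443 in 10.0.0.6:50212 idle 0:00:07 Bytes 0 flags saA
TCP out x.x.x.148:80 in 10.0.0.7:50213 idle 0:01:12 Bytes 2201 flags UIO
TCP out x.x.x.10:22 in 10.0.0.8:50214 idle 0:00:01 Bytes 300 flags UIO
"""

if __name__ == "__main__":
    hosts = parse_local_hosts(SAMPLE_LOCAL_HOST)
    for ip, reasons in flag_hosts(hosts).items():
        print(ip, "->", "; ".join(reasons))
    for h in hosts:
        print(h.ip, "phantom tcp conns:", phantom_count(h, SAMPLE_CONN))
```

On the sample input, x.x.x.148 is flagged on all three checks and shows 11803 more connections in the per-host counter than the table lists, which is the discrepancy the question describes; x.x.x.10 passes cleanly. Run the same parser over the real command output before and after a "clear local-host" to see whether the gap reappears gradually or all at once.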

1 REPLY
Cisco Employee

Re: Phantom Connections on FWSM

The fact that you have ~12K conns from one host, of which ~5K are embryonic, could mean that there might be some infection.

You can use "sh conn np 1", "sh conn np 2" and "sh conn np 3" and pipe for that IP to see if that gives you more info.

I hope it helps.

PK
