
throttling a runaway host

We've got a security server running Retina that recently ran away and opened up tens of thousands of connections through our PIX 515E to devices it's supposed to scan. This caused memory on the PIX to run low, caused dropped connections on other sessions running through the PIX, and generally made life unhappy. Quick solution was to unplug the server from the net, run a clear xlate, and put in a new access list with a line "deny ip host <server ip> any" in it to prevent it from reaching out again.

What I'm wondering is:

Is there a way to limit the number of TCP connections that particular host can initiate through the firewall?

Is there a way to clear ONLY the connections that host has opened, rather than the "clear xlate" command which kills ALL the sessions running through the firewall? The SA's and DBA's get annoyed when all their SSH sessions drop.

PIX OS is 6.3.5(125)


Re: throttling a runaway host

On a PIX running 6.3, you can do it using the max_conns / emb_limit options of the static command.

But PIX 6.3 does not verify the TCP checksum of packets transiting the firewall. It holds the half-open TCP connection open until the embryonic timeout (2 minutes).

Because the firewall is holding a connection open, any additional packets with the same protocol, IP addresses, and ports will be treated as part of the existing half-open connection. In this case, a legitimate SYN packet following the malformed SYN will be discarded because it is outside of the window of acceptable sequence numbers established by the malformed packet.

However, if you upgrade to 7.0 or above, you can try something like this to limit TCP connections coming in on any interface of the PIX.

access-list TCP-ACL permit tcp any any
class-map TCPX
  match access-list TCP-ACL
policy-map global_policy
  class TCPX
    set connection conn-max 500
    set connection embryonic-conn-max 200
    set connection timeout embryonic 0:00:10
service-policy global_policy global


You can refer to this doc.

Hope this helps.
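As an added example, not part of the reply above, here is how the two approaches look when scoped to the one runaway host rather than to all TCP traffic. The host address 10.1.1.50, the nat id, the ACL and class names, and the interface names are assumptions; the command forms are as I recall them from the 6.3 and 7.x command references, so confirm each with ? on your own box before pasting.

```text
! PIX 6.3: the host is on the inside and initiates the connections, so
! the limits go on its nat entry (nat takes the same trailing
! max_conns emb_limit arguments as static; 10.1.1.50 and nat id 1 are
! assumptions for this example).
!
! before: the usual catch-all, unlimited (the trailing "0 0" are
! max_conns and emb_limit; 0 means unlimited)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
! after: a host-specific entry that caps the scanner at 500 total TCP
! connections and 100 embryonic (half-open); the catch-all stays for
! everyone else
nat (inside) 1 10.1.1.50 255.255.255.255 500 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
! check the live counts and limits for that one host, then clear only
! its translations instead of the whole table (show local-host and the
! local filter on show conn are from my memory of 6.3; verify)
show local-host 10.1.1.50
show conn local 10.1.1.50
clear xlate local 10.1.1.50

! PIX/ASA 7.x: same idea with MPF, but the class matches only the
! scanner instead of "permit tcp any any", so the cap applies to that
! host and not to the aggregate of every TCP flow through the box.
! The policy is applied on the inside interface, where the host lives.
access-list SCANNER-TCP extended permit tcp host 10.1.1.50 any
class-map SCANNER
  match access-list SCANNER-TCP
policy-map inside_policy
  class SCANNER
    set connection conn-max 500 embryonic-conn-max 100
    set connection timeout embryonic 0:00:10
service-policy inside_policy interface inside
```

Keep the half-open caveat from the reply in mind when picking the embryonic numbers on 6.3: a SYN the PIX accepts occupies a slot until the embryonic timeout expires, so a scanner that sprays SYNs at closed ports will hit emb_limit long before it hits max_conns, and that is the limit you actually want it to hit.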

Re: throttling a runaway host

An upgrade to 7.x or later is not an option at this time. And I don't know if the static command will work - keep in mind that the host here is INSIDE one firewall, reaching out to hosts outside that firewall and inside another. I'm trying to stop it at the inside interface of the first firewall.

Re: throttling a runaway host

You can use the clear xlate local ip_address command.
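Before clearing anything it helps to know which inside host owns the connections, so here is an added triage script (mine, not from the thread) that counts connections and half-open TCP entries per inside host from show conn output and prints the per-host commands from this thread instead of a table-wide clear xlate. The sample output is constructed, and the line layout and flag letters (U = handshake complete; s, a, A = still waiting on part of the handshake) are as I recall them from the 6.x CLI, so treat the regex as an assumption to check against a real show conn; the ACL name inside_in is also assumed.

```python
import re
from collections import defaultdict

# Constructed sample of PIX 6.3 "show conn" output (format assumed from
# memory of the 6.x CLI; check against your own firewall). 10.1.1.50 is
# the scanner, 10.1.1.20 an admin box with a long-lived SSH session.
SAMPLE_SHOW_CONN = """\
TCP out 192.0.2.10:443 in 10.1.1.50:40001 idle 0:00:01 Bytes 0 flags saA
TCP out 192.0.2.11:22 in 10.1.1.50:40002 idle 0:00:01 Bytes 0 flags saA
TCP out 192.0.2.12:80 in 10.1.1.50:40003 idle 0:00:02 Bytes 120 flags UIO
TCP out 192.0.2.13:445 in 10.1.1.50:40004 idle 0:00:01 Bytes 0 flags saA
TCP out 198.51.100.5:22 in 10.1.1.20:51234 idle 0:03:10 Bytes 88211 flags UIO
UDP out 198.51.100.53:53 in 10.1.1.20:5353 idle 0:00:04 flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) .*?flags (?P<flags>\S+)$"
)


def parse_conns(text):
    """Parse show conn lines into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(m.groupdict())
    return conns


def count_per_inside_host(conns):
    """Return {inside_ip: (total_conns, embryonic_tcp)}.

    A TCP entry whose flags lack 'U' has not finished the handshake and is
    counted as embryonic (assumed flag semantics, see lead-in). UDP has no
    handshake, so it only contributes to the total.
    """
    totals = defaultdict(lambda: [0, 0])
    for c in conns:
        host = totals[c["in_ip"]]
        host[0] += 1
        if c["proto"] == "TCP" and "U" not in c["flags"]:
            host[1] += 1
    return {ip: tuple(v) for ip, v in totals.items()}


def find_runaway_hosts(conns, max_total=1000, max_embryonic=100):
    """Inside hosts over either threshold, worst offender first."""
    hits = [
        (ip, total, emb)
        for ip, (total, emb) in count_per_inside_host(conns).items()
        if total > max_total or emb > max_embryonic
    ]
    return sorted(hits, key=lambda h: (h[1], h[2]), reverse=True)


def remediation_commands(ip):
    """The per-host commands from the thread, so admin SSH sessions survive.

    The ACL name is assumed; on a real box the deny line has to go into an
    ACL that still carries the permits the interface already relies on.
    """
    return [
        f"clear xlate local {ip}",
        f"access-list inside_in deny ip host {ip} any",
    ]


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_SHOW_CONN)
    # thresholds lowered so the tiny constructed sample trips them
    for ip, total, emb in find_runaway_hosts(conns, max_total=3, max_embryonic=2):
        print(f"{ip}: {total} conns, {emb} embryonic")
        for cmd in remediation_commands(ip):
            print("  ", cmd)
```

Feed it the real output of show conn (pasted from a terminal log) and raise the thresholds to something sane for your traffic; the point is that the decision and the clear are both keyed on the one inside address, which is exactly what the clear xlate local form gives you that a bare clear xlate does not.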

Re: throttling a runaway host

Thanks - that appears to work - I'm going to test the procedure today.