Cisco Support Community
Community Member

manage TCP connections


I'm for a solution to the following problem:

Soon i'll have about 15k devices that connect to my company each using a TCP connection to verify that the devices and connections are still functioning properly. Each device will connect every few minutes. To reduce the load on the server I'd like to limit the amount of TCP connections per device per minute.

Is this possible with a router?

Which series of routers will I be looking at? (since i'm pretty sure this isn't possible/viable on a small buisiness router)

Is it better to keep the TCP connection alive or to terminate it after it's done (short and low bandwidth connections)?

Everyone's tags (3)

manage TCP connections

It was a rather old function called TCP Intercept. You may use it.

Then it was converted into CBAC (Content-based Access Control). It is also applicable.

Now it is ZBF (Zone-based Firewalling). It is most modern and you also may use it.

You need ISR or ISR G2 with Advanced Security IOS (or Security license) and appropriate perfomance.

Killing or retaining TCP session is based on your application, I think.

Community Member

manage TCP connections

I checked out ZBF and it looks like it's only capable of terminating  half open connections, but not preventing new connections from the same  IP without affecting connections from other IPs.


manage TCP connections

You should use config like this

parameter-map type inspect TCP_PARAMS

     one-minute high 100

     one-minute low 10

class-map type inspect TCP

     match ...

policy-map type inspetc TCP_POLICY

     class type inspect TCP

          inspect tcp TCP_PARAMS

and apply it to zone-pair. It will not work per host, but you may restrict an overall number of connections per minute for a group of hosts (configuring match statement in class-map).

Community Member

manage TCP connections

I'll give you some background.

I'm working for an independant alarm central/control room.

Soon providers will stop with analog connections so we'll have to switch all devices to IP.

We want to use this transition to improve our service (end-to-end test happens now standard once every day) to end-to-end tests every 5 min. But alarm devices are known to have a technical hick-up once in a while which makes them to try to connect more then they should. Which may put the server under (too much) stress.

It's not possible to limit the total amount of tcp connections since if a few are acting up, the amount of tcp connections will be saturated and a real alarm might be dropped.

At this moment I gave up on the idea of being able to do that on the router (which would have saved costs), but now I'm looking if it's possible with Snort

CreatePlease to create content