We have seen a dramatic rise in open connections on the ASA in the past couple of days, from about 20,000 to close to 40,000 now. My first question is how to efficiently monitor these connections. We graph the total number via SNMP, but in this case I need to narrow down the problematic host(s). Currently, I am issuing a "sh conn", displaying all connections, and then copying and pasting into a text file which I then load into a spreadsheet to sort. There has got to be a better way.
I am also not quite sure what to do about this situation. Using the method above, I can see that there are 15,000+ connections open to our mail servers (which is abnormal), but there is no abnormal usage or open TCP connections on the mail servers themselves. So what are these connections exactly? What should be done to minimize them?
Here is an example:
TCP out 188.8.131.52:3633 in 184.108.40.206:25 idle 0:08:36 bytes 15615 flags UfIOB
TCP out 220.127.116.11:4852 in 18.104.22.168:25 idle 0:38:58 bytes 15852 flags UfIOB
TCP out 22.214.171.124:5140 in 126.96.36.199:25 idle 0:00:55 bytes 2799 flags UfFRIOB
TCP out 188.8.131.52:60260 in 184.108.40.206:25 idle 0:00:15 bytes 1135 flags UfIOB
TCP out 220.127.116.11:62983 in 18.104.22.168:25 idle 0:00:04 bytes 483 flags UfOB
TCP out 22.214.171.124:63729 in 126.96.36.199:25 idle 0:04:12 bytes 759 flags UfIOB
I should also mention that approximately 11,000 of these 15,000 connections have the UfIOB flags.
These are half-open connections which may be left after the client closes the connection but are still active on the ASA. It may happen because the TCP timeout value is set very high. If you need the TCP connection timeout value to be set high for a certain IP flow, then it is recommended to use a policy map.
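A way to do the sorting the question describes without the spreadsheet step, as an added example that is not part of the original thread: a small Python script that parses saved "show conn" output, counts connections per host and per flag string, and lists the connections with a FIN seen from only one side, which matches what the answer calls half-open. It assumes the line layout shown in the question, that lower-case f and upper-case F are the inside and outside FIN flags of the ASA flag legend, and uses a constructed sample built from the six lines posted above; the 300-second idle threshold is an arbitrary choice, not a value from the thread.

```python
import re
import sys
from collections import Counter

# Constructed sample: the six lines posted in the question, not live ASA output.
SAMPLE_SHOW_CONN = """\
TCP out 188.8.131.52:3633 in 184.108.40.206:25 idle 0:08:36 bytes 15615 flags UfIOB
TCP out 220.127.116.11:4852 in 18.104.22.168:25 idle 0:38:58 bytes 15852 flags UfIOB
TCP out 22.214.171.124:5140 in 126.96.36.199:25 idle 0:00:55 bytes 2799 flags UfFRIOB
TCP out 188.8.131.52:60260 in 184.108.40.206:25 idle 0:00:15 bytes 1135 flags UfIOB
TCP out 220.127.116.11:62983 in 18.104.22.168:25 idle 0:00:04 bytes 483 flags UfOB
TCP out 22.214.171.124:63729 in 126.96.36.199:25 idle 0:04:12 bytes 759 flags UfIOB
"""

# One "show conn" line: proto, address on the "out" interface, address on the
# "in" interface, idle time h:mm:ss, byte count and an optional flag string.
CONN_RE = re.compile(
    r"^(?P<proto>\S+)\s+out\s+(?P<out_ip>[^:\s]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[^:\s]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})\s+bytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?\s*$"
)


def idle_to_seconds(idle):
    """Convert the h:mm:ss idle field to seconds."""
    h, m, s = (int(x) for x in idle.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text):
    """Parse saved 'show conn' output into a list of dicts; non-matching lines
    (the 'N in use, M most used' header, blank lines) are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        conns.append({
            "proto": d["proto"],
            "out_ip": d["out_ip"], "out_port": int(d["out_port"]),
            "in_ip": d["in_ip"], "in_port": int(d["in_port"]),
            "idle": idle_to_seconds(d["idle"]),
            "bytes": int(d["bytes"]),
            "flags": d["flags"] or "",
        })
    return conns


def count_by(conns, key):
    """Counter of connections grouped by one parsed field (e.g. 'in_ip')."""
    return Counter(c[key] for c in conns)


def one_sided_fin(conn):
    """True when exactly one side has sent FIN: assumes the ASA legend where
    'f' is inside FIN and 'F' is outside FIN (assumption, see lead-in)."""
    flags = conn["flags"]
    return ("f" in flags) != ("F" in flags)


def half_open(conns):
    """Connections one side has already closed but the ASA still tracks."""
    return [c for c in conns if one_sided_fin(c)]


def long_idle(conns, threshold):
    """Connections idle for at least `threshold` seconds."""
    return [c for c in conns if c["idle"] >= threshold]


def report(text, idle_threshold=300, top=5):
    """Summary a practitioner would sort the spreadsheet for: busiest hosts on
    each interface, flag distribution, half-open and long-idle counts."""
    conns = parse_show_conn(text)
    return {
        "total": len(conns),
        "top_in_ip": count_by(conns, "in_ip").most_common(top),
        "top_out_ip": count_by(conns, "out_ip").most_common(top),
        "by_flags": count_by(conns, "flags").most_common(top),
        "half_open": len(half_open(conns)),
        "long_idle": len(long_idle(conns, idle_threshold)),
    }


if __name__ == "__main__":
    # Usage: python showconn_report.py [saved_show_conn.txt]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHOW_CONN
    for key, value in report(source).items():
        print(f"{key}: {value}")
```

Run it against the text file you already paste "sh conn" output into; the "top_in_ip" entry gives the per-host breakdown directly, and the half-open count isolates the UfIOB-style entries the answer refers to so you can check whether they track the total connection growth.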