Okay, I will admit, this is completely NON-business related... Here's the story:
I am using a Cisco router at home to support my DSL connection. I currently have it configured for NAT, CBAC, and VPN connections, which are all working just fine. Recently, good ol' Sierra just came out with the next version of CounterStrike (I've always been a sucker for first person shooters). The initial problem was as follows: when I would pull down a game server list, my DSL connection would drop. I would get the following in my SYSLOG:
This completely hoses all my connections... So, I turned off the alerting (ip inspect alert-off) thinking this would solve the problem... Well, when I grabbed a new server list, the alerts did not appear, but the Ethernet interface still dropped the connection for 30 seconds or so and then came back online...
Be careful about just blindly increasing the one-minute connection rates. Sure, increasing it to 2000 will probably resolve the issue, but it may leave you susceptible to attack if you're allowing connections inbound. By enabling CBAC you turned your router into a stateful firewall, so it is now keeping track of every TCP/UDP connection that goes through it. CBAC has built-in thresholds that say "if I see more than 500 connections per minute go through this router, then I'm going to assume there's an attack going on and I'll stop any other connections from proceeding".
You can see in the "getting aggressive" message that this is exactly what the router is doing: the one-minute connection rate has hit 501, and so the router stops all other connections. When you download a server list it must open up a boatload of connections.
You can increase these limits by using the commands the previous poster suggested, but you need to increase them to a point where your connection stays up when you download a server list, but so that you'll also be protected during a real attack. This can take some time to play around with to get right, but it's worth it in the end.
I would start at 1000 connections for high, and always set your low limit (the value at which the router "calms down" and starts allowing new connections again) to 100 less than the high limit (in this case start with 900). Work your way up gradually if your connection still drops out every now and then.
Awesome - I think y'all have solved it. Believe it or not, I'm going to need to take it above 2000. I've found (thanks to the information you gave) that when the game is listing the servers, it is actually opening a connection to each one. As of right now, when it reaches 2000, my connection drops. So essentially, I'll need to configure the router to support the maximum number of servers that the game sends messages to.
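For reference, here is what the threshold tuning discussed in this thread looks like as a classic IOS CBAC configuration. This is an added example, not a config posted by anyone in the thread; the inspection rule name, ACL name and interface name are assumptions, and the numbers are the starting values suggested above (the original poster found the high limit ultimately had to go above 2000).

```cisco
! Added example (not from the thread): CBAC one-minute thresholds on a
! classic IOS router. Rule name HOME, ACL OUTSIDE_IN and interface
! Dialer0 are assumptions.
!
! Defaults that produce the "getting aggressive" message in this thread:
!   ip inspect one-minute high 500
!   ip inspect one-minute low  400
!
! Raise the one-minute ceiling and keep the low-water mark about 100
! below it, so the router returns to normal once the burst has passed.
ip inspect one-minute high 1000
ip inspect one-minute low 900
!
! The half-open (embryonic) session thresholds are a separate pair of
! knobs with the same 500/400 defaults; a server-list refresh that opens
! many short-lived sessions can trip these as well.
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 900
!
! Leave alerting on: "ip inspect alert-off" hides the syslog symptom
! without changing the behaviour that drops the connection.
no ip inspect alert-off
!
! Inspection rule applied outbound on the outside interface, with the
! inbound ACL that CBAC punches return-traffic holes through.
ip inspect name HOME tcp
ip inspect name HOME udp
!
interface Dialer0
 ip access-group OUTSIDE_IN in
 ip inspect HOME out
!
! Check the effective thresholds and the live session table after a
! server-list refresh:
!   show ip inspect config
!   show ip inspect sessions
```

Raise the high value in steps until a server-list refresh no longer triggers the aggressive mode, and keep it as low as that allows, since the same threshold is what limits a real connection flood from the outside.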