New Member

Exceeded TCP/IP sessions

Hello,

I have a 7140 which has a firewall subset

The problem is that I'm getting extremely slow response on the network when the TCP/IP sessions on the firewall are exceeded.

I'm looking for some information on the symptoms of exceeded TCP/IP sessions.

Does anyone have any good documents?

thanks

2 REPLIES
Cisco Employee

Re: Exceeded TCP/IP sessions

This is quite a common occurrence on a busy router, since you can easily overrun the default threshold values so that the router thinks there's an attack going on and starts blocking new connections. You always need to monitor CBAC and set your values to a point where "normal" traffic doesn't exceed them, but in the event of an attack you'll be somewhat protected.

First off, if you're not filtering out Java applets, turn off the HTTP inspection; it only causes slow response and has no effect if you're not filtering Java. The standard TCP inspection will take care of all the HTTP traffic and allow it back in.

Then you can use the following hidden command:

> sho ip inspect stat

to see what your current threshold values are set at and what level you're currently hitting. The default threshold amounts are detailed here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdcbac.htm#1001343

The max-incomplete high and low and the one-minute high and low are what you'll want to increase if you're overrunning them with your standard traffic. There's no problem with increasing these, just don't make them enormous because then even in the event of an attack you'll never hit them. You'll need to play around with them for a while and get them to a point where you're not hitting the thresholds with normal traffic, but where an increase in this traffic (suggesting a possible attack) would hit the limits.

The easiest way to see if your router has hit the limit is to turn on syslogging on it; when a threshold is reached you'll get a console message saying the router "is getting aggressive", meaning your high threshold value has been reached and the router is stopping new connections from coming through, deleting old ones, and generally slowing everything down. When you see a message "calming down", it means your low threshold value has been reached and the router is putting everything back to normal. Under normal circumstances you don't want to see the "getting aggressive" message because it'll cause problems to your traffic.
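
The high/low hysteresis described in the reply above, as an added example that is not part of the original post or of Cisco's own tooling: it walks a series of half-open (incomplete) session counts and reports when CBAC would go "aggressive" (count exceeds the high threshold) and when it would "calm down" (count drops below the low threshold), so you can check candidate thresholds against traffic you have observed before applying them. The default values 500/400 are the documented IOS CBAC defaults for max-incomplete and one-minute high/low; the sample counts and syslog lines are constructed, and the syslog field layout follows the %FW-4-ALERT_ON/ALERT_OFF messages as documented but may differ slightly by IOS release. The suggest_thresholds() heuristic is an assumption for illustration, not Cisco guidance.

```python
"""Model CBAC high/low threshold hysteresis and check candidate values.

Added example, not code from the original post. DEFAULT_HIGH/LOW are the
documented IOS CBAC defaults; sample counts and syslog lines are constructed.
"""
import re

DEFAULT_HIGH = 500   # ip inspect max-incomplete high / one-minute high default
DEFAULT_LOW = 400    # ip inspect max-incomplete low / one-minute low default


def aggressive_periods(samples, high=DEFAULT_HIGH, low=DEFAULT_LOW):
    """Apply CBAC hysteresis to per-interval half-open session counts.

    Enter "aggressive" mode when a count exceeds HIGH; leave it only when a
    later count falls below LOW. Returns [(start_idx, end_idx), ...] where
    end_idx is None if the router is still aggressive at the end of the data.
    """
    periods = []
    aggressive = False
    start = None
    for i, count in enumerate(samples):
        if not aggressive and count > high:
            aggressive, start = True, i
        elif aggressive and count < low:
            aggressive = False
            periods.append((start, i))
    if aggressive:
        periods.append((start, None))
    return periods


def thresholds_ok(samples, high, low):
    """True when the given (normal) traffic never trips the high threshold."""
    return not aggressive_periods(samples, high, low)


def suggest_thresholds(samples, headroom_pct=150, low_pct=80):
    """Hypothetical tuning heuristic (an assumption, not Cisco guidance):
    high = peak normal count + 50% headroom, low = 80% of high.
    Integer arithmetic keeps the result deterministic."""
    high = max(samples) * headroom_pct // 100
    low = high * low_pct // 100
    return high, low


# Constructed syslog lines in the %FW-4-ALERT_ON / ALERT_OFF layout.
SAMPLE_SYSLOG = """\
Mar  1 10:02:11 rtr 45: %FW-4-ALERT_ON: getting aggressive, count (511/500) current 1-min rate: 530
Mar  1 10:02:48 rtr 46: %FW-4-ALERT_OFF: calming down, count (390/400) current 1-min rate: 120
Mar  1 10:15:03 rtr 47: %FW-4-ALERT_ON: getting aggressive, count (502/500) current 1-min rate: 505
"""

ALERT_RE = re.compile(
    r"%FW-4-ALERT_(ON|OFF): .*?count \((\d+)/(\d+)\) current 1-min rate: (\d+)"
)


def parse_alerts(text):
    """Return (state, count, threshold, one_min_rate) per CBAC alert line."""
    out = []
    for m in ALERT_RE.finditer(text):
        state, count, thresh, rate = m.groups()
        out.append(("aggressive" if state == "ON" else "calm",
                    int(count), int(thresh), int(rate)))
    return out


if __name__ == "__main__":
    # Constructed "normal day" half-open counts sampled once per interval.
    normal = [120, 340, 460, 520, 610, 450, 380, 200]
    print("defaults trip at:", aggressive_periods(normal))          # [(3, 6)]
    high, low = suggest_thresholds(normal)
    print("suggested high/low:", high, low, thresholds_ok(normal, high, low))
    # A constructed SYN flood must still cross the tuned thresholds.
    flood = [200, 900, 3000, 2500, 600, 300]
    print("flood with tuned values:", aggressive_periods(flood, high, low))
    for entry in parse_alerts(SAMPLE_SYSLOG):
        print(entry)
```

Feed the counts you read from show ip inspect statistics (or from your syslog) into aggressive_periods(); if defaults trip on normal load but a flood still does with the suggested values, apply them in global configuration with ip inspect max-incomplete high/low and ip inspect one-minute high/low, then watch syslog for any remaining ALERT_ON messages.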

New Member

Re: Exceeded TCP/IP sessions

Hello,

Thanks for the info.

regards
