Cisco Support Community
api
New Member

How to configure nconns econns with static command on IOS 5.1(2)

Depending on the %PIX-3-201002 message I've tried to configure nconns using the following syntax:

static aaa.bbb.ccc.xxx aaa.bbb.ccc.xxx netmask 255.255.255.255 nconns econns

Unfortunately w/o any success. Maybe somebody knows how to do that.

  • Other Security Subjects
4 REPLIES
Cisco Employee

Re: How to configure nconns econns with static command on IOS 5.

What exactly is the problem here? Can you even enter the command and it then doesn't work the way you think it should, or are you getting some sort of syntax error when you type the command in?

The format is:

static (inside,outside) a.b.c.d a.b.c.d netmask 255.255.255.255 x y

where x is the maximum number of connections allowed through to the internal host, and y is the maximum number of half-open (incomplete TCP 3-way handshake) connections allowed through.

Of course your interfaces don't have to be "inside" and "outside" specifically, they can be whatever interfaces you have in the PIX.

api
New Member

Re: How to configure nconns econns with static command on IOS 5.

There is an MS-Exchange server sending a growing bunch of mails, sometimes about 3000 a day. The server has more and more problems delivering the mail in time. The SMTP log says "Unknown Host" at the same time the PIX syslog says "PIX-3-201002....".

I do not get a syntax error. But if I type "show xlate", nconns and econns are not shown. When I type in "show xlate count" nothing happens, no result, just pix>.

Thank you for supporting me.

Cisco Employee

Re: How to configure nconns econns with static command on IOS 5.

If you're getting the 201002 syslog message, then that means you've specified an econns/nconns limit on the static for that Exchange server. If you're overrunning that limit, then why not just set them to "0"? Then there's no limit on the number of connections that server can use up.

A "sho xlate" will not show you the values for nconns and econns, you have to do a "sho static" for that, but that's really just showing you the statics you have defined in your configuration.

Try a "sho conn count" when the problem happens.

api
New Member

Re: How to configure nconns econns with static command on IOS 5.

Thanks a lot. That's what I've done during the morning. I have also tested the new config by sending an email to about 300 recipients without any problem. Do you think no limit for econns is dangerous in case of SYN attacks? Some commands like sho perfmon will not work with 5.1(2), is that right?

Kind regards,

Axel
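
An added example, not part of any post in this thread: a small Python audit that reads `static` lines in the format given above and reports each host's connection limit (x) and half-open limit (y), flagging entries where either is 0 (no limit). The sample configuration, its addresses and the function names are constructed for illustration, and treating omitted limits as 0 is an assumption.

```python
import re

# Matches the form given in the thread:
#   static (inside,outside) a.b.c.d a.b.c.d netmask 255.255.255.255 x y
STATIC_RE = re.compile(
    r"^static\s+\((?P<src_if>[^,\s]+),(?P<dst_if>[^)\s]+)\)\s+"
    r"(?P<global_ip>\S+)\s+(?P<local_ip>\S+)"
    r"(?:\s+netmask\s+(?P<netmask>\S+))?"
    r"(?:\s+(?P<nconns>\d+))?(?:\s+(?P<econns>\d+))?\s*$"
)

def parse_static(line):
    """Return the fields of one static line, or None if it is not one."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Assumption: limits left off the line are treated as 0 (no limit).
    entry["nconns"] = int(entry["nconns"] or 0)
    entry["econns"] = int(entry["econns"] or 0)
    return entry

def audit(config_text):
    """List (global_ip, nconns, econns, notes) for every static in the config."""
    findings = []
    for line in config_text.splitlines():
        entry = parse_static(line)
        if entry is None:
            continue  # not a static line in the expected form
        notes = []
        if entry["nconns"] == 0:
            notes.append("no connection limit")
        if entry["econns"] == 0:
            notes.append("no half-open limit")
        findings.append((entry["global_ip"], entry["nconns"], entry["econns"], notes))
    return findings

# Constructed sample configuration (documentation addresses, not from the thread).
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.11 10.0.0.11 netmask 255.255.255.255 500 100
static (dmz,outside) 192.0.2.12 172.16.0.12 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for ip, n, e, notes in audit(SAMPLE_CONFIG):
        print(f"{ip}: nconns={n} econns={e} {'; '.join(notes) or 'limits set'}")
```
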
