Cisco Support Community

New Member

Embryonic connection limits per VPN

Can you assign embryonic connection limits to each VPN (site-to-site) or can it only be assigned globally or on a per interface basis?

Also what is the difference between a half opened connection and an embryonic connection?

Thanks!

7 REPLIES
Cisco Employee

Re: Embryonic connection limits per VPN

I assume we're talking about ASA?

Embryonic and half-open connections are the same thing, or at least in the context of what the ASA is doing (a connection that has still not received a SYN-ACK).

You can set the number of those via MPF, with whatever a class can match; in particular, if you want to set an embryonic limit on a particular crypto map entry, you can use the same access-list to match traffic.

New Member

Re: Embryonic connection limits per VPN

Thanks, and do I just apply the policy to the outside interface (and yes, this is an ASA)... or is there a way to apply it to the crypto map?

Cisco Employee

Re: Embryonic connection limits per VPN

There is no way to apply it to crypto map.

I believe the proper place to apply it is the "global" policy rather than per interface.

Here's a decent configuration example:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html#wp1088544

Marcin

New Member

Re: Embryonic connection limits per VPN

Thanks. If you do apply it to an interface, will this disable the global policy, or just work alongside it (with the interface policy being looked at first)?

Cisco Employee

Re: Embryonic connection limits per VPN

They will work alongside each other.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/mpf.html

Service Policy Guidelines

Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.

You can only apply one global policy. For example, you cannot create a global policy that includes feature set 1, and a separate global policy that includes feature set 2. All features must be included in a single policy.
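The two replies above describe the approach (a class that reuses the crypto map's access-list, with the embryonic limit set in the global policy) and how a global policy and an interface policy coexist. The configuration below is an added example written for this thread, not taken from the thread or from the linked Cisco documentation; the ACL name VPN-TO-BRANCH, the crypto map name OUTSIDE_MAP, the class, policy and tcp-map names, the peer address and the subnets are all placeholders, and the ISAKMP/keying configuration for the tunnel is omitted. The limit values are illustrative and should be sized from the site's normal TCP connection rate.

```cisco
! Constructed example: the crypto ACL already used by the site-to-site crypto map entry.
! Subnets and peer address are placeholders.
access-list VPN-TO-BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! MPF class that matches exactly the traffic selected by the crypto map entry,
! so the limits below only affect flows to and from that remote site.
class-map VPN-BRANCH-TRAFFIC
 match access-list VPN-TO-BRANCH
!
! Embryonic (half-open) limits go into the single global policy. The per-client
! limit keeps one host behind the peer from using up the whole class budget, and
! the short embryonic timeout frees half-open entries that never complete.
policy-map global_policy
 class VPN-BRANCH-TRAFFIC
  set connection embryonic-conn-max 100 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:30
!
service-policy global_policy global
!
! An interface policy carrying a different feature (TCP normalization) for the
! same traffic. The embryonic limits from the global policy still apply on the
! outside interface because the interface policy does not configure that feature.
tcp-map NORMALIZER
 check-retransmission
!
policy-map OUTSIDE-POLICY
 class VPN-BRANCH-TRAFFIC
  set connection advanced-options NORMALIZER
!
service-policy OUTSIDE-POLICY interface outside
!
! Verification: per-class connection-limit counters, and the connection table
! where half-open TCP flows show the "awaiting SYN/ACK" flags.
show service-policy global set connection
show conn detail
```

Because the class matches both directions of the crypto ACL, the limit covers TCP connections initiated from either end of the tunnel; if only inbound connections from the remote site should be capped, use a separate ACL that permits just the remote subnet as source. The first show command is the quickest way to confirm that the class is actually being hit once the tunnel is up.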

New Member

Re: Embryonic connection limits per VPN

Also.. am I correct in assuming that VPN peers (site-2-site) are still subject to the default global policy?

Cisco Employee

Re: Embryonic connection limits per VPN

Yes, as far as I'm aware MPF is agnostic as to whether traffic belongs to a VPN, the only exception being QoS configuration, where you have the "match tunnel-group" command.
