Cisco Support Community
New Member

embryonic session-limit drops

A PIX-515 running v7.2(1) is continuously dropping packets because of exceeding the embryonic counter limit which is currently set to 500.

The sessions dropped are connection requests initiated from outside to internal clients which are prohibited by the ruleset (ACL). Why is the PIX dropping connection requests with the "embryonic session limit" feature and not with the ACL deny statement? Unfortunately the PIX is also dropping legitimate TCP connections. What could be the reason for that and is there a way to influence this misbehaviour?

New Member

Re: embryonic session-limit drops

Hi Roland,

According to the following Cisco link, it is a bug.

Hope it helps.


New Member

Re: embryonic session-limit drops

Hi Jaffer,

Meanwhile I opened a TAC case (606358461). After an in-depth analysis, one can say that this is normal behaviour.

TAC response:

When a new packet arrives, the PIX always carries out the checks in the following order (packet-tracer output):


Step 2: UN-NAT <-- hit embryonic


The embryonic counter could increase to the limit because someone (probably) tried a SYN-flood attack or an excessive port scan with target address

By chance, he hit any of the five open ports (permitted via access-list 'outside_access_in') at least 500 times within the default embryonic timeout of 30 seconds.

Once the embryonic counter has been exceeded, new connections to the same IP not matching a permit ACL are denied because of the exceeded embryonic counter.

Connections explicitly allowed by an ACL are still possible!



New Member

Re: embryonic session-limit drops


New Member

Re: embryonic session-limit drops

Hi Roland,

That means, if the PIX device has an access-list permitting an IP and the embryonic counter has reached the maximum, then a packet traversing to the IP will be allowed by the PIX?

If allowed, I wonder what the use of the embryonic counter is?


New Member

Re: embryonic session-limit drops


We also have this problem with PIX 7.2.3 from outside to a DMZ interface with a mail system as destination. I get the syslog: %PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from to on interface outside

So I have the embryonic connection limit only in a static command, not in a policy-map with a set connection statement.

I've tried to remove the static command, clear the xlates and set it again; no change is visible: I still get these syslog messages. Please, can anybody help?
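An added example, not from any poster in this thread: a small Python parser for the %PIX-6-201010 syslog message quoted above that groups the drops per destination host, so an operator can see whether one host's embryonic counter is being filled by a scan or SYN flood (the situation the TAC response describes) and which other clients are merely collateral. The field layout follows the standard PIX/ASA syslog format, and the sample log lines, addresses and the `min_sources` threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the %PIX-6-201010 message quoted in the thread. Field order
# (econns/limit, direction, src/port, dst/port, interface) follows the
# standard PIX/ASA syslog layout; every sample line below is constructed.
LOG_RE = re.compile(
    r"%PIX-6-201010: Embryonic connection limit exceeded "
    r"(?P<econns>\d+)/(?P<limit>\d+) for (?P<dir>inbound|outbound) packet "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)"
)
# Constructed sample log: three sources hitting the mail host 192.0.2.25,
# one unrelated drop on 192.0.2.80 (addresses are documentation ranges).
SAMPLE_LOGS = [
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 203.0.113.10/40001 to 192.0.2.25/25 on interface outside",
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 203.0.113.11/40002 to 192.0.2.25/25 on interface outside",
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 203.0.113.12/40003 to 192.0.2.25/25 on interface outside",
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 203.0.113.12/40004 to 192.0.2.25/110 on interface outside",
    "%PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 198.51.100.7/51000 to 192.0.2.80/443 on interface outside",
]

def parse_201010(line):
    # Return the message fields as a dict, or None for any other syslog line.
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("econns", "limit", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines, min_sources=3):
    """Aggregate 201010 drops per protected host. The limit is per destination,
    so legitimate clients dropped are collateral of whatever filled that host's
    counter; many distinct sources suggests a scan or SYN flood (threshold is
    an illustrative assumption, tune it to the environment)."""
    per_dst = defaultdict(lambda: {"events": 0, "sources": set(), "ports": Counter()})
    for line in lines:
        rec = parse_201010(line)
        if rec is None:
            continue
        agg = per_dst[rec["dst"]]
        agg["events"] += 1
        agg["sources"].add(rec["src"])
        agg["ports"][rec["dport"]] += 1
    return {dst: {"events": a["events"], "distinct_sources": len(a["sources"]),
                  "top_ports": a["ports"].most_common(3),
                  "suspect_flood": len(a["sources"]) >= min_sources}
            for dst, a in per_dst.items()}
```

Run `summarize(SAMPLE_LOGS)` to get one record per destination; feeding it a real syslog export (one line per entry) works the same way.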
