07-05-2007 01:00 PM
A PIX-515 running v7.2(1) is continuously dropping packets because of exceeding the embryonic counter limit which is currently set to 500.
The sessions dropped are connection requests initiated from outside to internal clients, which are prohibited by the ruleset (ACL). Why is the PIX dropping connection requests with the "embryonic session limit" feature and not with the ACL deny statement? Unfortunately the PIX is also dropping legitimate TCP connections. What could be the reason for that, and is there a way to influence this misbehaviour?
07-13-2007 03:35 AM
Hi Roland,
According to the following Cisco link, it is a bug.
http://www.cisco.com/en/US/products/products_security_response09186a008059a411.html
Hope it helps.
--Jaffer
07-13-2007 05:32 AM
Hi Jaffer,
Meanwhile I opened a TAC case (606358461). After an in-depth analysis, one can say that this is normal behaviour.
TAC response:
When a new packet arrives, the PIX always carries out the checks in the following order (packet-tracer output):
Step 1: FLOW-LOOKUP
Step 2: UN-NAT <-- hit embryonic
Step 3: ACCESS-LIST
The embryonic counter could increase to the limit, because someone (probably) tried a syn-flood attack or an excessive port scan with target address 193.135.2.129.
By chance, he hit any of the five open ports (permitted via access-list 'outside_access_in') at least 500 times within the default embryonic timeout of 30 seconds.
Once the embryonic counter has been exceeded, new connections to the same IP that do not match a permit ACL are denied because the embryonic counter was exceeded.
Connections explicitly allowed by an ACL are still possible!
Regards
Roland
07-13-2007 07:29 PM
Hi Roland,
That means, if the PIX device has an access-list permitting IP 192.168.1.1 and the embryonic counter has reached the maximum, then a packet traversing to IP 192.168.1.1 will be allowed by the PIX?
If allowed, I wonder what the use of the embryonic counter is?
--Jaffer
09-12-2007 07:34 AM
Hi,
We also have this problem with PIX 7.2.3, from Outside to a DMZ interface with a mail system as destination. I get the syslog: %PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from xxx.xxx.xxx.xxx/1049 to xxx.xxx.xxx.xxx/25 on interface outside
So I only have the limit of embryonic connections in a static command, not in a policy-map with a set connection statement.
I've tried to remove the static command, clear the xlates and set it again, but no change is visible: I still get these syslog messages. Please, can anybody help?
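As an added example (not from this thread or from Cisco), here is a small Python parser for the %PIX-6-201010 message quoted above. It groups the events by the protected host so a defender can see how many distinct sources and which ports are driving the embryonic counter to its limit, which helps tell a single port scanner from a spread SYN flood. The log lines embedded below are constructed for the example; the regex and field names are my own.

```python
import re
from collections import defaultdict

# Pattern for the PIX 201010 message as quoted in the thread (hypothetical field names).
EMBRYONIC_RE = re.compile(
    r"%PIX-6-201010: Embryonic connection limit exceeded "
    r"(?P<cur>\d+)/(?P<limit>\d+) for (?P<direction>inbound|outbound) packet from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)"
)

def parse_201010(line):
    """Return the message fields as a dict, or None if the line is not a 201010 event."""
    m = EMBRYONIC_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("cur", "limit", "sport", "dport"):
        ev[key] = int(ev[key])
    ev["at_limit"] = ev["cur"] >= ev["limit"]   # the limit has been reached, drops will follow
    return ev

def summarize(lines):
    """Aggregate 201010 events per destination host: event count, distinct sources, ports, limit."""
    per_dst = defaultdict(lambda: {"events": 0, "sources": set(), "ports": set(), "limit": None})
    for line in lines:
        ev = parse_201010(line)
        if ev is None:            # skip unrelated syslog lines
            continue
        entry = per_dst[ev["dst"]]
        entry["events"] += 1
        entry["sources"].add(ev["src"])
        entry["ports"].add(ev["dport"])
        entry["limit"] = ev["limit"]
    return {dst: {"events": e["events"], "distinct_sources": len(e["sources"]),
                  "ports": sorted(e["ports"]), "limit": e["limit"]}
            for dst, e in per_dst.items()}

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    "Sep 12 2007 07:34:01 pix %PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 198.51.100.7/1049 to 203.0.113.10/25 on interface outside",
    "Sep 12 2007 07:34:01 pix %PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 198.51.100.7/1050 to 203.0.113.10/25 on interface outside",
    "Sep 12 2007 07:34:02 pix %PIX-6-201010: Embryonic connection limit exceeded 100/100 for inbound packet from 198.51.100.9/40211 to 203.0.113.10/25 on interface outside",
    "Sep 12 2007 07:34:02 pix %PIX-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.20/4433 (198.51.100.20/4433) to dmz:203.0.113.10/25 (203.0.113.10/25)",
]

if __name__ == "__main__":
    for dst, info in summarize(SAMPLE_LOG).items():
        print(dst, info)
```

A destination with many events from only one or two sources, all on one port, points at a single scanner or flood source; the same counts spread over many sources suggests a distributed or spoofed SYN flood against that host.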