ASA per-client-max settings

hostingtt — Tue, 12 Mar 2019 03:46:06 GMT

We are so confused with the settings like per-client-max and conn-max in ASA. Here's our settings below for all tcp incoming to interface outside.

Class-map: TCP_SYN

Set connection policy: conn-max 60000 embryonic-conn-max 200 per-client-max 200 per-client-embryonic-max 5

current embryonic conns 5, current conns 10918, drop 47750

We got warning in ASA very often like below.

Per-client connection limit exceeded 200/200 for input packet from a.b.c.d/53065 to A.B.C.D/80 on interface outside

a.b.c.d is my home IP and A.B.C.D is one of server IP behind ASA.

sh conn address a.b.c.d

TCP outside a.b.c.d:52373 inside A.B.C.224:22, idle 0:00:01, bytes 52594, flags UIOB

TCP outside a.b.c.d:52250 inside A.B.C.224:22, idle 0:00:01, bytes 298514, flags UIOB

TCP outside a.b.c.d:50815 inside A.B.C.209:3389, idle 0:00:00, bytes 8138768, flags UIOB

TCP outside a.b.c.d:50816 inside A.B.C.225:22, idle 0:00:10, bytes 133602, flags UIOB

TCP outside a.b.c.d:53043 inside A.B.C.221:80, idle 0:00:01, bytes 5922, flags UIOB

TCP outside a.b.c.d:50072 inside A.B.C.221:80, idle 0:00:48, bytes 0, flags UB

TCP outside a.b.c.d:50073 inside A.B.C.221:80, idle 0:00:48, bytes 792, flags UIOB

TCP outside a.b.c.d:52559 inside A.B.C.221:22, idle 0:00:01, bytes 52692, flags UIOB

TCP outside a.b.c.d:52050 inside A.B.C.221:22, idle 0:00:01, bytes 1149892, flags UIOB

TCP outside a.b.c.d:52586 inside A.B.C.196:4000, idle 0:00:00, bytes 4069294, flags UIOB

Only 10 connections from a.b.c.d, why ASA says, it comes to limit 200/200. Once I close one browser, then I can browse again which means all limit settings work. However, no idea how ASA calculate the total connections for per-client ? We also see quite often like

Connection limit exceeded 10925/60000 for input packet from 67.105.106.14/1141 to A.B.C.207/139 on interface outside. Why only 10925, but it says limit 60000 ha been reached. We have two ASAs in two colo and this issue on both side. Thanks for your help.

ASA per-client-max settings

David White — Wed, 19 Feb 2014 14:09:50 GMT

Hi Michael,

The "per-client-max" setting is for all connections initiated from that client and passing through the ASA.

The "conn-max" was traditionally applied to the 'local-host' IP for the server, but with MPF, it will depend on the rest of your policy. However, something seems a miss if you are hitting the limit with only 10925 out of 60000 conns. What version are you running and on what platform?

David.

Re: ASA per-client-max settings

hostingtt — Wed, 19 Feb 2014 16:23:24 GMT

ASA Version: 8.6(1)2

ASDM Version: 6.6(1)

Firewall Mode: Transparent

Device Type: ASA 5525

For the warning related to per-client-max, we can see limit reached like 200/200 even "sh conn address ip" far less than 200. However, for warning related to conn-max, always got something like 10595/60000 and only one rule TCP_SYN has limit set as 60000. Please help. Thanks.

topic ASA per-client-max settings in Network Security

ASA per-client-max settings

ASA per-client-max settings

Re: ASA per-client-max settings