topic Re: Pix 515 -- Number of connections per host? in Network Security

Pix 515 -- Number of connections per host?

gavinfoster — Mon, 11 Mar 2019 20:20:15 GMT

Hello Experts,

On my Pix515E ASDM console I quite often see large surges in the total number of connections. I would like to find a convenient way to see what (or who) is causing this.

The command Show Local gives the answers but it returns details of each connection and I can't see a way to omit the detail. Show Conn Count just gives the total. Ideally I would like to get a summary of the number of connections (TCP/UDP) for each inside host. Is this possible?

On a related matter I have used........

static (inside,outside) 12.34.56.00 2.34.56.00 netmask 255.255.255.0 tcp 400 100 udp 200 

..........to limit the number of connections to a subnet.

This works and I see errors in the syslog when the limit is exceeded but when I change the limits and apply the changes, the syslog errors still show the previous limit being reached. How can I make changes to these connection limits take effect (without reloading the Pix)?

Many thanks

Re: Pix 515 -- Number of connections per host?

Shrikant Sundaresh — Wed, 13 Apr 2011 13:26:39 GMT

Hi Gavin,

Could you tell us which version of PIX you are running? The later versions do have modifications to the show local-host command to filter unnecessary data. If you tell the version you are running, then i can look up what options are available to you.

Secondly, I think you can run the command "clear xlate" to clear existing xlates, instead of rebooting the PIX. However, existing connections will get disconnected for a moment. So I would suggest to do this when minimal traffic is passing through the PIX.

Hope this helps.

-Shrikant

Re: Pix 515 -- Number of connections per host?

gavinfoster — Wed, 13 Apr 2011 13:47:20 GMT

Hi Shrikant,

Thanks for your reply.

The pix version number is 8.0(3) but I have another unit which has 8.0(4) which I will be using in this role soon. ASDM is 6.0(3)

Does "Clear "Xlate" only clear NAT translations or all connections? Most of my traffic is using public IP addresses and not NATted.

Many thanks

Gavin

Re: Pix 515 -- Number of connections per host?

brquinn — Wed, 13 Apr 2011 16:02:47 GMT

Gavin,

An easy way to test would be to creat a connection through your pix and then run the 'clear xlate' command and see if the session drops. The short answer is no, the conns are not torn down. When you run the 'clear xlate' command existing connections stay up.

After making changes to your conn or embryonic conn limits in your static, you need to clear the xlate before the changes will take effect. Note that you can also change these limits in the MPF. This is now the preferred method and it can be configured to be much more granular.

Ex:

access-list tcp_acl permit tcp 10.1.1.0 255.255.255.0 any

access-list tcp_acl permit tcp 10.2.2.0 255.255.255.0 any

class-map tcp_class

match access-list tcp_acl

policy-map global_policy

class tcp_class

set connection per-client-max 100 per-client-embryonic-max 50

Thanks,

Brendan