https://community.cisco.com/t5/network-security/set-connection-per-client-max/m-p/1067023#M914666 <HTML><HEAD></HEAD><BODY><P>I think the 75 is the limit for the connections 'initated' by the host and not the ones in which the initial SYN came from the other side (as in other hosts connecting to it). As per the Cisco Docs:</P><P></P><P>"A client is defined as the host that sends the initial packet of a connection (that builds the new connection) through the security appliance"</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1384541" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1384541</A></P><P></P><P>do a "show conn det | inc <CLIENTIP>" and see the FLAGS of the connections. (only valid for TCP). You will find some are initiated from the other side. If these hosts are on the inside, the outside-initated connections will have UIOB flag (B = Initated from Outside)</CLIENTIP></P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P><P></P></BODY></HTML> Tue, 12 Aug 2008 18:19:53 GMT Farrukh Haroon 2008-08-12T18:19:53Z https://community.cisco.com/t5/network-security/set-connection-per-client-max/m-p/1067022#M914664 <P>Hello,</P><P></P><P>I have an issue with some users that open up obsurd numbers of connections through the firewall at times due to filesharing, poorly written web apps, etc. I'd like to limit the number of connections per-host to say.. 100.</P><P>I've implemented the following configuration on a PIX515E running 7.2(4) and supporting about 100 users as a test before I implement it on our ASA5520s with 7.2(4) which support around 3000 users.</P><P> access-list limit-conns extended deny ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 </P><P> access-list limit-conns extended deny ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0 </P><P> access-list limit-conns extended permit ip 10.4.5.0 255.255.255.0 any </P><P> access-list limit-conns extended deny ip any any </P><P></P><P> class-map CONNS</P><P> match access-list limit-conns</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect netbios</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect skinny</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect sunrpc</P><P> inspect tftp</P><P> inspect sip</P><P> inspect xdmcp</P><P> inspect http</P><P> inspect ils</P><P> inspect pptp</P><P> class CONNS</P><P> set connection per-client-max 75</P><P>service-policy global_policy global</P><P></P><P>It seems to be working, because from time-to-time I'll see the following messages in the syslog:</P><P>Aug 12 2008 11:53:22: %PIX-3-201013: Per-client connection limit exceeded 75/75 for input packet from 10.4.5.183/2351 to 67.192.167.5/80 on interface inside</P><P></P><P>I have a perl script that I created that will log into the firewall and parse the connection data so I have an idea of who has how many connections open... With the above config in place and even when I see the syslog message, I check the connection counts and see hosts with 150-ish connections at times. </P><P>From what I have read, the policy should enforce the 75 connection limit shouldn't it? Is there somthing I'm missing? THanks. </P> Mon, 11 Mar 2019 13:30:14 GMT https://community.cisco.com/t5/network-security/set-connection-per-client-max/m-p/1067022#M914664 rtjensen4 2019-03-11T13:30:14Z https://community.cisco.com/t5/network-security/set-connection-per-client-max/m-p/1067023#M914666 <HTML><HEAD></HEAD><BODY><P>I think the 75 is the limit for the connections 'initated' by the host and not the ones in which the initial SYN came from the other side (as in other hosts connecting to it). As per the Cisco Docs:</P><P></P><P>"A client is defined as the host that sends the initial packet of a connection (that builds the new connection) through the security appliance"</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1384541" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1384541</A></P><P></P><P>do a "show conn det | inc <CLIENTIP>" and see the FLAGS of the connections. (only valid for TCP). You will find some are initiated from the other side. If these hosts are on the inside, the outside-initated connections will have UIOB flag (B = Initated from Outside)</CLIENTIP></P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P><P></P></BODY></HTML> Tue, 12 Aug 2008 18:19:53 GMT https://community.cisco.com/t5/network-security/set-connection-per-client-max/m-p/1067023#M914666 Farrukh Haroon 2008-08-12T18:19:53Z https://community.cisco.com/t5/network-security/set-connection-per-client-max/m-p/1067024#M914669 <HTML><HEAD></HEAD><BODY><P>Hello, Thanks for the reply. I have read the documentation and I'm glad I understand it the same way you do. Here's an example of what I'm looking at. THis host has 155 connections open, yet the flags do not indicate that the connection is outside-back</P><P>See the Attachment. Thanks!</P><P></P><P> </P><P></P></BODY></HTML> Tue, 12 Aug 2008 18:33:58 GMT https://community.cisco.com/t5/network-security/set-connection-per-client-max/m-p/1067024#M914669 rtjensen4 2008-08-12T18:33:58Z https://community.cisco.com/t5/network-security/set-connection-per-client-max/m-p/1067025#M914670 <HTML><HEAD></HEAD><BODY><P>See most of these connections have the FIN bit set (fF). They are just waiting to be removed I guess. I don't know what flags they check. Perhaps someone from the ASA dev/TAC team can shed light on this.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 12 Aug 2008 18:59:33 GMT https://community.cisco.com/t5/network-security/set-connection-per-client-max/m-p/1067025#M914670 Farrukh Haroon 2008-08-12T18:59:33Z