06-21-2011 02:33 PM
I have a WAVE 474 running v4.2.3. I see 20-30 connections per user, with several to the same host and sequential ports. Ex. x.x.x.y:56678, 56679, 56680 ... to 56685 going to x.x.x.z:3456...3480. Is this correct? I am running out of TFO connections on this box and am not sure what is going on. I have 3 other sites with 474s and the connections/user appear to be much lower.
06-21-2011 02:41 PM
Hi,
This type of behavior is usually indicative of a virus or maybe a security scanner of sorts on your network.
The fact that WAAS is optimizing the flows and taking up TFO resources is unfortunate, but there is not much you can do from a WAAS perspective to stop these PCs from consuming your TFO resources.
An interim workaround would be to use a WCCP redirect list or an inline interception ACL (whichever is applicable to that site) and bypass those IPs completely from WAAS interception.
However, the long-term solution would be resolving the virus/disabling the security scanner.
Regards,
Mike Korenbaum
Cisco Data Center PDI Help Desk - http://www.cisco.com/go/pdihelpdesk
06-21-2011 02:47 PM
I would start by putting in a policy for that host IP and making that traffic pass-through, so that your optimized connection count does not get used by that host.
Then you would need to check on that host IP and try to verify if it's some kind of network attack etc. Surely not normal to see just one host IP using so many TCP connections, and also why just on this one site and not all the other sites.
Regards
-Smita
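To find which client/server pairs to bypass or investigate, the pattern described in this thread (many flows from one client to one host, with sequential ports) can be picked out of a flow listing. This is an added example, not from any poster in the thread: the `client:port server:port` input format, the sample addresses and the thresholds are assumptions, not WAAS CLI output.

```python
import re
from collections import defaultdict

# Assumed input format: "client_ip:src_port server_ip:dst_port", one flow per line.
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)")

# Constructed sample: one client opening 8 flows with sequential ports to one
# server (as in the question), plus one client with ordinary traffic.
SAMPLE = "\n".join(
    [f"192.0.2.20:{56678 + i} 198.51.100.5:{3456 + i}" for i in range(8)]
    + ["192.0.2.21:49152 198.51.100.9:443",
       "192.0.2.21:50211 198.51.100.7:445",
       "192.0.2.21:51830 198.51.100.9:80"]
)

def parse_flows(text):
    """Return (src_ip, src_port, dst_ip, dst_port) tuples; skip unparsable lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((m[1], int(m[2]), m[3], int(m[4])))
    return flows

def longest_run(ports):
    """Length of the longest run of consecutive port numbers."""
    best = run = 0
    prev = None
    for p in sorted(set(ports)):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, run)
        prev = p
    return best

def suspicious_pairs(flows, min_flows=6, min_run=5):
    """Flag client/server pairs with many flows and a long sequential source-port run."""
    by_pair = defaultdict(list)
    for src, sport, dst, dport in flows:
        by_pair[(src, dst)].append((sport, dport))
    report = {}
    for pair, ports in by_pair.items():
        run = longest_run(s for s, _ in ports)
        if len(ports) >= min_flows and run >= min_run:
            report[pair] = {"flows": len(ports), "longest_src_run": run,
                            "dst_ports": len({d for _, d in ports})}
    return report

if __name__ == "__main__":
    for (src, dst), stats in suspicious_pairs(parse_flows(SAMPLE)).items():
        print(src, "->", dst, stats)
```

Sequential source ports alone can be normal ephemeral-port allocation, so the distinct destination-port count per pair is the number to weigh before treating a host as scanning.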