Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4895
Views
0
Helpful
3
Replies

ASA 5550 NAT - %ASA-3-201011: Connection limit exceeded

drumrb0y
Level 1
Level 1

‎10-02-2012 07:33 AM - edited ‎03-11-2019 05:02 PM 

I've got an ASA 5550 running Software Version: 8.2(2);
 
I replaced two static NAT commands below with new commands to change the
connection limits:

no static (inside,outside) ggg.ggg.ggg.118 ppp.ppp.ppp.118 netmask 255.255.255.255 tcp 500 1000 
static (inside,outside) ggg.ggg.ggg.118 ppp.ppp.ppp.118 netmask 255.255.255.255 tcp 5000 5000 

no static (inside,outside) ggg.ggg.ggg.229 ppp.ppp.ppp.229 netmask 255.255.255.255 tcp 1000 0 
static (inside,outside) ggg.ggg.ggg.229 ppp.ppp.ppp.229 netmask 255.255.255.255 tcp 5000 5000 ~~ However, I am still getting connection limit exceeded messages in the log:

Oct 02 2012 10:01:22: %ASA-3-201011: Connection limit exceeded 500/500 for inbound packet
from 169.139.16.2/59278 to ggg.ggg.ggg.118/443 on interface outside

Help! This is a mission-critical application that is being affected.

Thanks!

Message was edited by: Marc Chin

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎10-02-2012 09:40 AM

Hello Marc,

Did you clear the xlate table?

Please do the following

Clear xlate local ggg.ggg.ggg.229

clear local-host  ggg.ggg.ggg.229

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

drumrb0y
Level 1
Level 1
In response to Julio Carvajal

‎10-02-2012 09:56 AM

Yes, I performed a 'clear xlate' - both local, global, and general, to no effect.

I wound up opening a TAC case for this and the tech indicated that I needed to do a 'clear conn' to reset the xlate to the new limits.

Marc

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to drumrb0y

‎10-02-2012 09:58 AM

Correct, clear conn is need it as well

And what was the result?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card