02-08-2012 06:55 AM - edited 03-11-2019 03:26 PM
Hi everybody,
In my Cisco ASA 5510 running release 8.2, I have a strange behavior in the output of the "show service-policy" command. The issue is that I created a class-map to limit traffic on one of the ASA interfaces and applied it in a service policy. This is the configuration:
access-list ACL-Limitada extended permit ip host srv-proxy any
access-list ACL-Limitada extended permit ip any host srv-proxy
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp-data
access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp
class-map Limit-Trafico-DMZ
 description "Limitar el ancho de banda de trafico de internet DMZ"
 match access-list ACL-Limitada-DMZ
policy-map global_policy_DMZ
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
  inspect pptp
  inspect icmp
  inspect dns preset_dns_map
  inspect ip-options
  inspect esmtp
 class Limit-Trafico-DMZ
  set connection per-client-max 100 per-client-embryonic-max 30
  police output 2000000
  police input 2000000
service-policy global_policy_DMZ interface dmz
Everything seems to be working correctly, but the output of "show service-policy" shows me a very big number of current connections as a negative value:
Interface dmz:
  Service-policy: global_policy_DMZ
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: http, packet 2534891, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: pptp, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 0, drop 0, reset-drop 0
      Inspect: dns preset_dns_map, packet 15700, drop 3, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
    Class-map: Limit-Trafico-DMZ
      Set connection policy: per-client-max 100 per-client-embryonic-max 30
        current conns -22077, drop 18270
      Output police Interface dmz:
        cir 2000000 bps, bc 62500 bytes
        conformed 33185594 packets, 2963990821 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 41432 bps, exceed 0 bps
      Input police Interface dmz:
        cir 2000000 bps, bc 62500 bytes
        conformed 42439891 packets, 50791684448 bytes; actions: transmit
        exceeded 1595688 packets, 2261211961 bytes; actions: drop
        conformed 446136 bps, exceed 0 bps
I couldn't find any information about that behavior. Does anybody have experience with an issue like that?
Thanks everybody
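As an added monitoring check, not part of the original post, this script parses "show service-policy" output and flags a class-map whose "current conns" counter has gone negative (the symptom described above) as well as a police direction dropping more than a threshold share of packets; the sample output is constructed from the numbers quoted in the post, and the parsing regexes are assumptions about the 8.2 output format rather than anything documented by Cisco.

```python
import re

# Constructed sample modelled on the output quoted in the post (not a live capture).
SAMPLE = """\
Interface dmz:
  Service-policy: global_policy_DMZ
    Class-map: Limit-Trafico-DMZ
      Set connection policy: per-client-max 100 per-client-embryonic-max 30
        current conns -22077, drop 18270
      Output police Interface dmz:
        conformed 33185594 packets, 2963990821 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
      Input police Interface dmz:
        conformed 42439891 packets, 50791684448 bytes; actions: transmit
        exceeded 1595688 packets, 2261211961 bytes; actions: drop
"""

# Regexes are assumptions about the 8.2 "show service-policy" layout.
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
CONNS_RE = re.compile(r"current conns (-?\d+), drop (\d+)")
POLICE_RE = re.compile(r"^\s*(Input|Output) police")
PKTS_RE = re.compile(r"^\s*(conformed|exceeded) (\d+) packets")

def parse_service_policy(text):
    """Per class-map: current conns, connection-policy drops and police packet counters."""
    stats, cls, direction = {}, None, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cls, direction = m.group(1), None
            stats[cls] = {"conns": None, "drop": 0, "police": {}}
        elif cls and (m := CONNS_RE.search(line)):
            stats[cls]["conns"], stats[cls]["drop"] = int(m.group(1)), int(m.group(2))
        elif cls and (m := POLICE_RE.match(line)):
            direction = m.group(1).lower()
            stats[cls]["police"][direction] = {"conformed": 0, "exceeded": 0}
        elif direction and (m := PKTS_RE.match(line)):
            stats[cls]["police"][direction][m.group(1)] = int(m.group(2))
    return stats

def findings(stats, exceed_threshold=0.01):
    """Flag negative connection counters (the symptom in the post) and heavy policing."""
    out = []
    for cls, s in stats.items():
        if s["conns"] is not None and s["conns"] < 0:
            out.append(f"{cls}: current conns {s['conns']} is negative; the counter is "
                       f"corrupt and the per-client limit may be dropping everything")
        for d, p in s["police"].items():
            total = p["conformed"] + p["exceeded"]
            if total and p["exceeded"] / total > exceed_threshold:
                out.append(f"{cls}: {d} police dropped {p['exceeded'] / total:.1%} of packets")
    return out
```

Run it periodically against the captured command output and alert on any finding; a negative counter is the cue to re-apply the class-map or upgrade, as the thread concludes.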
08-26-2013 09:35 AM
CSCtl23397 ASA may log negative values for Per-client conn limit exceeded messg
Sent from Cisco Technical Support iPad App
08-26-2013 09:51 AM
Hello,
Thank you for pointing out that bug ID, I will make a fast upgrade to the last interim of 8.2.5 (I am currently running official version 8.2.5).
BR,
Bogdan
02-08-2012 07:56 AM
Hi,
Well, you put "per-client-max". That means that each client (local host) will be able to make 100 connections, which means that you will be able to have around 25000 connections (since you have a class "C" network defined in the ACL that matches the class-map).
If you want to just limit it to 100 overall, you can use "conn-max" instead of per-client-max.
Hope this helps.
Mike
08-26-2013 03:56 AM
Hello,
Well, but the real question was about the negative connection number.... What does it mean?
I also had a negative connection number shown in "show service-policy", and it seems that the ASA was dropping all the connections. After removing and re-applying the class-map, the traffic was OK:
    Class-map: HTTP_www.bnr.ro
      Set connection policy: conn-max 3000 embryonic-conn-max 50 per-client-max 20 per-client-embryonic-max 10
        current embryonic conns 0, current conns -72, drop 50770
08-26-2013 07:10 AM
I don't know what it means. In fact, only you seem to be having the same issue.
08-26-2013 07:21 AM
Hello,
Either that (we are the only two people affected by this) or the others ignored this issue.
Thanks,
Bogdan
08-27-2013 02:54 AM
Thanks Shaoqin Li,
after more than one year somebody answered with the exact issue.