02-03-2023 03:21 PM - edited 02-03-2023 03:22 PM
(I searched this at Cisco & Google without satisfaction)
Hello. I am troubleshooting a symptom of SFTP communication from an internal server not reaching a www address.
I see in the 4431 router logs...
*Feb 3 21:12:12.019: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb 3 21:12:12.019: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb 3 21:12:12.020: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb 3 21:12:12.021: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb 3 21:12:12.022: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb 3 21:12:27.022: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb 3 21:12:27.022: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb 3 21:12:27.024: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb 3 21:12:27.025: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb 3 21:12:27.027: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
1. What typically causes this situation?
2. Might this be related to the root cause of my troubleshooting symptom?
Thank you.
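To make the quoted messages easier to reason about, here is an added example (not from the original post or from Cisco) that parses IOS syslog lines in the format shown above, extracts facility, severity, mnemonic and the platform limit, and counts how many SERVER_CONN_RATE_EXCEED warnings land in each wall-clock minute. The sample log is constructed to mirror the format of the lines quoted in the question.

```python
import re
from collections import Counter
from datetime import datetime

# IOS syslog layout of the lines quoted in the question:
#   *Feb  3 21:12:12.019: %HTTP-4-SERVER_CONN_RATE_EXCEED: <text>
# A leading '*' marks a clock that is not authoritative (no NTP sync),
# which matters when correlating these timestamps with ASA logs.
SYSLOG_RE = re.compile(
    r"^(?P<unsync>\*?)(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.\d{3})?:\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
LIMIT_RE = re.compile(r"limit\s*\((\d+)\)")

# Constructed sample modelled on the 4431 output above (not the poster's full log).
SAMPLE_LOG = """\
*Feb  3 21:12:12.019: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb  3 21:12:27.022: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb  3 21:12:27.024: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb  3 21:13:02.101: %HTTP-4-SERVER_CONN_RATE_EXCEED: Number of connections per minute has exceeded the maximum limit(500)as specified by the platform.
*Feb  3 21:13:40.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.9)
"""

def parse_line(line, year=2023):
    """Return a dict for one IOS syslog line, or None if it does not match the layout."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    lim = LIMIT_RE.search(m["text"])
    return {"ts": ts, "clock_unsynced": m["unsync"] == "*",
            "facility": m["facility"], "severity": int(m["sev"]),
            "mnemonic": m["mnemonic"], "limit": int(lim.group(1)) if lim else None}

def warnings_per_minute(log, mnemonic="SERVER_CONN_RATE_EXCEED"):
    """Count occurrences of one mnemonic per wall-clock minute, keyed 'HH:MM'."""
    counts = Counter()
    for line in log.splitlines():
        ev = parse_line(line)
        if ev and ev["mnemonic"] == mnemonic:
            counts[ev["ts"].strftime("%H:%M")] += 1
    return dict(counts)

def clock_unsynced(log):
    """True if any parsed line carries the '*' marker, i.e. timestamps are not NTP-backed."""
    return any(ev["clock_unsynced"] for ev in map(parse_line, log.splitlines()) if ev)
```

A run of several warnings inside the same minute, as in the quoted log, means the HTTP server was refusing new sessions for that whole minute; the '*' marker is worth fixing with NTP before trying to line these up against ASA connection logs.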
02-07-2023 07:01 AM
I'm placing access lists on interfaces and verifying they are being hit by the interesting traffic. This troubleshooting technique is yielding success.
I have CONFIRMED the interesting traffic is entering the 4431 incoming int.
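The accepted approach above relies on comparing ACE hit counts before and after generating the interesting traffic. As an added example (not from the original thread or from Cisco), the snippet below parses two constructed `show access-lists` snapshots, computes the per-ACE hit-count growth, and checks that a test ACL ends in `permit ip any any` so that its implicit deny does not drop production traffic. The ACL name, hosts and counters are constructed sample values.

```python
import re

# 'show access-lists' layout on IOS/IOS-XE (constructed sample, not the poster's router):
#   Extended IP access list NAME
#       10 permit tcp host A host B eq 22 (37 matches)
# ACEs that have never matched carry no "(N matches)" suffix.
ACL_HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ACE_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

SNAPSHOT_BEFORE = """\
Extended IP access list TSHOOT-SFTP-IN
    10 permit tcp host 10.10.10.25 host 2.2.2.2 eq 22
    20 permit ip any any (88213 matches)
"""
SNAPSHOT_AFTER = """\
Extended IP access list TSHOOT-SFTP-IN
    10 permit tcp host 10.10.10.25 host 2.2.2.2 eq 22 (7 matches)
    20 permit ip any any (89000 matches)
"""

def parse_show_access_lists(text):
    """Map ACL name -> {sequence: {'action', 'rule', 'hits'}}."""
    acls, current = {}, None
    for line in text.splitlines():
        h = ACL_HEADER_RE.match(line)
        if h:
            current = h.group(2)
            acls[current] = {}
            continue
        a = ACE_RE.match(line)
        if a and current is not None:
            seq, action, rule, hits = a.groups()
            acls[current][int(seq)] = {"action": action, "rule": rule, "hits": int(hits or 0)}
    return acls

def hit_deltas(before_text, after_text):
    """Per-ACE hit growth between two snapshots; the interesting-traffic ACE should grow."""
    before = parse_show_access_lists(before_text)
    after = parse_show_access_lists(after_text)
    return {(name, seq): ace["hits"] - before.get(name, {}).get(seq, {}).get("hits", 0)
            for name, aces in after.items() for seq, ace in aces.items()}

def acl_is_safe(acl_text, name):
    """True if the ACL's last ACE is 'permit ip any any', so a troubleshooting ACL does not
    silently drop production traffic through the implicit deny (the concern in question 5b)."""
    aces = parse_show_access_lists(acl_text).get(name, {})
    if not aces:
        return False
    last = aces[max(aces)]
    return last["action"] == "permit" and last["rule"] == "ip any any"
```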
02-03-2023 03:27 PM
02-03-2023 03:42 PM
Thank you for your helpful reply.
1b. What is most likely causing this torrent of connections?
2b. Are these only vty/ssh connections to this 4431 router?
3b. Why would so many attempts be made to this device?
The literature instructs remediation by inserting an ACL. OK. 4b. What will the result be of this ACL?
5b. Might this ACL suddenly break a production critical process?
Thank you.
02-03-2023 03:47 PM
Have you enabled HTTP on the router?
02-03-2023 04:08 PM
I know very little about this device. It lives between ASA-5525 and www.
I only know traffic is lost leaving LAN, somewhere between...
ASA-5525 inside interface after ACL permit statement is hit, and www VENDOR1= 2.2.2.2
(Traffic fails before reaching 2.2.2.2)
02-04-2023 01:02 AM
Hello,
I am not sure the SFTP to WWW problem you are experiencing is related to the log messages. The HTTP server functionality of the router is aimed at administering the router through a web interface. You could try and use a non-standard port, e.g.:
ip http server
ip http port 8001
to see if that reduces the log messages (and effectively the number of connections).
With regard to your issue:
--> I am troubleshooting symptom of sftp communication from internal server not reaching www address.
Is the connection slow, are there timeouts? In order to troubleshoot this, you would need access to the router. It might just be that the router (interface) is saturated.
02-05-2023 03:25 AM
I don't know troubleshooting, but you can use capture in the ASA to see whether or not the packet reaches the ASA.
02-05-2023 01:17 PM
This link is for capturing traffic in the ASA.
02-05-2023 02:45 PM
The ASA LAN-interface-in ACL registers permit hits for this circuit.
There is no ACL on the outside interface.
Thus, is it still possible that traffic is not leaving this ASA for this circuit?
02-05-2023 02:50 PM
share
show local-host x.x.x.x <<- x.x.x.x is the IP address of destination
02-05-2023 03:41 PM
5525ASA# show local-host 2.2.2.2
Interface ONE: 1 active, 7 maximum active, 0 denied
Interface TWO: 1 active, 1 maximum active, 0 denied
Interface management: 0 active, 0 maximum active, 0 denied
Interface dmz: 24 active, 257 maximum active, 0 denied
Interface Inside: 378 active, 133543 maximum active, 0 denied
Interface Outside: 1798 active, 41512 maximum active, 0 denied
Interface FAILOVER: 1 active, 1 maximum active, 0 denied
Interface EIGHT: 0 active, 2 maximum active, 0 denied
Interface any: 0 active, 0 maximum active, 0 denied
02-05-2023 03:47 PM
5525ASA# show local-host 2.2.2.2 detail <<- please share the output after adding detail
02-05-2023 03:57 PM
"5525ASA# show local-host 2.2.2.2 detail <<- please share the output after adding detail"
- The output is identical to 5525ASA# show local-host 2.2.2.2
02-05-2023 03:53 PM
The only device left is a 4431 ISR between the ASA and the www.
4431#sh run | inc access-gr
4431#sh run | inc access gr
4431#
... tells me there are no ACLs on the interfaces. Yes there are ACLs on the device. I don't know what they map to.
What is the next troubleshoot step here?
Thank you!
02-05-2023 03:59 PM - edited 02-05-2023 04:01 PM
There are two FWs, as I get from your previous comment:
one Zone Firewall <<- show policy-map type inspect zone-pair <x-y>
one ASA <<- show local-host x.x.x.x detail (optionally you can add the connection keyword)
show conn x.x.x.x <<- this gives a hint about TCP or UDP traffic passing through the ASA