ASA 5550 NAT - %ASA-3-201011: Connection limit exceeded

I've got an ASA 5550 running Software Version: 8.2(2);
 
I replaced two static NAT commands below with new commands to change the
connection limits:

no static (inside,outside) ggg.ggg.ggg.118 ppp.ppp.ppp.118 netmask 255.255.255.255 tcp 500 1000 
static (inside,outside) ggg.ggg.ggg.118 ppp.ppp.ppp.118 netmask 255.255.255.255 tcp 5000 5000 

no static (inside,outside) ggg.ggg.ggg.229 ppp.ppp.ppp.229 netmask 255.255.255.255 tcp 1000 0 
static (inside,outside) ggg.ggg.ggg.229 ppp.ppp.ppp.229 netmask 255.255.255.255 tcp 5000 5000

However, I am still getting connection limit exceeded messages in the log:

Oct 02 2012 10:01:22: %ASA-3-201011: Connection limit exceeded 500/500 for inbound packet from 169.139.16.2/59278 to ggg.ggg.ggg.118/443 on interface outside

Help! This is a mission-critical application that is being affected.

Thanks!
 

Message was edited by: Marc Chin


Hello Marc,

Did you clear the xlate table?

Please do the following:

clear xlate local ggg.ggg.ggg.229

clear local-host ggg.ggg.ggg.229

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, I performed a 'clear xlate' - both local, global, and general, to no effect.

I wound up opening a TAC case for this and the tech indicated that I needed to do a 'clear conn' to reset the xlate to the new limits.

Marc


Correct, clear conn is needed as well.

And what was the result?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
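
The symptom in this thread (a 201011 message reporting 500/500 after the static was changed to 5000) can be spotted by comparing the limit in each log line with the limit in the running configuration. The script below is an added example, not code from any participant in the thread. The addresses are constructed documentation-range placeholders, and the function names and verdict labels are hypothetical.

```python
import re

# Constructed sample input: placeholder addresses, not the thread's masked values.
CONFIG = """\
static (inside,outside) 203.0.113.118 10.0.0.118 netmask 255.255.255.255 tcp 5000 5000
static (inside,outside) 203.0.113.229 10.0.0.229 netmask 255.255.255.255 tcp 5000 5000
"""
LOGS = """\
Oct 02 2012 10:01:22: %ASA-3-201011: Connection limit exceeded 500/500 for inbound packet from 198.51.100.2/59278 to 203.0.113.118/443 on interface outside
Oct 02 2012 10:05:40: %ASA-3-201011: Connection limit exceeded 5000/5000 for inbound packet from 198.51.100.7/40112 to 203.0.113.229/443 on interface outside
"""

# 8.2-style static: mapped address first, then real address; the first number
# after "tcp" is the maximum connection count, the second the embryonic limit.
STATIC_RE = re.compile(
    r"^static \(\S+,\S+\) (?P<mapped>\S+) \S+ netmask \S+(?: tcp (?P<max>\d+))?", re.M)
LOG_RE = re.compile(
    r"%ASA-3-201011: Connection limit exceeded \d+/(?P<limit>\d+) for \w+ packet "
    r"from (?P<src>[^/\s]+)/\d+ to (?P<dst>[^/\s]+)/\d+")

def configured_limits(config):
    """Map each mapped (global) address to its configured max TCP connections.
    A static with no tcp keyword is recorded as 0, which the ASA treats as unlimited."""
    return {m["mapped"]: int(m["max"] or 0) for m in STATIC_RE.finditer(config)}

def classify(config, logs):
    """Return (destination, enforced limit, configured limit, verdict) per 201011 line."""
    limits = configured_limits(config)
    findings = []
    for m in LOG_RE.finditer(logs):
        dst, enforced = m["dst"], int(m["limit"])
        want = limits.get(dst)
        if want is None:
            verdict = "no-static-for-destination"
        elif enforced != want:
            # The limit being enforced is not the one in the config: the case in
            # this thread. A limit set elsewhere in the config would also land here.
            verdict = "stale-limit"
        else:
            verdict = "limit-reached"
        findings.append((dst, enforced, want, verdict))
    return findings

if __name__ == "__main__":
    for row in classify(CONFIG, LOGS):
        print(*row)
```

A "stale-limit" verdict corresponds to the situation the thread resolves with 'clear conn'; "limit-reached" means the new limit is in force and is itself being hit.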