ASA 5550 NAT - %ASA-3-201011: Connection limit exceeded

drumrb0y · ‎10-02-2012

I've got an ASA 5550 running Software Version: 8.2(2);

I replaced two static NAT commands below with new commands to change the
connection limits:

no static (inside,outside) ggg.ggg.ggg.118 ppp.ppp.ppp.118 netmask 255.255.255.255 tcp 500 1000

static (inside,outside) ggg.ggg.ggg.118 ppp.ppp.ppp.118 netmask 255.255.255.255 tcp 5000 5000 

no static (inside,outside) ggg.ggg.ggg.229 ppp.ppp.ppp.229 netmask 255.255.255.255 tcp 1000 0 
static (inside,outside) ggg.ggg.ggg.229 ppp.ppp.ppp.229 netmask 255.255.255.255 tcp 5000 5000 ~~ However, I am still getting connection limit exceeded messages in the log:

Oct 02 2012 10:01:22: %ASA-3-201011: Connection limit exceeded 500/500 for inbound packet
from 169.139.16.2/59278 to ggg.ggg.ggg.118/443 on interface outside

Help! This is a mission-critical application that is being affected.

Thanks!

Message was edited by: Marc Chin

Julio Carvajal · ‎10-02-2012

Hello Marc,

Did you clear the xlate table?

Please do the following

Clear xlate local ggg.ggg.ggg.229

clear local-host ggg.ggg.ggg.229

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

drumrb0y · ‎10-02-2012

Yes, I performed a 'clear xlate' - both local, global, and general, to no effect.

I wound up opening a TAC case for this and the tech indicated that I needed to do a 'clear conn' to reset the xlate to the new limits.

Marc

Julio Carvajal · ‎10-02-2012

Correct, clear conn is need it as well

And what was the result?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC