11-16-2012 03:13 AM - edited 03-11-2019 05:24 PM
Hi, I have a question about some of the parameters for the ASA.
For example, in Cisco ASA 5540 Adaptive Security Appliance Platform Capabilities and Capacities, I see Concurrent Sessions: 400,000
Which means the device can handle 400,000 sessions and no more.
But if I'm using the TCP State Bypass Feature (inbound traffic passes via the ASA but outbound goes via a different device), I can see such connections via the show conn command with the b flag.
My questions:
1. Will this limit (Concurrent Sessions) still apply in this case? Or can the ASA handle more such connections (for example 800,000 ...) in bypass state?
2. Is it possible to tune the timeout for such connections without using the global timeout conn?
My problem is that I want to bypass TCP connections for one IP which has a very high connection/sec rate.
Please help :-)
11-16-2012 03:15 PM
Andrej,
To answer your question, I doubt you will be able to get 2x more concurrent connections. You might get a bit more than advertised, but we do put those limits in for a reason (mostly to baseline what is a reasonable amount).
Looks like you're looking also to stress conn/sec rather than concurrent ones.
The resources of a device, regardless of how it operates, are always finite.
RAM, memory blocks/buffers, CPU are what is most likely to run out (not in any particular order).
1) We will most likely not support such a scenario.
2) Yes from MPF.
What I would suggest is to discuss this with your system engineer, like any sizing discussion (also to understand whether ASA is the best device for what you're trying to achieve).
They might reach out to BU to check what we will or will not support.
M.
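An added configuration example (not from the thread, and not Cisco's own text) of what "Yes from MPF" looks like in practice: bypass only the one asymmetric host and give that class its own idle timeout, leaving the global timeout conn untouched. The host address, the object names, the interface name and the ASA 8.2+ `set connection timeout idle` syntax are assumptions.

```cisco
! Added example, not from the original thread. Placeholder host 203.0.113.10
! stands in for the single high conn/sec IP with asymmetric return traffic.
! Match only that host's TCP flows so stateful inspection stays on for everything else.
access-list BYPASS_HOST extended permit tcp any host 203.0.113.10
access-list BYPASS_HOST extended permit tcp host 203.0.113.10 any
!
class-map BYPASS_CLASS
 match access-list BYPASS_HOST
!
! Per-class connection settings: state bypass plus a short idle timeout,
! so bypassed entries are reclaimed quickly instead of sitting until the
! global timeout conn expires. Adjust the value to the application.
policy-map BYPASS_POLICY
 class BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
  set connection timeout idle 0:02:00
!
! Apply on the interface where the asymmetric flows arrive (name is an assumption).
service-policy BYPASS_POLICY interface outside
!
! Verification: bypassed flows show the b flag in show conn, and the policy
! counters confirm the class is actually being hit.
! show conn address 203.0.113.10 detail
! show service-policy interface outside
```

Because bypassed flows are not inspected, keeping the ACL as narrow as possible is the main safeguard; the show conn b flag is the check that nothing outside the intended host is being bypassed.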
11-17-2012 07:05 AM
Thank you for your answers! Very useful information for me.
Relative to conn/sec and concurrent: my idea was as follows. If the ASA can't while TCP session (in bypass mode), it will close it via timeout, but with a high conn/sec rate we will hit the concurrent limit rather than CPU, mbufs.
MPF might help to minimize the timeout, but the whole idea really needs to be discussed first.
Thanks again!