02-20-2013 11:51 PM - edited 03-11-2019 06:03 PM
- ASA5545 : Software Version 8.6(1)2
The connection table (cfwConnectionStatValue) gradually increases and never goes down. At 750000
connections, user activity is hampered and the box claims that it cannot support more connections.
Is there a remedy?
M.
02-21-2013 01:13 AM
Hi,
I think on the ASDM side you can go to the "Home" window, and a little bit below you will see the tabs "Device Dashboard", which is selected by default, and "Firewall Dashboard", which is the one you should go to.
It has other statistics, and in the lower right-hand corner there is an option to go through different Top statistics.
I have a vague memory that this might cause performance issues in the worst case. But it should probably be the easiest way to get the information through the ASDM.
Otherwise you just have to monitor the "show conn", "show conn count", "show conn long", "show local-host" and other similar command outputs to gather information.
- Jouni
02-20-2013 11:55 PM
Hi,
Have you made changes to the default "timeout" values shown with the command "show run timeout"?
Is there some host on the network that is generating so many connections that it's eating up the ASA resources?
I have witnessed a couple of times a single host generating so many connections / so much traffic that it has exhausted the set connection limit of the ASA (though in this case a bit lower-end model of ASA).
- Jouni
02-21-2013 12:15 AM
> Is there some host on the network that is generating so many connections that it's eating up the ASA resources?
Tx, is there a way in the ASA, command line or device manager, which can show me the 'top-connecting' hosts
(so to speak).
Marc.
02-21-2013 11:55 PM
Tx, it turns out that during the initial setup of the firewall, some rules had the 'service policy' set up with
infinite TCP timeouts for app debugging. We are now reviewing the service policy rules and making
corrections where needed.
Marc.
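As an added example (not part of the original thread or of any Cisco tool), the following script does offline what the earlier reply suggests doing by eye with "show conn": it counts connections per inside host to find the 'top-connecting' ones, and it also flags entries whose idle time is far beyond a normal TCP timeout, which is the symptom behind the infinite-timeout service policy found at the end of the thread. The "show conn" line format is approximated from ASA 8.x output and the sample lines, addresses, idle times and byte counts are constructed for this example; treating the address on the "inside" interface as the local host is an assumption, and the regex may need adjusting for other ASA versions or for connections with NAT annotations.

```python
import re
from collections import Counter

# Constructed sample of "show conn" output (format approximated from ASA 8.x;
# addresses, idle times and byte counts are made up for this example).
SAMPLE_SHOW_CONN = """\
TCP outside 198.51.100.20:443 inside 192.168.10.5:52233, idle 0:00:12, bytes 8192, flags UIO
TCP outside 198.51.100.21:80 inside 192.168.10.5:52234, idle 3:12:40, bytes 512, flags UIO
TCP outside 198.51.100.22:80 inside 192.168.10.5:52235, idle 27:45:03, bytes 60, flags UIO
UDP outside 198.51.100.53:53 inside 192.168.10.7:40011, idle 0:00:01, bytes 120, flags -
TCP outside 198.51.100.23:22 inside 192.168.10.9:41000, idle 0:02:10, bytes 40960, flags UIO
TCP outside 198.51.100.24:443 inside 192.168.10.5:52236, idle 48:00:00, bytes 0, flags saA
"""

# One "show conn" entry: protocol, outside endpoint, inside endpoint, idle time, bytes.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_addr>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_addr>[\d.]+):(?P<in_port>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+)"
)


def parse_idle(idle):
    """Convert an 'H:MM:SS' idle string to seconds (hours may exceed 24)."""
    hours, minutes, seconds = (int(part) for part in idle.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_conns(text):
    """Parse "show conn" output into a list of dicts; unrecognised lines are skipped."""
    conns = []
    for line in text.splitlines():
        match = CONN_RE.match(line.strip())
        if not match:
            continue
        entry = match.groupdict()
        entry["idle_sec"] = parse_idle(entry["idle"])
        entry["bytes"] = int(entry["bytes"])
        conns.append(entry)
    return conns


def top_hosts(conns, n=5):
    """Rank inside-interface hosts by number of entries in the connection table."""
    return Counter(c["in_addr"] for c in conns).most_common(n)


def stale_conns(conns, idle_threshold_sec=3600):
    """Entries idle longer than the threshold (default 1 hour, the ASA default TCP conn timeout)."""
    return [c for c in conns if c["idle_sec"] >= idle_threshold_sec]


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_SHOW_CONN)
    print("Top connecting inside hosts:")
    for host, count in top_hosts(conns):
        print(f"  {host:15} {count}")
    print("Connections idle longer than 1 hour (candidate timeout problems):")
    for c in stale_conns(conns):
        print(f"  {c['proto']} {c['out_addr']}:{c['out_port']} <- {c['in_addr']}:{c['in_port']} idle {c['idle']}")
```

On a real box, paste the output of "show conn" (or "show conn long") into a file and feed it to parse_conns; a host that dominates top_hosts points at a chatty or misbehaving client, while a large stale_conns list with idle times of many hours points at the timeout or service-policy settings rather than at any single host.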