7632 Views · 0 Helpful · 4 Replies

Cisco ASA clarification regarding show local-host

secureIT
Level 4

Hi Team,

We are observing that the number of connections through the ASA 5580 keeps increasing, and one fine day it will stop sending/receiving traffic.

firewall# show conn count

1900000 in use, 2000008 most used


As per the datasheet of this ASA, the maximum permissible connections is 2 million (20 lacs), and the output shows that currently 1900000 connections are in use and 2 million + 8 connections were the most used.

When I run "show local-host | include host|count/limit", below are the outputs showing the maximum connections.

local host: <172.x.x.x>,
    TCP flow count/limit = 35857/unlimited
    TCP embryonic count to host = 25
    UDP flow count/limit = 0/unlimited

local host: <DC01>,
    TCP flow count/limit = 306/unlimited
    TCP embryonic count to host = 8
    UDP flow count/limit = 736807/unlimited

local host: <DC02>,
    TCP flow count/limit = 246/unlimited
    TCP embryonic count to host = 2
    UDP flow count/limit = 582010/unlimited

local host: <172.y.y.y>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 308412/unlimited

These are the top 4 connections; I wonder, should we consider only the TCP flow count, or UDP as well?

4 Replies

mirober2
Cisco Employee

Hi Rajesh,

Both TCP and UDP connections should be counted.

-Mike

Hi Mike,

Could you please help in identifying the genuine connections? Is there any combination of flags or something to be executed in the show conn command in order to identify the fake or unwanted connections? Is there any way to proceed further?

Any help?

Hi,

I have had to deal with a similar problem only 2-3 times, and it was always a "contaminated" computer/server.

In the latest case a single server in an environment with an ASA5540 was pushing so many connections that it reached the maximum connections for that ASA model (400 000).

First I would start by checking what connections are being formed from the hosts that you listed above. I guess you should usually see some sort of well-known port used for any service that's needed. It might also help if there was someone there who knows exactly what connections your servers etc. are supposed to handle.

How many hosts are there in your network?

What has been the normal trend with the connection count before you ran into this problem?

How did you notice this problem? Connections weren't being formed through the ASA?

What have you done so far regarding this problem?

- Jouni
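Added example, not from the thread or from Cisco: a small Python script that parses output in the layout of the "show local-host" listing quoted above, sums TCP and UDP flows per host (both count toward the limit, as Mike says), and ranks hosts against the 2,000,000 platform maximum cited from the datasheet, so the host pushing the most connections stands out before you dig into its individual flows with show conn. The sample output, hostnames and counts are constructed for this example.

```python
import re
# Constructed sample in the layout of the "show local-host" output quoted in the
# thread; hostnames and counts are made up for this example.
SAMPLE_OUTPUT = """\
local host: <172.16.1.10>,
    TCP flow count/limit = 35857/unlimited
    TCP embryonic count to host = 25
    UDP flow count/limit = 0/unlimited
local host: <DC01>,
    TCP flow count/limit = 306/unlimited
    TCP embryonic count to host = 8
    UDP flow count/limit = 736807/unlimited
local host: <DC02>,
    TCP flow count/limit = 246/unlimited
    TCP embryonic count to host = 2
    UDP flow count/limit = 582010/unlimited
"""

HOST_RE = re.compile(r"^local host: <([^>]+)>,")
FLOW_RE = re.compile(r"^\s*(TCP|UDP) flow count/limit = (\d+)/")
EMBRYONIC_RE = re.compile(r"^\s*TCP embryonic count to host = (\d+)")


def parse_local_host(text: str) -> dict[str, dict[str, int]]:
    """Map each host to its TCP, UDP and embryonic (half-open TCP) counts."""
    hosts: dict[str, dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
            hosts[current] = {"tcp": 0, "udp": 0, "embryonic": 0}
        elif current and (m := FLOW_RE.match(line)):
            hosts[current][m.group(1).lower()] = int(m.group(2))
        elif current and (m := EMBRYONIC_RE.match(line)):
            hosts[current]["embryonic"] = int(m.group(1))
    return hosts


def rank_hosts(hosts: dict[str, dict[str, int]], platform_max: int) -> list[tuple[str, int, float]]:
    """Rank hosts by TCP+UDP flows (both count toward the limit) and report
    each host's share of the platform connection maximum."""
    rows = [(h, c["tcp"] + c["udp"], round((c["tcp"] + c["udp"]) / platform_max, 4))
            for h, c in hosts.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for host, total, share in rank_hosts(parse_local_host(SAMPLE_OUTPUT), 2_000_000):
        print(f"{host:<14} flows={total:>8} share_of_limit={share:.2%}")
```

A host whose UDP count dwarfs its TCP count, as DC01 and DC02 do here, is the first place to look at individual flows, since a single misbehaving server can consume most of the platform limit by itself.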
