Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
854
Views
0
Helpful
3
Replies

Conception problem of max connection and maximum per client

Machi Ma
Level 1
Level 1

‎03-11-2015 10:56 PM - edited ‎03-11-2019 10:37 PM

Hello,

Some conception about connection max and max per client.  Following example say inside network is 100.100.100.0/24 and now limit the connection for each connecting from OUTSIDE

----

access-list conns-traffic extended permit ip any 100.100.100.0 255.255.255.0

class-map conns
 match access-list conns-traffic

policy-map conns-policy
 class CONNECTIONS
  set connection per-client-max 20 per-client-embryonic-max 10
  set connection conn-max 1000 embryonic-conn-max 500

service-policy conns-policy interface OUTSIDE

----

> set connection per-client-max 20 per-client-embryonic-max 10

Q1. That means each Internet clients can create max 20 connection and 10 embryonic connection into EACH client of inside network?

> set connection conn-max 1000 embryonic-conn-max 500

Q2. That means the maximum connection can establish to EACH client of inside network is 1000 and embryonic connection is 500?

 

Thanks!

 

Labels:
0 Helpful
3 Replies 3

Vibhor Amrodia
Cisco Employee
Cisco Employee

‎03-12-2015 12:08 AM

Hi,

As per the 1st query , That means each Internet clients can create max 20 connection and 10 embryonic connection into EACH client of inside network?

Partially correct. This means that each internet client would be able to create 20 Connections at max to the complete inside network and same for embryonic connections.

2nd query:- Total 1000 connections would be allowed from 'ANY' ip address to the Internal Network and not for each client. Same will be for the embryonic limit.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Machi Ma
Level 1
Level 1
In response to Vibhor Amrodia

‎03-12-2015 12:56 AM

Hi,

Thanks.

Another conception question is one of parameter from threat-detection called 'syn-attack'.  From some material saying that embryonic-conn-max  or per-client-embryonic-max can protect some syn-flood attack.

Does two of them have some conflict? or they can cover either them?

Thanks!

0 Helpful

Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to Machi Ma

‎03-12-2015 01:06 AM

Hi,

These "syn-attack" messages mostly appear when you receive these messages on the syslog:-

%ASA-6-302014 syslog with teardown reason of "SYN Timeout"

If you limit the number of embryonic on the per client basis , it would be more effective but than you have to come up with a number as per your environment.

You can also apply the complete Device limit with embryonic-conn-max and obviously the number would be much higher.

Thanks and Regards,

Vibhor Amrodia

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card