Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1396
Views
0
Helpful
1
Replies

Connection Numbers Don't add up

petes
Level 1
Level 1

‎06-14-2011 08:56 AM - edited ‎03-11-2019 01:44 PM

I have a monitoring rule that checks the number of connections on the firewall using the following command:

show conn count

My results are always between 3,000 and 9,000.

A while back, I had an issue where all 130,000 connections were being used up.  I configured a service policy to limit the number of connections between any two end points.

The commands I used were:

     class-map CONNS

      match any

     policy-map global_policy

      class CONNS

       set connection per-client-max 20000 per-client-embryonic-max 20000

I'm monitoring the error logs and I'm noticing that my connection limit rule is being triggered on a regular basis.  I receive the following message

     Per-client connection limit exceeded 20000/20000 for output packet from x.x.x.x to x.x.x.x on interface outside

I'm confused as to the difference between the connections limited by my rule and the connections shown by "show conn count".  Can anybody explain the difference between these connection metrics and why I never see any connections higher than 9,000 using "show conn count" yet I am seeing alerts stating that the firewall has reached 20000 connections?

My firewall is an ASA5510 running

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51

Thanks,

Labels:
0 Helpful
1 Reply 1

Shrikant Sundaresh
Cisco Employee
Cisco Employee

‎06-15-2011 02:33 PM

Hi Pete,

The next time you receive this log message, could you please check the outputs of:

show local-host x.x.x.x

for both the source and destination mentioned in the log message?

You should see the number of TCP, embryonic-TCP and UDP connections for that host.

If the command does not give the above output then try adding "detail" or "all" to the same command.

I am not sure, but I think "show conn count" shows only the acive connections count, and may not be counting the embryonic connections.

However, the show local-host command should confirm if the 20k limit is being exceeded or not.

Hope this helps.

-Shrikant

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card