Embryonic connection limit exceeded

imran.moulvi
Level 1

Hello Experts,

We have been seeing the below logs quite frequently on our perimeter firewall:

%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from x.x.x.x/49189 to y.y.y.y/443 on interface outside

We have the following NAT statement on our perimeter firewall, which is used to NAT the IP of the VPN firewall:

static (VPN,outside) y.y.y.y y.y.y.y netmask 255.255.255.255 tcp 10000 10000

y.y.y.y = VPN firewall sitting on the firewall's "VPN" interface

x.x.x.x = Client connecting to SSLVPN.

Can anyone advise why these logs are being generated? Does this mean there are more than 10000 embryonic connections open to y.y.y.y?

Thanks.

Imran.

3 Replies

Jennifer Halim
Cisco Employee

Yes, you are absolutely correct.

You have configured the TCP embryonic limit to 10000 based on the static NAT statement, and it seems to have reached that number, hence the syslog message. You might want to investigate why there have been 10,000 embryonic connections for that particular host; it could be a DoS attack.

Hello Jennifer,

Thank You for replying to my post.

Actually, we are seeing these logs for all the users that try to establish an SSLVPN connection to y.y.y.y.

SSLVPN Firewall Cisco ASA 5520 (Outside Interface: y.y.y.y) ---> Perimeter Firewall Cisco ASA 5520 ("VPN" interface) ---> Internet

I am not sure why that is happening. The source IP in my previous post was my own computer that I was testing with and that is a clean system.

%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 76.104.4.121/2868 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 76.104.4.121/2868 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 76.104.4.121/2868 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 68.196.44.165/49483 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 68.196.44.165/49483 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 68.196.44.165/49483 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 69.86.248.64/1406 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 69.86.248.64/1406 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 69.86.248.64/1406 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 67.82.219.206/1470 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 67.82.219.206/1470 to y.y.y.y/443 on interface outside

I thought that on an ASA, by default, the embryonic connection timeout is 30 seconds. We are seeing these logs on our perimeter firewall. Does this mean the embryonic connections are not timing out and are staying in the table, causing these logs? If you can, please clarify.

Thanks & Regards.
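Jennifer's reply points at the NAT statement's embryonic limit being reached; the log lines quoted above show which hosts are being turned away. Before touching the limit or the timeout, it helps to see whether the rejected SYNs come from one peer (a flood against y.y.y.y) or from many ordinary clients. The script below is an added example, not code from the thread or from Cisco: it parses %ASA-6-201010 lines, groups them per destination host and port, counts hits per source, and applies a simple share-of-traffic heuristic of my own. The sample input is constructed from the messages quoted in the thread plus one unrelated 302013 line; the 80% threshold in `classify` is an assumed value, not an ASA setting.

```python
import re
from collections import Counter

# Constructed sample input: the %ASA-6-201010 lines quoted in the thread
# (same source addresses, y.y.y.y kept as a placeholder) plus one unrelated
# %ASA-6-302013 line to show that other message IDs are ignored.
SAMPLE_LOGS = """\
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 76.104.4.121/2868 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 76.104.4.121/2868 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 68.196.44.165/49483 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 69.86.248.64/1406 to y.y.y.y/443 on interface outside
%ASA-6-201010: Embryonic connection limit exceeded 10000/10000 for inbound packet from 67.82.219.206/1470 to y.y.y.y/443 on interface outside
%ASA-6-302013: Built inbound TCP connection 12345 for outside:10.0.0.5/5555 (10.0.0.5/5555) to VPN:y.y.y.y/443 (y.y.y.y/443)
"""

# Field layout of message 201010 as it appears in the thread:
#   Embryonic connection limit exceeded <current>/<limit> for inbound packet
#   from <src>/<sport> to <dst>/<dport> on interface <ifc>
MSG_201010 = re.compile(
    r"%ASA-\d-201010: Embryonic connection limit exceeded "
    r"(?P<current>\d+)/(?P<limit>\d+) for inbound packet from "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"on interface (?P<ifc>\S+)"
)


def parse_201010(text):
    """Return a list of dicts, one per 201010 line; other message IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = MSG_201010.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for field in ("current", "limit", "sport", "dport"):
            ev[field] = int(ev[field])
        events.append(ev)
    return events


def summarize(events):
    """Group rejected SYNs by (dst, dport): hit count, limit seen, per-source counts."""
    by_dst = {}
    for ev in events:
        key = (ev["dst"], ev["dport"])
        s = by_dst.setdefault(key, {"hits": 0, "limit": ev["limit"],
                                    "interfaces": set(), "per_src": Counter()})
        s["hits"] += 1
        s["limit"] = max(s["limit"], ev["limit"])
        s["interfaces"].add(ev["ifc"])
        s["per_src"][ev["src"]] += 1
    return by_dst


def classify(dst_summary, single_source_share=0.8):
    """Heuristic (mine, not from the thread): if one source produces most of the
    rejected SYNs, suspect a single-source SYN flood against that host; if the
    rejects are spread across many sources, ordinary clients are being turned
    away, which points at the limit being too low for the load or at half-open
    connections not clearing from the table. The 0.8 share is an assumed cutoff."""
    top_src, top_hits = dst_summary["per_src"].most_common(1)[0]
    if top_hits / dst_summary["hits"] >= single_source_share:
        return ("single-source", top_src)
    return ("many-sources", len(dst_summary["per_src"]))


if __name__ == "__main__":
    for (dst, dport), s in summarize(parse_201010(SAMPLE_LOGS)).items():
        verdict, detail = classify(s)
        print(f"{dst}:{dport} limit={s['limit']} rejects={s['hits']} "
              f"sources={len(s['per_src'])} on {','.join(sorted(s['interfaces']))} "
              f"-> {verdict} ({detail})")
```

Run it against a syslog export (`python3 asa_201010.py < asa.log` after swapping `SAMPLE_LOGS` for `sys.stdin.read()`); a "many-sources" verdict on the quoted lines matches what Imran reports, every SSL VPN client being rejected, rather than one peer hammering the host.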

Could you issue these two commands?

sh local y.y.y.y | i host|count/limit

and

sh conn | i y.y.y.y

You can see all the conns and their flags and idle time for each of them.

-KS
