Hi,

We have the following policy on a firewall to limit the maximum number of connections:

policy-map global_policy

class HTTP

  set connection conn-max 2250 embryonic-conn-max 100 per-client-max 20 per-client-embryonic-max 5

  set connection timeout half-closed 0:05:00 idle 0:05:00

If we look in the logs we see that connections are being dropped because of this:

Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet from x.x.x.x/63257 to x.x.x.x/80 on interface outside

Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet from x.x.x.x/53429 to x.x.x.x/80 on interface outside

Feb 05 2014 12:33:12: %ASA-3-201011: Connection limit exceeded 2250/2250 for input packet fromx.x.x.x/48613 to x.x.x.x/80 on interface outside

And these show true if we look at the service policy

XXXX# show service-policy global

Global policy:

  Service-policy: global_policy

    Class-map: HTTP

      Set connection policy: conn-max 2250 embryonic-conn-max 100 per-client-max 20 per-client-embryonic-max 5

        current embryonic conns 2, current conns 2250, drop 15870337

      Set connection timeout policy:

        half-closed 0:05:00 idle 0:05:00

        DCD: disabled, retry-interval 0:00:15, max-retries 5

        DCD: client-probe 0, server-probe 0, conn-expiration 0

However the connections on the firewall and servers aren’t high

xxxxx# show conn count

529 in use, 2485 most used

Can anyone explain why this is, not sure if it is bug or is normal expected behavour. Is this "current conns" figure meant to corresond to the firewall conns, or is taking from something else? I guess they only way to remove this is to remove and re-add the policy, just wanted to get peoples thoughts on it or see if I was missing something.

This is on an ASA5510 running Software Version 8.2(5)41

Thanks