12-26-2013 12:41 PM - edited 03-11-2019 08:22 PM
Hello-
I have set up a class-map to limit the number of connections for each separate context. I'm seeing an issue after applying it where the threshold is being exceeded: "Drop-reason: (rm-conn-limit) RM connection limit reached"; however, show resource usage shows the current and peak are nowhere near the limit, only showing a couple of connections.
Version 9.1(4)
class default
  limit-resource All 0
  limit-resource Mac-addresses 65535
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
  limit-resource Conns 0
class FW-GEN
  limit-resource Conns 300000
class FW-EC
  limit-resource Conns 300000
class FW-MAIN
  limit-resource Conns 300000
class FW-MARK
  limit-resource Conns 300000
class FW-PCI
  limit-resource Conns 300000
class FW-BUBBLE
  limit-resource Conns 100000
class FW-LAB
  limit-resource VPN Other 10
  limit-resource Conns 300000
Resource            Current  Peak  Limit      Denied  Context
SSH                       1     2  5               0  admin
ASDM                      0     4  5               0  admin
Conns                     3     7  unlimited       0  admin
Hosts                     3     7  unlimited       0  admin
Inspects [rate]           0     7  unlimited       0  admin
Routes                    2     2  unlimited       0  admin
Conns                     0    40  99000           0  BUBBLE
Hosts                     0    32  unlimited       0  BUBBLE
Conns [rate]              0   125  unlimited       0  BUBBLE
Inspects [rate]           0    25  unlimited       0  BUBBLE
Mac-addresses             0     2  65535           0  BUBBLE
SSH                       0     2  5               0  LAB
Syslogs [rate]            0   147  unlimited       0  LAB
Conns                     2   178  299000      22830  LAB
Xlates                    3   423  unlimited       0  LAB
Hosts                     3    72  unlimited       0  LAB
Conns [rate]              0   250  unlimited       0  LAB
Inspects [rate]           0    67  unlimited       0  LAB
Routes                    9    10  unlimited       0  LAB
Other VPN Sessions       43    45  10              2  LAB
Other VPN Burst           0     1  0               0  LAB
packet-tracer input inside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rm-conn-limit) RM connection limit reached
Is there anything else I can check to see why the connection limit is being reached?
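A practical way to sanity-check a post like this is to parse the quoted "show resource usage" rows and the resource-class configuration and let a script flag what a reviewer would look for: contexts with a non-zero Denied counter, usage above the enforced limit, and any difference between the limit configured in the class and the limit the ASA reports it is enforcing. The following is an added example, not code from the original post or from Cisco; the sample rows are constructed from the output quoted above, and the context-to-class membership (CONTEXT_TO_CLASS) is an assumption, because the post does not show the "member" lines of the context definitions.

```python
import re
from collections import namedtuple

# Constructed sample: rows taken from the "show resource usage" output quoted in the post.
SHOW_RESOURCE_USAGE = """\
Resource Current Peak Limit Denied Context
SSH 1 2 5 0 admin
Conns 3 7 unlimited 0 admin
Conns 0 40 99000 0 BUBBLE
Conns [rate] 0 125 unlimited 0 BUBBLE
Conns 2 178 299000 22830 LAB
Other VPN Sessions 43 45 10 2 LAB
Other VPN Burst 0 1 0 0 LAB
"""

# Constructed excerpt of the resource-class configuration quoted in the post.
RESOURCE_CLASS_CONFIG = """\
class FW-BUBBLE
  limit-resource Conns 100000
class FW-LAB
  limit-resource VPN Other 10
  limit-resource Conns 300000
"""

# Assumed (hypothetical) context-to-class membership; the post does not show the 'member' lines.
CONTEXT_TO_CLASS = {"BUBBLE": "FW-BUBBLE", "LAB": "FW-LAB"}

# Maps resource names as printed by 'show resource usage' to the names used by limit-resource.
SHOW_TO_CONFIG = {"Conns": "Conns", "Other VPN Sessions": "VPN Other"}

Usage = namedtuple("Usage", "resource current peak limit denied context")

# Resource names may contain spaces and brackets, so match the five trailing fields from the right.
ROW_RE = re.compile(
    r"^(?P<resource>.+?)\s+(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>unlimited|\d+)\s+(?P<denied>\d+)\s+(?P<context>\S+)$"
)


def parse_resource_usage(text):
    """Parse 'show resource usage' rows into Usage tuples; 'unlimited' becomes None."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Resource"):
            continue  # skip blanks and the column header
        m = ROW_RE.match(line)
        if not m:
            continue  # not a usage row (e.g. banners); ignore
        limit = None if m["limit"] == "unlimited" else int(m["limit"])
        rows.append(Usage(m["resource"], int(m["current"]), int(m["peak"]),
                          limit, int(m["denied"]), m["context"]))
    return rows


def parse_resource_classes(text):
    """Parse 'class X' / 'limit-resource NAME VALUE' blocks; a value of 0 means unlimited (None)."""
    classes, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "class" and len(parts) == 2:
            current = parts[1]
            classes[current] = {}
        elif parts[0] == "limit-resource" and current and len(parts) >= 3:
            name, raw = " ".join(parts[1:-1]), parts[-1]
            # Percent limits (e.g. "50%") are kept as strings; absolute limits become ints.
            value = int(raw) if raw.isdigit() else raw
            classes[current][name] = None if value == 0 else value
    return classes


def audit(rows, classes, context_to_class):
    """Flag denied requests, usage above the enforced limit, and configured-vs-enforced mismatches."""
    findings = []
    for r in rows:
        if r.denied > 0:
            findings.append({"context": r.context, "resource": r.resource, "kind": "denied",
                             "detail": f"{r.denied} requests denied"})
        if r.limit is not None and r.current > r.limit:
            findings.append({"context": r.context, "resource": r.resource, "kind": "over-limit",
                             "detail": f"current {r.current} exceeds enforced limit {r.limit}"})
        cls = context_to_class.get(r.context)
        cfg_name = SHOW_TO_CONFIG.get(r.resource)
        if cls and cfg_name and cfg_name in classes.get(cls, {}):
            configured = classes[cls][cfg_name]
            if configured != r.limit:
                findings.append({"context": r.context, "resource": r.resource, "kind": "limit-mismatch",
                                 "detail": f"class {cls} configures {configured}, ASA enforces {r.limit}"})
    return findings


if __name__ == "__main__":
    report = audit(parse_resource_usage(SHOW_RESOURCE_USAGE),
                   parse_resource_classes(RESOURCE_CLASS_CONFIG), CONTEXT_TO_CLASS)
    for f in report:
        print(f"{f['context']:8} {f['resource']:20} {f['kind']:15} {f['detail']}")
```

Run against the quoted output, the script reports the 22830 denied Conns and the 300000-vs-299000 limit difference for LAB, the 100000-vs-99000 difference for BUBBLE, and the "Other VPN Sessions" row where the current count (43) sits above the enforced limit (10) with 2 denials. None of that explains the drop by itself, but it turns the pasted output into a checklist of the rows worth raising in the ticket.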
12-29-2013 12:36 PM
Hi
Has to be a new/existing bug.
Please send me a message, if you need to solve this right away, go ahead and open a ticket.
Mike
02-04-2016 02:30 AM
I am having the exact same problem with ASA 5555 9.4, any updates on this?
02-22-2016 12:55 AM
- Make sure you have upgraded to the latest ASA, SFR and FMC versions
- Make sure you have not set unlimited connection timeouts on the Inside-Interface
- Make sure you have left Inside-Interface Per-client-max = 0 (default), Per-client-embryonic-max = 0 (default) and Idle = 0 (default)
That Solved the Problem For me!
12-29-2013 09:45 PM
The limit on conn resources depends upon which hardware model you are using.
This (http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wpxref10155 ) shows a table per hardware model.
I am also interested to know if this is bug in the OS.
JD...
12-30-2013 08:22 AM
I have opened up a ticket. I'll keep everyone posted on the findings.
The ASA hardware is a pair of 5585x SSP40 and it's not in production. We are only testing this in the LAB using multi-context mode with a policy to restrict the number of connections, so that if one context gets overwhelmed, it won't affect the others. Looking for a simple class policy to apply to each context.
Thanks,
John
12-30-2013 09:14 AM
Looks like a new one. I found the ticket. Will keep an eye on it.
Mike