Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1025
Views
0
Helpful
3
Replies

Pix 515 -- Number of connections per host?

gavinfoster
Level 1
Level 1

‎04-13-2011 06:07 AM - edited ‎03-11-2019 01:20 PM

Hello Experts,

On my Pix515E ASDM console I quite often see large surges in the total number of connections. I would like to find a convenient way to see what (or who) is causing this.

The command Show Local gives the answers but it returns details of each connection and I can't see a way to omit the detail. Show Conn Count just gives the total. Ideally I would like to get a summary of the number of connections (TCP/UDP) for each inside host. Is this possible?

On a related matter I have used........

static (inside,outside) 12.34.56.00 2.34.56.00 netmask 255.255.255.0 tcp 400 100 udp 200 

..........to limit the number of connections to a subnet.

This works and I see errors in the syslog when the limit is exceeded but when I change the limits and apply the changes, the syslog errors still show the previous limit being reached. How can I make changes to these connection limits take effect (without reloading the Pix)?

Many thanks

Labels:
0 Helpful
3 Replies 3

Shrikant Sundaresh
Cisco Employee
Cisco Employee

‎04-13-2011 06:26 AM

Hi Gavin,

Could you tell us which version of PIX you are running? The later versions do have modifications to the show local-host command to filter unnecessary data. If you tell the version you are running, then i can look up what options are available to you.

Secondly, I think you can run the command "clear xlate" to clear existing xlates, instead of rebooting the PIX. However, existing connections will get disconnected for a moment. So I would suggest to do this when minimal traffic is passing through the PIX.

Hope this helps.

-Shrikant

0 Helpful

gavinfoster
Level 1
Level 1
In response to Shrikant Sundaresh

‎04-13-2011 06:47 AM

Hi Shrikant,

Thanks for your reply.

The pix version number is 8.0(3) but I have another unit which has 8.0(4) which I will be using in this role soon. ASDM is 6.0(3)

Does "Clear "Xlate" only clear NAT translations or all connections?  Most of my traffic is using public IP addresses and not NATted.

Many thanks

Gavin

0 Helpful

brquinn
Level 1
Level 1
In response to gavinfoster

‎04-13-2011 09:02 AM

Gavin,

An easy way to test would be to creat a connection through your pix and then run the 'clear xlate' command and see if the session drops. The short answer is no, the conns are not torn down. When you run the 'clear xlate' command existing connections stay up.

After making changes to your conn or embryonic conn limits in your static, you need to clear the xlate before the changes will take effect. Note that you can also change these limits in the MPF. This is now the preferred method and it can be configured to be much more granular.

Ex:

access-list tcp_acl permit tcp 10.1.1.0 255.255.255.0 any

access-list tcp_acl permit tcp 10.2.2.0 255.255.255.0 any

!

class-map tcp_class

match access-list tcp_acl

!

policy-map global_policy

class tcp_class

  set connection per-client-max 100 per-client-embryonic-max 50

Thanks,

Brendan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card