10-17-2013 09:56 AM - edited 03-11-2019 07:53 PM
I have a customer who ran into a situation the other day where one of their websites was down because it was receiving too many HTTP POST requests; the POST requests filled the queue on their server and it was timing out for other clients. Is there a way I am able to set up the ASA so it will restrict how many connections are allowed per second/minute from one IP? Thanks in advance!
10-17-2013 10:20 AM
Hi,
Let me start off by saying that I have not played around with these settings that many times myself. I have usually set connection timeout values for certain connections more than used connection limits.
Wonder if something along these lines would work:
access-list WEB-SERVER-CONNECTIONLIMIT extended permit tcp any host
access-list WEB-SERVER-CONNECTIONLIMIT extended permit tcp any host
class-map WEB-SERVER-CONNECTIONLIMIT
 match access-list WEB-SERVER-CONNECTIONLIMIT
policy-map global_policy
 class WEB-SERVER-CONNECTIONLIMIT
  set connection per-client-max
I am not sure, but to my understanding the destination IP address you use in the ACL depends on your software. I am using 8.4(5), so I actually used the local IP address as the destination of the ACL even though the host was static NATed to a public IP address.
- Jouni
10-24-2013 01:55 PM
Thanks for the reply Jouni. I think I will have to give this a shot.
set connection per-client-max
Is per-client-max referring to how many times one IP is allowed to make connections? What would you recommend for the embryonic-max value?
Thanks!
10-24-2013 02:20 PM
Hi,
Yes, to my understanding the first one sets the connection limit for one source IP address.
As I said, I have not used this configuration that much myself. But as an embryonic connection refers to a connection that hasn't fully formed, I would imagine this would not need to be a very high value, since there should not be that many connections from a single source IP address that have not fully formed. If there were, it would most likely be a situation where the client was only sending TCP SYNs to the target server with the intention to disrupt the server operation.
- Jouni
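Putting the two answers above together, here is a complete version of the configuration Jouni sketched, with the per-client limit and the embryonic limit on one line in the syntax the ASA actually expects. This is an added example written for this thread, not Jouni's or Cisco's own configuration: WEB_SERVER_REAL_IP and SUSPECT_CLIENT_IP are placeholders, and every numeric limit is an illustrative starting value, not a recommendation for any specific site.

```text
! Added example, not from the thread. Replace the placeholders before use.
! WEB_SERVER_REAL_IP = the server's real (inside) address on ASA 8.3 and later;
!                      pre-8.3 images match the translated (public) address instead,
!                      which is the software dependency Jouni mentions.
access-list WEB-SERVER-CONNECTIONLIMIT extended permit tcp any host WEB_SERVER_REAL_IP eq www
access-list WEB-SERVER-CONNECTIONLIMIT extended permit tcp any host WEB_SERVER_REAL_IP eq https
!
class-map WEB-SERVER-CONNECTIONLIMIT
 match access-list WEB-SERVER-CONNECTIONLIMIT
!
policy-map global_policy
 class WEB-SERVER-CONNECTIONLIMIT
  ! total connections to the server, and total half-open (embryonic) ones
  set connection conn-max 2000 embryonic-conn-max 500
  ! connections from any single source IP, and half-open ones from a single source IP
  set connection per-client-max 50 per-client-embryonic-max 10
  ! drop half-open connections faster than the 30 second default
  set connection timeout embryonic 0:00:20
!
! global_policy is normally already applied on a default install; shown for completeness
service-policy global_policy global
!
! Verification: confirm the class is hit and see current counts against the limits
show service-policy
show conn address WEB_SERVER_REAL_IP
show local-host SUSPECT_CLIENT_IP
```

per-client-max is the answer to the question asked above: it caps the number of simultaneous connections a single source IP may hold to the matched server, and per-client-embryonic-max caps how many of those may be half-open (SYN sent, handshake not completed). When an embryonic limit is reached the ASA starts answering the handshake on the server's behalf (TCP intercept), so SYNs that are never completed stop occupying the server's queue. Two caveats worth checking before settling on values: many legitimate users behind one corporate or carrier NAT share a single source IP and therefore share the per-client budget, so a limit that is too low locks them out together; and a per-client limit only helps when the POST flood comes from a small number of addresses, which is why the conn-max values protecting the server as a whole are included. Watch the ASA's connection-limit syslog messages after enabling this and adjust the numbers to the site's observed traffic.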