Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4638
Views
0
Helpful
3
Replies

set connection per-client-max

rtjensen4
Level 4
Level 4

‎08-12-2008 09:50 AM - edited ‎03-11-2019 06:30 AM

Hello,

I have an issue with some users that open up obsurd numbers of connections through the firewall at times due to filesharing, poorly written web apps, etc. I'd like to limit the number of connections per-host to say.. 100.

I've implemented the following configuration on a PIX515E running 7.2(4) and supporting about 100 users as a test before I implement it on our ASA5520s with 7.2(4) which support around 3000 users.

access-list limit-conns extended deny ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

access-list limit-conns extended deny ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0

access-list limit-conns extended permit ip 10.4.5.0 255.255.255.0 any

access-list limit-conns extended deny ip any any

class-map CONNS

match access-list limit-conns

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect http

inspect ils

inspect pptp

class CONNS

set connection per-client-max 75

service-policy global_policy global

It seems to be working, because from time-to-time I'll see the following messages in the syslog:

Aug 12 2008 11:53:22: %PIX-3-201013: Per-client connection limit exceeded 75/75 for input packet from 10.4.5.183/2351 to 67.192.167.5/80 on interface inside

I have a perl script that I created that will log into the firewall and parse the connection data so I have an idea of who has how many connections open... With the above config in place and even when I see the syslog message, I check the connection counts and see hosts with 150-ish connections at times.

From what I have read, the policy should enforce the 75 connection limit shouldn't it? Is there somthing I'm missing? THanks.

Labels:
0 Helpful
3 Replies 3

Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-12-2008 11:19 AM

I think the 75 is the limit for the connections 'initated' by the host and not the ones in which the initial SYN came from the other side (as in other hosts connecting to it). As per the Cisco Docs:

"A client is defined as the host that sends the initial packet of a connection (that builds the new connection) through the security appliance"

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1384541

do a "show conn det | inc " and see the FLAGS of the connections. (only valid for TCP). You will find some are initiated from the other side. If these hosts are on the inside, the outside-initated connections will have UIOB flag (B = Initated from Outside)

Regards

Farrukh

0 Helpful

rtjensen4
Level 4
Level 4
In response to Farrukh Haroon

‎08-12-2008 11:33 AM

Hello, Thanks for the reply. I have read the documentation and I'm glad I understand it the same way you do. Here's an example of what I'm looking at. THis host has 155 connections open, yet the flags do not indicate that the connection is outside-back

See the Attachment. Thanks!

Preview file
42 KB
0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to rtjensen4

‎08-12-2008 11:59 AM

See most of these connections have the FIN bit set (fF). They are just waiting to be removed I guess. I don't know what flags they check. Perhaps someone from the ASA dev/TAC team can shed light on this.

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card