set connection per-client-max
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2008 09:50 AM - edited 03-11-2019 06:30 AM
Hello,
I have an issue with some users that open up obsurd numbers of connections through the firewall at times due to filesharing, poorly written web apps, etc. I'd like to limit the number of connections per-host to say.. 100.
I've implemented the following configuration on a PIX515E running 7.2(4) and supporting about 100 users as a test before I implement it on our ASA5520s with 7.2(4) which support around 3000 users.
access-list limit-conns extended deny ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list limit-conns extended deny ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list limit-conns extended permit ip 10.4.5.0 255.255.255.0 any
access-list limit-conns extended deny ip any any
class-map CONNS
match access-list limit-conns
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
inspect pptp
class CONNS
set connection per-client-max 75
service-policy global_policy global
It seems to be working, because from time-to-time I'll see the following messages in the syslog:
Aug 12 2008 11:53:22: %PIX-3-201013: Per-client connection limit exceeded 75/75 for input packet from 10.4.5.183/2351 to 67.192.167.5/80 on interface inside
I have a perl script that I created that will log into the firewall and parse the connection data so I have an idea of who has how many connections open... With the above config in place and even when I see the syslog message, I check the connection counts and see hosts with 150-ish connections at times.
From what I have read, the policy should enforce the 75 connection limit shouldn't it? Is there somthing I'm missing? THanks.
- Labels:
-
NGFW Firewalls
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2008 11:19 AM
I think the 75 is the limit for the connections 'initated' by the host and not the ones in which the initial SYN came from the other side (as in other hosts connecting to it). As per the Cisco Docs:
"A client is defined as the host that sends the initial packet of a connection (that builds the new connection) through the security appliance"
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1384541
do a "show conn det | inc
Regards
Farrukh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2008 11:33 AM
Hello, Thanks for the reply. I have read the documentation and I'm glad I understand it the same way you do. Here's an example of what I'm looking at. THis host has 155 connections open, yet the flags do not indicate that the connection is outside-back
See the Attachment. Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-12-2008 11:59 AM
See most of these connections have the FIN bit set (fF). They are just waiting to be removed I guess. I don't know what flags they check. Perhaps someone from the ASA dev/TAC team can shed light on this.
Regards
Farrukh
