06-22-2009 04:34 PM - edited 03-11-2019 08:46 AM
We've got a security server running Retina that recently ran away and opened up tens of thousands of connections through our PIX 515E to devices it's supposed to scan. This caused memory on the PIX to run low, caused dropped connections on other sessions running through the PIX, and generally made life unhappy. Quick solution was to unplug the server from the net, run a clear xlate, and put in a new access list with a line "deny ip host <server ip> any" in it to prevent it from reaching out again.
What I'm wondering is:
Is there a way to limit the number of TCP connections that particular host can initiate through the firewall?
Is there a way to clear ONLY the connections that host has opened, rather than the "clear xlate" command, which kills ALL the sessions running through the firewall? The SAs and DBAs get annoyed when all their SSH sessions drop.
PIX OS is 6.3.5(125)
06-22-2009 09:24 PM
On PIX running 6.3, you can do it using the max_conns/emb_limit options of the static command.
But PIX 6.3 does not verify the TCP checksum of packets transiting through the firewall. It holds the half-open TCP connection open until the embryonic timeout (2 minutes).
Because the firewall is holding a connection open, any additional packets with the same protocol, IP addresses, and ports will be treated as part of the existing half-open connection. In this case, a legitimate SYN packet following the malformed SYN will be discarded because it is outside of the window of acceptable sequence numbers established by the malformed packet.
However, if you upgrade to 7.0 or above, then you can try something like this to check for TCP connections coming in on any interface of the PIX.
access-list TCP-ACL permit tcp any any
class-map TCPX
match access-list TCP-ACL
policy-map global_policy
class TCPX
set connection conn-max 500
set connection embryonic-conn-max 200
set connection timeout embryonic 0:00:10
service-policy global_policy global
-------------------
You can refer to this doc.
http://www.cisco.com/warp/public/707/cisco-sr-20051128-pix.shtml
Hope this helps.
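Before applying a per-host clear or tuning conn-max / embryonic-conn-max, an admin usually wants to know which inside host is actually holding the connections and how many of them are still half-open. The script below is an added example, not code from the thread or from Cisco: it parses "show conn" style output (the line layout is assumed from PIX/ASA output and may differ by release; the sample lines are constructed), summarises connections per inside host, flags hosts that would exceed the thresholds from the policy above, and prints the targeted clear command suggested later in the thread. The flag letters treated as embryonic (s, S, a, A) are an assumption about the connection-flag notation.

```python
import re
from collections import defaultdict

# Constructed sample of "show conn" style output (format assumed; not real device output).
# 192.168.1.77 is a host that has started opening many half-open connections.
SAMPLE_SHOW_CONN = """\
TCP out 10.20.0.15:22 in 192.168.1.50:44120 idle 0:00:03 Bytes 18240 flags UIO
TCP out 10.20.0.7:445 in 192.168.1.77:50012 idle 0:00:01 Bytes 0 flags saA
TCP out 10.20.0.8:445 in 192.168.1.77:50013 idle 0:00:01 Bytes 0 flags saA
TCP out 10.20.0.9:445 in 192.168.1.77:50014 idle 0:00:00 Bytes 0 flags saA
TCP out 10.20.0.10:139 in 192.168.1.77:50015 idle 0:00:02 Bytes 512 flags UIO
UDP out 10.20.0.53:53 in 192.168.1.50:5353 idle 0:00:10 flags -
"""

# One connection line: proto, outside endpoint, inside endpoint, idle time,
# optional byte count, and the flag string.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>[\d:]+)(?:\s+Bytes\s+(?P<bytes>\d+))?"
    r"\s+flags\s+(?P<flags>\S+)"
)

# Assumed: a connection still waiting on a SYN or SYN-ACK carries one of these flags,
# which makes it embryonic (half-open) rather than established.
EMBRYONIC_FLAGS = set("sSaA")


def parse_conns(text):
    """Parse connection lines into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["embryonic"] = bool(EMBRYONIC_FLAGS & set(d["flags"]))
            conns.append(d)
    return conns


def per_host_summary(conns):
    """Count total, TCP and embryonic connections keyed by inside host IP."""
    summary = defaultdict(lambda: {"total": 0, "tcp": 0, "embryonic": 0})
    for c in conns:
        s = summary[c["in_ip"]]
        s["total"] += 1
        if c["proto"] == "TCP":
            s["tcp"] += 1
        if c["embryonic"]:
            s["embryonic"] += 1
    return dict(summary)


def offenders(summary, conn_max=500, embryonic_max=200):
    """Inside hosts exceeding the thresholds used in the policy-map above."""
    return sorted(
        ip for ip, s in summary.items()
        if s["tcp"] > conn_max or s["embryonic"] > embryonic_max
    )


def clear_commands(ips):
    """Targeted per-host clear (from the thread) instead of a global clear xlate."""
    return [f"clear xlate local {ip}" for ip in ips]


if __name__ == "__main__":
    summary = per_host_summary(parse_conns(SAMPLE_SHOW_CONN))
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["total"]):
        print(f"{ip:16} total={s['total']:5} tcp={s['tcp']:5} embryonic={s['embryonic']:5}")
    # Thresholds lowered so the small constructed sample produces a hit.
    for cmd in clear_commands(offenders(summary, conn_max=2, embryonic_max=2)):
        print(cmd)
```

Run it against a saved "show conn" capture to rank inside hosts by connection count; a host with a high embryonic share relative to its total is the one tying up the connection table before the embryonic timeout expires.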
06-23-2009 01:42 AM
Please refer to this link.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
Regards,
Sachin
06-23-2009 02:45 AM
An upgrade to 7.x or later is not an option at this time. And I don't know if the static command will work - keep in mind that the host here is INSIDE one firewall, reaching out to hosts outside that firewall and inside another. I'm trying to stop it at the inside interface of the first firewall.
06-23-2009 04:02 AM
You can use
clear xlate local ip_address command
06-23-2009 04:03 AM
Thanks - that appears to work - I'm going to test the procedure today.