How to configure nconns econns with static command on IOS 5.1(2)

api
Level 1

Based on the %PIX-3-201002 message, I've tried to configure nconns

using the following syntax:

static aaa.bbb.ccc.xxx aaa.bbb.ccc.xxx netmask 255.255.255.255 nconns econns

Unfortunately, without any success. Does somebody know how to do that?

4 Replies

gfullage
Cisco Employee

What exactly is the problem here? Can you even enter the command and it then doesn't work the way you think it should, or are you getting some sort of syntax error when you type the command in?

The format is:

static (inside,outside) a.b.c.d a.b.c.d netmask 255.255.255.255 x y

where x is the maximum number of connections allowed through to the internal host, and y is the maximum number of half-open (incomplete TCP 3-way handshake) connections allowed through.

Of course your interfaces don't have to be "inside" and "outside" specifically, they can be whatever interfaces you have in the PIX.

There is an MS Exchange Server sending a growing bunch of mails, sometimes about 3000 a day. The server has more and more problems delivering the mail in time. The SMTP log says "Unknown Host", and at the same time the PIX syslog says "PIX-3-201002...".

I do not get a syntax error. But if I type "show xlate", nconns and econns will not be shown. When I type in "show xlate count" nothing happens, no result, just pix>.

Thank you for supporting me.

gfullage
Cisco Employee

If you're getting the 201002 syslog message, then that means you've specified an econns/nconns limit on the static for that Exchange server. If you're overrunning that limit then why not just set them to "0" then there's no limit on the number of connections that server can use up.

A "sho xlate" will not show you the values for nconns and econns, you have to do a "sho static" for that, but that's really just showing you the statics you have defined in your configuration.

Try a "sho conn count" when the problem happens.
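Since "sho xlate" does not display the limits and "sho static" only echoes the configuration, the quickest way to answer "which limits apply to the host named in a 201002 message?" is to read them out of a saved config. The following Python script is an added example, not from the thread or from Cisco: it parses one-to-one static lines in the form the replies above describe (static (real_if,mapped_if) global local netmask mask [nconns [econns]] [norandomseq]), looks up the limits for a given address, and flags statics whose econns or nconns is 0 (the "no limit" setting suggested above), since an econns of 0 means the PIX will not cap half-open TCP connections to that host. The configuration text, interface names and addresses are constructed for the example.

```python
import re

# One-to-one static in the PIX 5.x/6.x form discussed in the thread:
#   static (inside,outside) global_ip local_ip netmask 255.255.255.255 [nconns [econns]] [norandomseq]
# A missing or 0 limit means "no limit" (assumed default, as the reply above describes for 0).
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<real>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"netmask\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(?P<nconns>\d+)(?:\s+(?P<econns>\d+))?)?"
    r"(?:\s+norandomseq)?\s*$"
)

# Constructed sample configuration (not a real device's config).
CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.25 10.1.1.25 netmask 255.255.255.255 500 100
static (inside,outside) 192.0.2.30 10.1.1.30 netmask 255.255.255.255
static (dmz,outside) 192.0.2.40 172.16.0.40 netmask 255.255.255.255 0 50 norandomseq
"""


def parse_statics(config_text):
    """Return one dict per static line; absent limits are recorded as 0 (no limit)."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # not a one-to-one static (nameif, access-list, etc.)
        entries.append({
            "real_if": m["real_if"].strip(),
            "mapped_if": m["mapped_if"].strip(),
            "mapped_ip": m["mapped"],
            "real_ip": m["real"],
            "nconns": int(m["nconns"] or 0),
            "econns": int(m["econns"] or 0),
            "explicit_limits": m["nconns"] is not None,
        })
    return entries


def limits_for(config_text, address):
    """Look up (nconns, econns) for a host by its global or local address.

    Returns None when no static covers that address."""
    for s in parse_statics(config_text):
        if address in (s["mapped_ip"], s["real_ip"]):
            return (s["nconns"], s["econns"])
    return None


def audit_statics(config_text):
    """Flag statics with no limit on total or embryonic (half-open) connections.

    Returns a list of (local_ip, code, message) tuples."""
    findings = []
    for s in parse_statics(config_text):
        where = f"{s['real_ip']} ({s['real_if']}) via {s['mapped_ip']} ({s['mapped_if']})"
        if s["nconns"] == 0:
            findings.append((s["real_ip"], "NO_CONN_LIMIT",
                             f"{where}: nconns is 0, total connections are uncapped"))
        if s["econns"] == 0:
            findings.append((s["real_ip"], "NO_ECONN_LIMIT",
                             f"{where}: econns is 0, half-open TCP connections are uncapped"))
    return findings


if __name__ == "__main__":
    for real_ip, code, msg in audit_statics(CONFIG):
        print(f"{code:16} {msg}")
    print("limits for 192.0.2.25:", limits_for(CONFIG, "192.0.2.25"))
```

Feed it the output of "write terminal" (or the saved config) for a real device; the address reported in the 201002 message can be passed to limits_for to see which static and which limit the host is hitting.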

Thanks a lot. That's what I've done during the morning. I have also tested the new config by sending an email to about 300 recipients without any problem. Do you think no limit for econns is dangerous in case of SYN attacks? Some commands like sho perfmon will not work with 5.1(2), is that right?

Kind regards,

Axel