05-24-2012 02:38 AM - edited 03-07-2019 06:52 AM
Hello,
I'm looking for a solution to the following problem:
Soon I'll have about 15k devices that connect to my company, each using a TCP connection to verify that the devices and connections are still functioning properly. Each device will connect every few minutes. To reduce the load on the server I'd like to limit the amount of TCP connections per device per minute.
Is this possible with a router?
Which series of routers will I be looking at? (since I'm pretty sure this isn't possible/viable on a small business router)
Is it better to keep the TCP connection alive or to terminate it after it's done (short and low bandwidth connections)?
05-24-2012 03:12 AM
It was a rather old function called TCP Intercept. You may use it.
Then it was converted into CBAC (Content-based Access Control). It is also applicable.
Now it is ZBF (Zone-based Firewalling). It is most modern and you also may use it.
You need an ISR or ISR G2 with Advanced Security IOS (or Security license) and appropriate performance.
Killing or retaining TCP session is based on your application, I think.
05-25-2012 02:21 AM
I checked out ZBF and it looks like it's only capable of terminating half open connections, but not preventing new connections from the same IP without affecting connections from other IPs.
05-25-2012 10:27 AM
You should use a config like this:
parameter-map type inspect TCP_PARAMS
one-minute high 100
one-minute low 10
class-map type inspect TCP
match ...
policy-map type inspect TCP_POLICY
class type inspect TCP
inspect tcp TCP_PARAMS
and apply it to zone-pair. It will not work per host, but you may restrict an overall number of connections per minute for a group of hosts (configuring match statement in class-map).
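A complete zone-based firewall configuration built around the parameter-map above, as an added example that is not from the original thread; the interface names, the 192.0.2.0/24 device range and server port 5000 are assumed placeholders. The one-minute thresholds count new, not-yet-established (half-open) sessions across everything the class matches, not per source host.

```cisco
! Added example: aggregate connection-rate limiting with ZBF on an ISR.
! Assumed values: device subnet 192.0.2.0/24, server port 5000,
! Gi0/0 facing the devices (OUTSIDE), Gi0/1 facing the server (INSIDE).

! Thresholds on NEW (half-open) sessions per minute for all traffic the class matches.
! Above 'high' the router starts dropping half-open sessions until the rate falls below 'low'.
parameter-map type inspect TCP_PARAMS
 one-minute high 100
 one-minute low 10
 ! Per-host cap on simultaneous half-open sessions (the only per-host knob here);
 ! a host over the cap is blocked for the given number of minutes.
 tcp max-incomplete host 20 block-time 1

! Only the alarm devices talking to the server port are subject to the thresholds.
ip access-list extended ALARM_DEVICES
 permit tcp 192.0.2.0 0.0.0.255 any eq 5000

class-map type inspect match-all ALARM_TCP
 match access-group name ALARM_DEVICES
 match protocol tcp

policy-map type inspect TCP_POLICY
 class type inspect ALARM_TCP
  inspect TCP_PARAMS
 class class-default
  drop log

zone security OUTSIDE
zone security INSIDE

interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE

! The policy only takes effect once attached to the zone-pair.
zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect TCP_POLICY
```

Check the live session and drop counters with `show policy-map type inspect zone-pair OUT_TO_IN` to confirm the thresholds are actually being hit before tuning them.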
05-29-2012 12:10 AM
I'll give you some background.
I'm working for an independent alarm central/control room.
Soon providers will stop with analog connections so we'll have to switch all devices to IP.
We want to use this transition to improve our service (an end-to-end test now happens as standard once every day) to end-to-end tests every 5 min. But alarm devices are known to have a technical hiccup once in a while which makes them try to connect more than they should, which may put the server under (too much) stress.
It's not possible to limit the total amount of TCP connections, since if a few are acting up, the amount of TCP connections will be saturated and a real alarm might be dropped.
At this moment I gave up on the idea of being able to do that on the router (which would have saved costs), but now I'm looking into whether it's possible with Snort.