
TCP Connection limited to 30 ?


netwalker1

Dear All:
I am using a PIX 525 with OS 7.2(2) and I noticed that the number of TCP sessions is limited to 30 only!

This is making a huge problem with our systems ...

Any advice?

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Change it. :)


The connections limit can be changed by altering the max conns parameter on your translations. Can you post the static trans from your config?

 
I am using the default translation options for all the servers ...

static (inside,outside) Public IP Internal IP netmask 255.255.255.255

Even more, I changed it to be

static (inside,outside) Public IP Internal IP netmask 255.255.255.255 tcp 500 400

Without success ...

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
The following syslog message:

0.0.0.0 Unknown Error 27th Apr 2008, 07:59:59 %PIX-3-201011:
Connection limit exceeded 30/30 for inbound packet from <Public IP>/60798 to <my Email Server Public IP>/25 on interface outside


Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Also - by the old technique :
show conn | i <my Email Server Name>

and counting the output connections ...

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
You could also see all the policy settings applied to a flow by doing the following:

show service-policy flow tcp host <Public IP> host <my Email Server Public IP> eq 25



This will show you if there are any connection limits being applied to this particular flow.

 
The default map is applied,
and there is nothing inside this policy other than the default inspection parameters.

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Cisco Vendor asked me to upgrade the OS to 7.2(3) instead of 7.2(2) ...

They say that it's maybe a bug!!!

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
Till now I haven't gotten any real response from Cisco TAC!
We keep sending them emails, without a highly qualified answer ...!

Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
 
I think it has been solved ...

When we upgraded from 6.3 to 7.2,
there was a limitation on the static command of 30 connections ...

The command is not available now, but I believe that the upgrade hardened the code somewhere and the configuration file is not able to overcome this limitation anymore ...

Anyway, I removed the static command for the affected server and I recreated the static commands again ...

and I am feeling that today I can open more than 30 sessions ...

I am waiting to check the syslog server to see if the syslog messages are still arriving to us or not ...



Mohamed Farid
Know Me No Pain , No Me Know Pain !!!
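
One way to do the syslog check mentioned in the last post, as an added example that is not part of the original thread: it scans collected firewall syslog text for `%PIX-3-201011` events and reports, per destination host and port, how many were logged and which limit value was being enforced. The sample log, the addresses and the function name `summarize_limit_hits` are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout taken from the %PIX-3-201011 line quoted in the thread; \s also
# matches a newline, so a message wrapped after the colon still parses.
LIMIT_RE = re.compile(
    r"%(?:PIX|ASA)-3-201011:\s*Connection limit exceeded\s+"
    r"(?P<count>\d+)/(?P<limit>\d+)\s+for\s+(?P<direction>\w+)\s+packet\s+"
    r"from\s+(?P<src>\S+)/(?P<sport>\d+)\s+"
    r"to\s+(?P<dst>\S+)/(?P<dport>\d+)\s+on\s+interface\s+(?P<iface>[\w-]+)"
)

# Constructed sample log (documentation addresses), not data from the thread.
SAMPLE_LOG = """\
Apr 27 2008 07:59:58 %PIX-6-302013: Built inbound TCP connection 4101 for outside:203.0.113.7/60790 (203.0.113.7/60790) to inside:10.0.0.25/25 (198.51.100.25/25)
Apr 27 2008 07:59:59 %PIX-3-201011: Connection limit exceeded 30/30 for inbound packet from 203.0.113.7/60798 to 198.51.100.25/25 on interface outside
Apr 27 2008 08:00:03 %PIX-3-201011:
Connection limit exceeded 30/30 for inbound packet from 203.0.113.9/41222 to 198.51.100.25/25 on interface outside
Apr 27 2008 08:00:07 %PIX-3-201011: Connection limit exceeded 30/30 for inbound packet from 203.0.113.7/60811 to 198.51.100.25/25 on interface outside
"""


def summarize_limit_hits(log_text):
    """Group 201011 events by destination host/port and enforced limit."""
    summary = defaultdict(lambda: {"events": 0, "limits": set(), "sources": set()})
    for m in LIMIT_RE.finditer(log_text):
        entry = summary[(m["dst"], int(m["dport"]))]
        entry["events"] += 1
        # A limit of 30 in new events means the old cap is still enforced.
        entry["limits"].add(int(m["limit"]))
        entry["sources"].add(m["src"])
    return dict(summary)


if __name__ == "__main__":
    for (dst, port), e in summarize_limit_hits(SAMPLE_LOG).items():
        print(f"{dst}:{port} events={e['events']} "
              f"limits={sorted(e['limits'])} sources={sorted(e['sources'])}")
```

Run against log text collected after the static entries were recreated, an empty result means no further limit events arrived, while a changed limit value shows that a new per-static limit is the one being enforced.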
 