How many connections is too many?

We have a Sonicwall TZ180 running at our primary site.  The site is our "primary" site because it hosts our e-mail.  We have a Barracuda Spam 300 scanning all incoming mail.  All users outside of this office (we have two other offices) access e-mail via RPC over HTTP.  I am the only one with remote access ability.  Recently, I've noticed that sometimes, the users can get out, but I cannot get in.  That is, everyone within this office can access the Exchange server, network files, and the Internet without a hitch, but at our other two sites, users cannot access their e-mail and I cannot remote in.  I had one of my trusted users log in to the Sonicwall today and she said it was showing 370 connections.  After resetting the device, all was well.  I'm assuming these are incoming connections?  If so, what's a "good" number and what's a "bad" number?  Are these attacks from the outside?  Is there anything I can do to circumvent this problem?

RLLSTech Asked:

HMSTN Commented:
To save you a lot of hassle and headaches, try to sell or get rid of the sonicwall and pick up a cisco pix 500.  It will save you from having to reset the firewall.  We have clients with sonicwall firewalls and anytime a user cannot connect it's b/c it needs to be reset.  The cisco firewalls that our clients have, have no problem.  Sorry for not answering the direct question.
0
Hugh Fraser, Consultant, Commented:
According to the specs, 370 connections shouldn't be a problem, but that's not the only factor in the equation. If the pipe is saturated (it's rated for 10M) you might be introducing timeout issues that cause communication failures. It would be helpful to know what kind of response you get when you cannot log in remotely, and it would be good to know what the firewall reports is happening as well.

If the problem persists and nothing obvious shows up, you might try a protocol sniffer like Wireshark and a traffic monitor like ntop to get a good idea of what's happening on your network, how often you max out the bandwidth, what protocols are consuming the pipe, etc. to help both with debugging this problem and for capacity planning.

Of course, contacting Sonicwall's support may also help.
0

TNL_Engr Commented:
RLLSTech,

The SonicWall TZ180 should handle up to 6000 connections, so 300-400 connections should not stress the box at all.  There may be other issues causing the problem.  In response to HMSTN's post above, I do not recommend that you upgrade to the Pix.  Cisco makes a great firewall, and I do recommend them.  But, the newer platform is the ASA.  The Pix firewalls are pretty much at end of life.  Also, depending upon the number of users you have in the office, the SonicWall may be sufficient for your needs.

Probably a good next step is for you to review the logs to determine where the connections are coming from and going to.  These may be legitimate connections.
0
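One way to see where the connections are coming from and going to, as an added example that is not from any poster or from SonicWall: it assumes the connection list has been exported to CSV with the hypothetical column names shown and that the LAN is 192.168.1.0/24; the sample rows are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal subnet

# Constructed sample rows; the column names are hypothetical.
SAMPLE = """src_ip,src_port,dst_ip,dst_port,proto
203.0.113.10,50112,192.168.1.5,443,tcp
203.0.113.10,50113,192.168.1.5,443,tcp
203.0.113.10,50114,192.168.1.5,443,tcp
198.51.100.7,40001,192.168.1.5,443,tcp
198.51.100.22,41000,192.168.1.6,25,tcp
192.168.1.40,51000,192.0.2.80,80,tcp
192.168.1.40,51001,192.0.2.81,6881,tcp
192.168.1.41,52000,192.0.2.90,443,tcp
"""


def summarize(text, lan=LAN, top=3):
    """Split connections by who initiated them and count the heaviest talkers."""
    in_src, in_port, out_host = Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(text)):
        src = ipaddress.ip_address(row["src_ip"])
        if src in lan:
            # Initiated from inside the office: outbound.
            out_host[str(src)] += 1
        else:
            # Initiated from outside: inbound; record which service it reached.
            in_src[str(src)] += 1
            in_port[int(row["dst_port"])] += 1
    return {
        "inbound": sum(in_src.values()),
        "outbound": sum(out_host.values()),
        "top_inbound_sources": in_src.most_common(top),
        "inbound_ports": in_port.most_common(top),
        "top_outbound_hosts": out_host.most_common(top),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A single outside address holding most of the inbound connections, or one LAN host holding most of the outbound ones, is the first thing to look at in the result.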

RLLSTech (Author) Commented:
We have a 20 meg FiOS pipe coming in.  What am I looking for in the connections log?  I'm a seasoned Desktop and internal LAN tech, but when we start talking about the Internet, connections, and the like, it's over my head.

Thanks for the quick replies.
0
Hugh Fraser, Consultant, Commented:
The problems you're seeing could be connection or traffic volume (timeout) related.

Here's a link that describes what to look for in SonicWall's log file and what alerts will be created:

ftp://ftp.sonicwall.com/pub/info/denial_of_service_attacks.pdf

Basically, it deals with Land, Ping-of-Death, Syn-flood, etc. attacks, tells you how to recognize them, and what the firewall does to mitigate the impact.

If, on the other hand, your problem is traffic volume, you'll need a network monitor to see what's happening. Some candidates are PRTG and Ntop. They'll show you if the 20M pipe is full, who's using it, and for what. Hook them in external to the firewall.

Things to watch for internally are people using streaming audio/video web services, P2P file sharing services, etc. Just a handful of these can consume the pipe pretty easily.
0
RLLSTech (Author) Commented:
I played with ntop a little @ home last night.  I'm going to attempt to compile it today on an x86 platform.  Thankfully, there's a guide for non-programmers walking step-by-step through how to do so.
I'll report back later with the results.
0
RLLSTech (Author) Commented:
I haven't had time to mess with this since last week.  Thanks for all the help everyone.  I'll post up results when I get back to it later on this week.
0