
How many connections is too many?

We have a Sonicwall TZ180 running at our primary site.  The site is our "primary" site because it hosts our e-mail.  We have a Barracuda Spam 300 scanning all incoming mail.  All users outside of this office (we have two other offices) access e-mail via RPC over HTTP.  I am the only one with remote access ability.  Recently, I've noticed that sometimes, the users can get out, but I cannot get in.  That is, everyone within this office can access the Exchange server, network files, and the Internet without a hitch, but at our other two sites, users cannot access their e-mail and I cannot remote in.  I had one of my trusted users log in to the Sonicwall today and she said it was showing 370 connections.  After resetting the device, all was well.  I'm assuming these are incoming connections?  If so, what's a "good" number and what's a "bad" number?  Are these attacks from the outside?  Is there anything I can do to circumvent this problem?

2 Solutions
To save you a lot of hassle and headaches, try to sell or get rid of the SonicWall and pick up a Cisco PIX 500.  It will save you from having to reset the firewall.  We have clients with SonicWall firewalls and anytime a user cannot connect it's because it needs to be reset.  The Cisco firewalls that our clients have, have no problem.  Sorry for not answering the direct question.
Hugh Fraser (Consultant) commented:
According to the specs, 370 connections shouldn't be a problem, but that's not the only factor in the equation. If the pipe is saturated (it's rated for 10M) you might be introducing timeout issues that cause communication failures. It would be helpful to know what kind of response you get when you cannot log in remotely, and it would be good to know what the firewall reports is happening as well.

If the problem persists and nothing obvious shows up, you might try a protocol sniffer like Wireshark and a traffic monitor like ntop to get a good idea of what's happening on your network, how often you max out the bandwidth, what protocols are consuming the pipe, etc. to help both with debugging this problem and for capacity planning.

Of course, contacting Sonicwall's support may also help.

The SonicWall TZ180 should handle up to 6000 connections, so 300-400 connections should not stress the box at all.  There may be other issues causing the problem.  In response to HMSTN's post above, I do not recommend that you upgrade to the Pix.  Cisco makes a great firewall, and I do recommend them.  But, the newer platform is the ASA.  The Pix firewalls are pretty much at end of life.  Also, depending upon the number of users you have in the office, the SonicWall may be sufficient for your needs.

Probably a good next step is for you to review the logs to determine where the connections are coming from and going to.  These may be legitimate connections.

RLLSTech (Author) commented:
We have a 20 meg FiOS pipe coming in.  What am I looking for in the connections log?  I'm a seasoned Desktop and internal LAN tech, but when we start talking about the Internet, connections, and the like, it's over my head.

Thanks for the quick replies.
Hugh Fraser (Consultant) commented:
The problems you're seeing could be connection or traffic volume (timeout) related.

Here's a link that describes what to look for in SonicWall's log file and what alerts will be created:


Basically, it deals with Land, Ping-of-Death, Syn-flood, etc. attacks, tells you how to recognize them, and what the firewall does to mitigate the impact.

If, on the other hand, your problem is traffic volume, you'll need a network monitor to see what's happening. Some candidates are PRTG and Ntop. They'll show you if the 20M pipe is full, who's using it, and for what. Hook them in external to the firewall.

Things to watch for internally are people using streaming audio/video web services, P2P file sharing services, etc. Just a handful of these can consume the pipe pretty easily.
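
The log review suggested earlier in this thread (where connections come from and go to) and the half-open and Land-style signs mentioned above can be checked with a short script; this is an added example, not code from any poster or from SonicWall. The CSV layout, the 192.168.1.0/24 LAN range, the addresses and the threshold are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal subnet
HALF_OPEN_LIMIT = 3  # assumed threshold, sized for this tiny sample

# Constructed sample. The column layout is an assumption, not SonicWall's format.
SAMPLE = """src_ip,src_port,dst_ip,dst_port,proto,state
192.168.1.20,51512,198.51.100.7,443,tcp,ESTABLISHED
192.168.1.21,51600,198.51.100.7,80,tcp,ESTABLISHED
203.0.113.5,40001,192.168.1.10,443,tcp,ESTABLISHED
203.0.113.5,40002,192.168.1.10,443,tcp,ESTABLISHED
203.0.113.99,1025,192.168.1.10,25,tcp,SYN_RECEIVED
203.0.113.99,1026,192.168.1.10,25,tcp,SYN_RECEIVED
203.0.113.99,1027,192.168.1.10,25,tcp,SYN_RECEIVED
192.168.1.10,25,192.168.1.10,25,tcp,SYN_RECEIVED
"""

def summarize(text, lan=LAN, half_open_limit=HALF_OPEN_LIMIT):
    """Tally connections by direction, source and service; flag odd entries."""
    direction, sources, services, half_open = Counter(), Counter(), Counter(), Counter()
    land = []
    for row in csv.DictReader(io.StringIO(text)):
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        if src == dst and row["src_port"] == row["dst_port"]:
            land.append(row)  # Land-style entry: source equals destination
            continue
        if src in lan and dst not in lan:
            direction["outbound"] += 1
        elif src not in lan and dst in lan:
            direction["inbound"] += 1
        else:
            direction["other"] += 1
        sources[str(src)] += 1
        services[(row["proto"], int(row["dst_port"]))] += 1
        if row["state"] == "SYN_RECEIVED":  # handshake never completed
            half_open[str(src)] += 1
    return {
        "direction": dict(direction),
        "top_sources": sources.most_common(3),
        "top_services": services.most_common(3),
        "half_open_suspects": sorted(ip for ip, n in half_open.items() if n >= half_open_limit),
        "land": land,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A high inbound count concentrated on one source with many half-open entries points toward a flood, while a table dominated by outbound entries from a few LAN hosts points toward internal usage such as streaming or P2P.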
RLLSTech (Author) commented:
I played with ntop a little @ home last night.  I'm going to attempt to compile it today on an x86 platform.  Thankfully, there's a guide for non-programmers walking step-by-step through how to do so.
I'll report back later with the results.
RLLSTech (Author) commented:
I haven't had time to mess with this since last week.  Thanks for all the help everyone.  I'll post up results when I get back to it later on this week.