Solved

ASA - UDP Connections Remaining Open

Posted on 2014-09-04
2
248 Views
Last Modified: 2015-02-20
Hi Guys,

We are currently having an issue where UDP Connections are not timing out specifically around our DNS calls.

We have our connection limit set to 5000 and our Internal DNS Server continues to hit this on an almost hourly basis.

When I run a "sh conn count", I can see in excess of 5,000 UDP connections from the DNS Server to servers on the web.

The CONNS-POLICY looks as follows:

policy-map CONNS-POLICY
 class CONNS-MAP
  set connection per-client-max 5000 per-client-embryonic-max 2000 
  set connection timeout idle 2:00:00 dcd 
!

Open in new window


Timeout information is as follows:

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

Open in new window


I am not sure how to best approach allow the DNS traffic outbound or how others have managed such an issue.

Your input would be appreciated.
0
Comment
Question by:maccadu
  • 2
2 Comments
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 40306052
But you keep STATE (*) open for 2 hours!!! Check with your DNS server defaults, but normally it stops waiting for response in 5..60s depending on its age.

(*) UDP is connectionless, ther is no connection open or closing
0
 
LVL 61

Expert Comment

by:gheist
ID: 40620711
Can you help me to understand what was wrong with my answer and DNS protocol description?
Do you have DNS responses that you get in 1-2h?
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article is a how to to configure a UCS Ethernet-uplink portchannel via the console. It is easy to do and can be done quite quickly. In certain versions of the UCS manager the portchannel has issues coming up and this is a workaround. I am…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now