Solved

ASA - UDP Connections Remaining Open

Posted on 2014-09-04
Last Modified: 2015-02-20
Hi Guys,

We are currently having an issue where UDP Connections are not timing out specifically around our DNS calls.

We have our connection limit set to 5000 and our Internal DNS Server continues to hit this on an almost hourly basis.

When I run a "sh conn count", I can see in excess of 5,000 UDP connections from the DNS Server to servers on the web.

The CONNS-POLICY looks as follows:

policy-map CONNS-POLICY
 class CONNS-MAP
  set connection per-client-max 5000 per-client-embryonic-max 2000 
  set connection timeout idle 2:00:00 dcd 
!

Timeout information is as follows:

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

I am not sure how best to approach allowing the DNS traffic outbound, or how others have managed such an issue.

Your input would be appreciated.
Question by:maccadu
LVL 62

Accepted Solution

by: gheist (earned 500 total points)
ID: 40306052
But you keep STATE (*) open for 2 hours!!! Check with your DNS server defaults, but normally it stops waiting for response in 5..60s depending on its age.

(*) UDP is connectionless; there is no connection open or closing.
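One way to act on this answer, shown here as an added configuration example that is not from the original thread: give UDP/53 flows their own class listed ahead of CONNS-MAP, so the 2-hour idle override never applies to them and they age out under the global "timeout udp 0:02:00" already present in the question. The class-map name DNS-MAP is an assumption, as is the ordering behaviour noted in the comments (the ASA applies the connection-limit/timeout feature from the first class a flow matches).

```cisco
! Added example, not from the thread. Assumption: the ASA takes the
! connection-limit/timeout settings from the first matching class, so the
! DNS class must appear before the general CONNS-MAP class.
class-map DNS-MAP
 match port udp eq domain
!
policy-map CONNS-POLICY
 class DNS-MAP
  ! keep the per-client cap, but set no idle timeout here so these flows
  ! use the global "timeout udp 0:02:00" rather than the 2-hour override
  set connection per-client-max 5000
 class CONNS-MAP
  set connection per-client-max 5000 per-client-embryonic-max 2000
  ! dcd probes only TCP peers; the 2-hour idle now applies to non-DNS flows
  set connection timeout idle 2:00:00 dcd
!
! Verification after the change: UDP/53 entries should now age out within
! two minutes instead of piling up toward the 5000 per-client limit.
show conn protocol udp port 53
show service-policy
```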
 
LVL 62

Expert Comment

by:gheist
ID: 40620711
Can you help me to understand what was wrong with my answer and DNS protocol description?
Do you have DNS responses that you get in 1-2h?
