Connection per sec limit reached in ASA 5550, need ideas for temporary relief

Posted on 2015-01-16
Last Modified: 2015-01-17
I have a Cisco ASA 5550 that is seeing performance issues due to the sheer number of packets per sec. Per Cisco documentation it can support 35k conn/sec. From this command, I understand this is the average connections per sec, which is well over.

CiscoASA550# sho conn count
58395 in use, 73811 most used

This is causing input errors on the inside interface, over and under runs.

One idea I have to lower the amount of connections is to lower the "timeout conn" value to drop idle connections quicker.

How low can I safely go? This firewall is mostly used to NAT a connection to load balancers, for web browsing.

Next idea, but I'm not sure if I'm right. If I change the default ASA MSS from 1380 to:

sysopt connection tcpmss 1460
sysopt connection tcpmss minimum 0

Would that help? I don't know if it would lower connections, I think it would just help throughput.

Any ideas to safely lower connection counts until hardware is upgraded are appreciated.
Question by:LIBBB
LVL 57

Expert Comment

ID: 40553344
Changing the MSS will do nothing dealing with the number of connections. That just changes the maximum amount of data that will be put into an IP packet, and 1460 is the most you can get in a 1500 byte Ethernet frame.

Now packets per second and connections per second are two totally different things.  The 5500 can support over 1 Gbps total for every interface, so if you have two interfaces it would be over 500 in/out on one and over 500 in/out on the other one.

My guess is your ISP connection is getting saturated before your ASA is.

What is the link utilization (bits per second) on each of the interfaces?

Author Comment

ID: 40553376
Thanks, was pretty sure the MSS wouldn't change connection count.

Here is the interface with by far the highest use:

 Traffic Statistics for "inside":
        4220759481 packets input, 2964146176657 bytes
        4240928593 packets output, 3403588211089 bytes
        5324610 packets dropped
      1 minute input rate 61697 pkts/sec,  46811779 bytes/sec
      1 minute output rate 59082 pkts/sec,  46080115 bytes/sec
      1 minute drop rate, 38 pkts/sec
      5 minute input rate 62187 pkts/sec,  45651791 bytes/sec
      5 minute output rate 59900 pkts/sec,  46900026 bytes/sec
      5 minute drop rate, 53 pkts/sec
LVL 57

Expert Comment

ID: 40553401
O.K., but you have to combine all the interfaces.

Some specs for the 5550 (full specs here):

1.2 Gbps total system throughput
33,000 NEW connections per second,
650,000 total connections

If you are peaking at 70K total connections, I doubt very much you are hitting 33K new connections per second.  

However, 40MB/s is about 320 Mbits per second. If you are doing that in and out on that interface that is about 620Mb/s on that single interface, which is 50% of what the box's throughput is. Also if you are doing that on that interface, then you should be doing that much traffic on the other interfaces combined; all the traffic on that interface needs to be going someplace and coming from someplace.

You know your environment, does 40MB/s sound right?

Author Comment

ID: 40553451
You know... I think I read some bad information online. It was explaining how the show conn count was actually connections per second. So, I assumed it was way past the 33K. Now I found this command:

ASA5550# sho resource usage all resource rate ?

Rate-measured Resource Names:
  Conns     Connections/sec

ASA5550# sho resource usage all resource rate conns
Resource              Current         Peak      Limit        Denied Context
Conns [rate]              760         8298        N/A             0 System

Let me combine all the interfaces to see total throughput...

Author Comment

ID: 40553549
Unless I did my math wrong, that would be the problem. I added up all the 5 minute in/out rates in bytes/sec:

Total of 280140977 bytes

or 2.24 Gbps
LVL 57

Expert Comment

ID: 40553672
Um, I'll have to re-read. It could be that you only add up "one side" of an interface. That is, inbound on all interfaces.

If that is true, then you would be at about 1/2 of that, or 1.1 Gbps, which is at the box's limit.

Is the traffic you are seeing "normal" and what you would expect? I am assuming that to get that much traffic you are filtering traffic between LANs within your network, unless you have a 1 Gbps Internet link.

Author Comment

ID: 40553752
Yep, I did packet captures yesterday. Did not see any unusual traffic.

We have two, 1Gbps links.
LVL 57

Expert Comment

ID: 40554031
Then it looks like you are maxing out the limits of a 5550.
LVL 57

Accepted Solution

giltjr earned 500 total points
ID: 40555158
Although you seem to be at the max limits of the 5550, one thing you may want to do is analyze the traffic to see if there is any traffic you could start to block or throttle or "move."

By move I mean, is somebody doing data backups during a peak period that could be moved to a non-peak period.

As for traffic you could block/throttle, is there non-business related traffic or non-critical traffic.

Other than that your options are to replace this ASA with something that can handle more traffic or get a 2nd ASA and split traffic between the two. If you plan to replace the ASA, you will most likely need to go to a different vendor. I did a quick check and the most current offering from Cisco only goes to 1.7 Gbps, not much room for growth.
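A worked version of the capacity check the thread arrives at (sum the 5-minute rates from "show interface" across all interfaces, count one direction only so traffic is not double-counted, convert bytes/sec to bits/sec, and compare the result and the "Conns [rate]" peak with the 1.2 Gbps and 33,000 conn/sec data-sheet figures quoted above). This is an added example, not code from the thread; the "outside" interface block and the function names are constructed for illustration.

```python
import re

# Constructed sample in the "show interface" Traffic Statistics format from the
# thread: "inside" reuses the thread's own 5-minute figures, "outside" is made up
# so that there is a second interface to aggregate.
SHOW_INTERFACE = """\
 Traffic Statistics for "inside":
      5 minute input rate 62187 pkts/sec,  45651791 bytes/sec
      5 minute output rate 59900 pkts/sec,  46900026 bytes/sec
 Traffic Statistics for "outside":
      5 minute input rate 30000 pkts/sec,  40000000 bytes/sec
      5 minute output rate 31000 pkts/sec,  41000000 bytes/sec
"""
# "show resource usage resource rate conns" line with the thread's values.
SHOW_CONNS = "Conns [rate]              760         8298        N/A             0 System"
THROUGHPUT_LIMIT_BPS = 1_200_000_000  # ASA 5550 data-sheet limits quoted in the thread
CONN_RATE_LIMIT = 33_000

IFACE_RE = re.compile(r'Traffic Statistics for "([^"]+)":')
RATE_RE = re.compile(r"5 minute (input|output) rate \d+ pkts/sec,\s+(\d+) bytes/sec")

def parse_interface_rates(text):
    """{interface: {"input": bytes/sec, "output": bytes/sec}} from 5-minute averages."""
    rates, current = {}, None
    for line in text.splitlines():
        if m := IFACE_RE.search(line):
            current = m.group(1)
            rates[current] = {}
        elif (m := RATE_RE.search(line)) and current:
            rates[current][m.group(1)] = int(m.group(2))
    return rates

def system_throughput_bps(rates, direction="input"):
    """Sum ONE direction across all interfaces and convert bytes/sec to bits/sec.
    Every packet entering one interface leaves another, so adding both input and
    output on every interface (as the thread first did) double-counts."""
    return 8 * sum(r.get(direction, 0) for r in rates.values())

def parse_conn_rate(line):
    """(current, peak) connections/sec from the 'Conns [rate]' line."""
    fields = line.split()
    return int(fields[2]), int(fields[3])

def capacity_report(show_interface=SHOW_INTERFACE, show_conns=SHOW_CONNS):
    """Utilisation of the two limits the thread discusses, as fractions of 1."""
    bps = system_throughput_bps(parse_interface_rates(show_interface))
    _, peak = parse_conn_rate(show_conns)
    return {"throughput_bps": bps, "throughput_util": bps / THROUGHPUT_LIMIT_BPS,
            "conn_rate_peak": peak, "conn_rate_util": peak / CONN_RATE_LIMIT}
```

With the thread's "inside" figures the inbound side alone is about 365 Mbit/s, so the connection-rate limit is nowhere near reached while throughput is the limit to watch.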
