Connection per sec limit reached in ASA 5550, need ideas for temporary relief

Posted on 2015-01-16
Last Modified: 2015-01-17
I have a Cisco ASA 5550 that is seeing performance issues due to the sheer number of packets per sec. Per Cisco documentation it can support 35k conn/sec. From this command, I understand this is the average connections per sec, which is well over.

CiscoASA550# sho conn count
58395 in use, 73811 most used

This is causing input errors on the inside interface, over and under runs.

One idea I have to lower the amount of connections is to lower the "timeout conn" value to drop idle connections quicker.

How low can I safely go? This firewall is mostly used to NAT a connection to load balancers, for web browsing.

Next idea, but I'm not sure if I'm right. If I change the default ASA MSS from 1380 to:

sysopt connection tcpmss 1460
sysopt connection tcpmss minimum 0

Would that help? I don't know if it would lower connections, I think it would just help throughput.

Any ideas to safely lower connection counts until hardware is upgraded, is appreciated.
Question by:LIBBB
LVL 57

Expert Comment

ID: 40553344
Changing the MSS will do nothing dealing with the number of connections. That just changes the maximum amount of data that will be put into an IP packet, and 1460 is the most you can get in a 1500 byte Ethernet frame.

Now packets per second and connections per second are two totally different things.  The 5500 can support over 1 Gbps total for every interface, so if you have two interfaces it would be over 500 in/out on one and over 500 in/out on the other one.

My guess is your ISP connection is getting saturated before your ASA is.

What is the link utilization (bits per second) on each of the interfaces?

Author Comment

ID: 40553376
Thanks, was pretty sure the MSS wouldn't change connection count.

Here is the interface with by far the highest use

 Traffic Statistics for "inside":
        4220759481 packets input, 2964146176657 bytes
        4240928593 packets output, 3403588211089 bytes
        5324610 packets dropped
      1 minute input rate 61697 pkts/sec,  46811779 bytes/sec
      1 minute output rate 59082 pkts/sec,  46080115 bytes/sec
      1 minute drop rate, 38 pkts/sec
      5 minute input rate 62187 pkts/sec,  45651791 bytes/sec
      5 minute output rate 59900 pkts/sec,  46900026 bytes/sec
      5 minute drop rate, 53 pkts/sec
LVL 57

Expert Comment

ID: 40553401
O.K., but you have to combine all the interfaces.

Some specs for the 5550 (full specs here):

1.2 Gbps total system throughput
33,000 NEW connections per second,
650,000 total connections

If you are peaking at 70K total connections, I doubt very much you are hitting 33K new connections per second.

However, 40MB/s is about 320 Mbits per second. If you are doing that in and out on that interface that is about 620Mb/s on that single interface, which is 50% of what the box's throughput is. Also if you are doing that on that interface, then you should be doing that much traffic on the other interfaces combined; all the traffic on that interface needs to be going someplace and coming from someplace.

You know your environment, does 40MB/s sound right?

Author Comment

ID: 40553451
You know...I think I read some bad information online. It was explaining how the show conn count was actually connections per second. So, I assumed it was way past the 33K. Now I found this command..

ASA5550# sho resource usage all resource rate ?

Rate-measured Resource Names:
  Conns     Connections/sec

ASA5550# sho resource usage all resource rate conns
Resource              Current         Peak      Limit        Denied Context
Conns [rate]              760         8298        N/A             0 System

Let me combine all the interfaces to see total throughput...

Author Comment

ID: 40553549
Unless I did my math wrong, that would be the problem. Added up all the 5 minute in/out rate of bytes/sec

Total of 280140977 bytes

or 2.24 Gbps
LVL 57

Expert Comment

ID: 40553672
Um, I'll have to re-read. It could be that you only add up "one side" of an interface. That is, inbound on all interfaces.

If that is true, then you would be at about 1/2 of that, or 1.1 Gbps which is at the box's limit.

Is the traffic you are seeing "normal" and what you would expect? I am assuming to get that much traffic that you are filtering traffic between LANs within your network. Unless you have a 1 Gbps Internet link.
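The two comments above (summing the 5 minute rates across interfaces, and counting only one side of each interface so bytes are not double counted) can be turned into a quick check against the 5550 figures quoted in this thread. This is an added example, not code from the thread or from Cisco; the "inside" numbers are the page's own, the "outside" block and the 760 conn/sec value fed in are constructed sample input.

```python
import re

# Constructed sample modelled on the "show interface" output quoted above.
# The "inside" figures are the ones posted; "outside" is made up so the
# aggregation across interfaces has something to add.
SHOW_INTERFACE = """\
 Traffic Statistics for "inside":
      5 minute input rate 62187 pkts/sec,  45651791 bytes/sec
      5 minute output rate 59900 pkts/sec,  46900026 bytes/sec
      5 minute drop rate, 53 pkts/sec
 Traffic Statistics for "outside":
      5 minute input rate 59900 pkts/sec,  46900026 bytes/sec
      5 minute output rate 62187 pkts/sec,  45651791 bytes/sec
      5 minute drop rate, 0 pkts/sec
"""

ASA5550_THROUGHPUT_GBPS = 1.2      # spec figures as quoted in the thread
ASA5550_NEW_CONN_PER_SEC = 33000

BLOCK_RE = re.compile(r'Traffic Statistics for "([^"]+)":')
RATE_RE = re.compile(r'5 minute (input|output) rate \d+ pkts/sec,\s+(\d+) bytes/sec')

def parse_rates(text):
    """Return {iface: {"input": bytes/sec, "output": bytes/sec}}."""
    rates, iface = {}, None
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            iface = m.group(1)
            rates[iface] = {"input": 0, "output": 0}
            continue
        m = RATE_RE.search(line)
        if m and iface:
            rates[iface][m.group(1)] = int(m.group(2))
    return rates

def system_load_gbps(rates):
    """Sum only the input side of every interface: each byte that enters the
    box leaves on another interface, so adding both sides doubles the load."""
    total_bytes = sum(r["input"] for r in rates.values())
    return total_bytes * 8 / 1e9

def headroom(rates, conn_rate):
    """Compare measured load and new-connection rate with the 5550 limits."""
    gbps = system_load_gbps(rates)
    return {"gbps": round(gbps, 3),
            "throughput_pct": round(100 * gbps / ASA5550_THROUGHPUT_GBPS, 1),
            "conn_rate_pct": round(100 * conn_rate / ASA5550_NEW_CONN_PER_SEC, 1)}

if __name__ == "__main__":
    print(headroom(parse_rates(SHOW_INTERFACE), 760))
```

With the constructed sample the box sits at roughly 62% of its rated throughput while the connection rate is under 3% of the limit, which is the distinction the thread arrives at: throughput, not connections per second, is what to watch here.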

Author Comment

ID: 40553752
Yep, I did packet captures yesterday. Did not see any unusual traffic.

We have two, 1Gbps links.
LVL 57

Expert Comment

ID: 40554031
Then it looks like you are maxing out the limits of a 5550.
LVL 57

Accepted Solution

giltjr earned 500 total points
ID: 40555158
Although you seem to be at the max limits of the 5550, one thing you may want to do is analyze the traffic to see if there is any traffic you could start to block or throttle or "move."

By move I mean, is somebody doing data backups during a peak period that could be moved to a non-peak period.

As for traffic you could block/throttle, is there non-business related traffic or non-critical traffic.

Other than that your options are to replace this ASA with something that can handle more traffic or get a 2nd ASA and split traffic between the two. If you plan to replace the ASA, you will most likely need to go to a different vendor. I did a quick check and the most current offering from Cisco only goes to 1.7 Gbps, not much room for growth.
