Solved

Connection per sec limit reached in ASA 5550, need ideas for temporary relief

Posted on 2015-01-16
9
930 Views
Last Modified: 2015-01-17
I have a Cisco ASA 5550 that is seeing performance issues due to the sheer number of packets per sec. Per Cisco documentation it can support 35k conn/sec. From this command, I understand this is the average connections per sec, which is well over.

CiscoASA550# sho conn count
58395 in use, 73811 most used

This is causing input errors on the inside interface, over and under runs.

One idea I have to lower the amount of connections is to lower the "timeout conn" value to drop idle connections quicker.

How low can I safely go? This firewall is mostly used to NAT a connection to load balancers, for web browsing.

Next idea, but I'm not sure if I'm right. If I change the default ASA MSS from 1380 to:

sysopt connection tcpmss 1460
sysopt connection tcpmss minimum 0

Would that help? I don't know if it would lower connections, I think it would just help throughput.

Any ideas to safely lower connection counts until hardware is upgraded, is appreciated.
0
Comment
Question by:LIBBB
  • 5
  • 4
9 Comments
 
LVL 57

Expert Comment

by:giltjr
Comment Utility
Changing the MSS will do nothing dealing with the number of connections.   That just changes the maximum amount of data that will be put into a IP packet, and 1460 is the most you can get in a 1500 byte Ethernet frame.

Now packets per second and connections per second are two totally different things.  The 5500 can support over 1 Gbps total for every interface, so if you have two interfaces it would be over 500 in/out on one and over 500 in/out on the other one.

My guess is your ISP connection is getting saturated before your ASA is.

What is the link utilization (bits per second) on each of the interfaces?
0
 

Author Comment

by:LIBBB
Comment Utility
Thanks, was pretty sure the the MSS wouldn't change connection count.

Here is the interface with by far the highest use

 Traffic Statistics for "inside":
        4220759481 packets input, 2964146176657 bytes
        4240928593 packets output, 3403588211089 bytes
        5324610 packets dropped
      1 minute input rate 61697 pkts/sec,  46811779 bytes/sec
      1 minute output rate 59082 pkts/sec,  46080115 bytes/sec
      1 minute drop rate, 38 pkts/sec
      5 minute input rate 62187 pkts/sec,  45651791 bytes/sec
      5 minute output rate 59900 pkts/sec,  46900026 bytes/sec
      5 minute drop rate, 53 pkts/sec
0
 
LVL 57

Expert Comment

by:giltjr
Comment Utility
O.K, but you have to combine all the interfaces.

Some specs for the 5550 (full specs here http://www.cisco1900router.com/cisco-asa-5500-specs-features-and-model-comparisons.html)

1.2 Gbps total system throughput
33,000 NEW connections per second,
650,000 total connections

If you are peaking at 70K total connections, I doubt very much you are hitting 33K new connections per second.  

However, 40MB/s is about 320 Mbits per second.  If you are doing that in and out on that interface that is about 620Mb/s on that single interface, which is 50% of what the boxes throughput is.    Also if you are doing that on that interface, then you should be doing that much traffic on the other interfaces combined, all the traffic on that interface needs to be going someplace and coming from someplace.

You know your environment, does 40MB/s sound right?
0
 

Author Comment

by:LIBBB
Comment Utility
You know...I think I read some bad information online. It was explaining how the show conn count was actually connections per second. So, I assumed it was way past the 33K. Now I found this command..

ASA5550# sho resource usage all resource rate ?

Rate-measured Resource Names:
  Conns     Connections/sec

ASA5550# sho resource usage all resource rate conns
Resource              Current         Peak      Limit        Denied Context
Conns [rate]              760         8298        N/A             0 System

Let me combine all the interfaces to see total throughput...
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:LIBBB
Comment Utility
Unless I did my math wrong, that would be the problem. Added up all the 5 minute in/out rate of bytes/sec

Total of 280140977 bytes

or 2.24 Gbps
0
 
LVL 57

Expert Comment

by:giltjr
Comment Utility
Um, I'll have to re-read.  It could be that you only add up "one side" of an interface'  That is, inbound on all interface.

If that is true, then you would be at about 1/2 of that, or 1.1 Gbps which is at the boxes limit.

Is the traffic you are seeing "normal" and what you would expect?  I am assuming to get that much traffic that you are filter traffic between LAN's within your network.  Unless you have a 1 Gbps Internet link.
0
 

Author Comment

by:LIBBB
Comment Utility
Yep, I did packet captures yesterday. Did not see any unusual traffic.

We have two, 1Gbps links.
0
 
LVL 57

Expert Comment

by:giltjr
Comment Utility
Then it looks like you are maxing out the limits of a 5550.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
Comment Utility
Although you seem to be at the max limits of the 5550, one thing you may want to do is analyze the traffic to see if there is any traffic you could start to block or throttle or "move."

By move I mean, is somebody doing data backups during a peak period that could be moved to a non-peak period.

As for traffic you could block/throttle, is there non-business related traffic or non-critical traffic.

Other than that your options are to replace this ASA with something that can handle more traffic or get a 2nd ASA and split traffic between the two.  If you plan to replace the ASA, you will most likely need to go to a different vendor.  I did a quick check the the most current offering from Cisco only goes to 1.7 Gbps, not much room for growth.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now