Connection per sec limit reached in ASA 5550, need ideas for temporary relief

Posted on 2015-01-16
Medium Priority
Last Modified: 2015-01-17
I have a Cisco ASA 5550 that is seeing performance issues due to the sheer number of packets per sec. Per Cisco documentation it can support 35k conn/sec. From this command, I understand this is the average connections per sec, which is well over.

CiscoASA550# sho conn count
58395 in use, 73811 most used

This is causing input errors on the inside interface, over and under runs.

One idea I have to lower the amount of connections is to lower the "timeout conn" value to drop idle connections quicker.

How low can I safely go? This firewall is mostly used to NAT a connection to load balancers, for web browsing.

Next idea, but I'm not sure if I'm right. If I change the default ASA MSS from 1380 to:

sysopt connection tcpmss 1460
sysopt connection tcpmss minimum 0

Would that help? I don't know if it would lower connections, I think it would just help throughput.

Any ideas to safely lower connection counts until hardware is upgraded are appreciated.
Question by:LIBBB
LVL 57

Expert Comment

ID: 40553344
Changing the MSS will do nothing dealing with the number of connections. That just changes the maximum amount of data that will be put into an IP packet, and 1460 is the most you can get in a 1500 byte Ethernet frame.

Now packets per second and connections per second are two totally different things.  The 5500 can support over 1 Gbps total for every interface, so if you have two interfaces it would be over 500 in/out on one and over 500 in/out on the other one.

My guess is your ISP connection is getting saturated before your ASA is.

What is the link utilization (bits per second) on each of the interfaces?

Author Comment

ID: 40553376
Thanks, was pretty sure the MSS wouldn't change connection count.

Here is the interface with by far the highest use

 Traffic Statistics for "inside":
        4220759481 packets input, 2964146176657 bytes
        4240928593 packets output, 3403588211089 bytes
        5324610 packets dropped
      1 minute input rate 61697 pkts/sec,  46811779 bytes/sec
      1 minute output rate 59082 pkts/sec,  46080115 bytes/sec
      1 minute drop rate, 38 pkts/sec
      5 minute input rate 62187 pkts/sec,  45651791 bytes/sec
      5 minute output rate 59900 pkts/sec,  46900026 bytes/sec
      5 minute drop rate, 53 pkts/sec
LVL 57

Expert Comment

ID: 40553401
O.K., but you have to combine all the interfaces.

Some specs for the 5550 (full specs here http://www.cisco1900router.com/cisco-asa-5500-specs-features-and-model-comparisons.html)

1.2 Gbps total system throughput
33,000 NEW connections per second,
650,000 total connections

If you are peaking at 70K total connections, I doubt very much you are hitting 33K new connections per second.  

However, 40MB/s is about 320 Mbits per second. If you are doing that in and out on that interface that is about 620Mb/s on that single interface, which is 50% of what the box's throughput is. Also if you are doing that on that interface, then you should be doing that much traffic on the other interfaces combined; all the traffic on that interface needs to be going someplace and coming from someplace.

You know your environment, does 40MB/s sound right?

Author Comment

ID: 40553451
You know...I think I read some bad information online. It was explaining how the show conn count was actually connections per second. So, I assumed it was way past the 33K. Now I found this command..

ASA5550# sho resource usage all resource rate ?

Rate-measured Resource Names:
  Conns     Connections/sec

ASA5550# sho resource usage all resource rate conns
Resource              Current         Peak      Limit        Denied Context
Conns [rate]              760         8298        N/A             0 System

Let me combine all the interfaces to see total throughput...

Author Comment

ID: 40553549
Unless I did my math wrong, that would be the problem. Added up all the 5 minute in/out rate of bytes/sec

Total of 280140977 bytes

or 2.24 Gbps
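The arithmetic in this thread (bytes/sec from "show traffic" times 8, summed across interfaces, compared against the 1.2 Gbps and 33,000 conn/sec figures the expert quoted) is easy to get wrong by hand, as the next comment shows. The script below is an added example, not code from the asker or the expert: it parses the "inside" statistics exactly as posted above, plus a second "dmz" interface whose numbers are constructed for illustration, and reports both the in+out total and the inbound-only total, so the two ways of adding things up can be compared side by side.

```python
"""Check ASA 5550 load against its datasheet limits from `show traffic`
and `show resource usage` output (added example, not from the thread)."""
import re

# Datasheet figures as quoted by the expert in the thread.
SYSTEM_THROUGHPUT_BPS = 1_200_000_000   # 1.2 Gbps total system throughput
NEW_CONNS_PER_SEC_LIMIT = 33_000
TOTAL_CONNS_LIMIT = 650_000

# Constructed sample: the "inside" block is the asker's posted output,
# the "dmz" block is invented so that there is a second interface to sum.
SHOW_TRAFFIC = """\
 Traffic Statistics for "inside":
        4220759481 packets input, 2964146176657 bytes
        4240928593 packets output, 3403588211089 bytes
        5324610 packets dropped
      1 minute input rate 61697 pkts/sec,  46811779 bytes/sec
      1 minute output rate 59082 pkts/sec,  46080115 bytes/sec
      1 minute drop rate, 38 pkts/sec
      5 minute input rate 62187 pkts/sec,  45651791 bytes/sec
      5 minute output rate 59900 pkts/sec,  46900026 bytes/sec
      5 minute drop rate, 53 pkts/sec
 Traffic Statistics for "dmz":
      5 minute input rate 30000 pkts/sec,  20000000 bytes/sec
      5 minute output rate 31000 pkts/sec,  21000000 bytes/sec
      5 minute drop rate, 0 pkts/sec
"""

# The asker's `show resource usage all resource rate conns` output.
SHOW_CONN_RATE = """\
Resource              Current         Peak      Limit        Denied Context
Conns [rate]              760         8298        N/A             0 System
"""

_IFACE_RE = re.compile(r'Traffic Statistics for "([^"]+)":')
_RATE_RE = re.compile(r'5 minute (input|output) rate \d+ pkts/sec,\s+(\d+) bytes/sec')


def parse_traffic(text):
    """Return {interface: {"in_bps": ..., "out_bps": ...}} from the 5-minute
    averages, with bytes/sec converted to bits/sec."""
    rates = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.search(line)
        if m:
            current = m.group(1)
            rates[current] = {"in_bps": 0, "out_bps": 0}
            continue
        m = _RATE_RE.search(line)
        if m and current is not None:
            key = "in_bps" if m.group(1) == "input" else "out_bps"
            rates[current][key] = int(m.group(2)) * 8
    return rates


def system_load(rates, capacity_bps=SYSTEM_THROUGHPUT_BPS):
    """Both totals discussed in the thread: in+out on every interface, and
    inbound only (each forwarded flow counted once, as the expert suggests)."""
    inbound_only = sum(r["in_bps"] for r in rates.values())
    in_plus_out = sum(r["in_bps"] + r["out_bps"] for r in rates.values())
    return {
        "per_interface_bps": {n: r["in_bps"] + r["out_bps"] for n, r in rates.items()},
        "inbound_all_interfaces_bps": inbound_only,
        "inbound_utilisation": inbound_only / capacity_bps,
        "in_plus_out_all_interfaces_bps": in_plus_out,
    }


def parse_conn_rate(text):
    """Parse the `Conns [rate]` line -> (current conn/sec, peak conn/sec)."""
    m = re.search(r'Conns \[rate\]\s+(\d+)\s+(\d+)', text)
    if not m:
        raise ValueError("no 'Conns [rate]' line found")
    return int(m.group(1)), int(m.group(2))


def conn_headroom(conns_in_use, peak_conn_rate):
    """Compare the connection table and the peak new-connection rate with
    the datasheet limits; values are fractions of the limit."""
    return {
        "conn_table_utilisation": conns_in_use / TOTAL_CONNS_LIMIT,
        "peak_new_conn_rate_utilisation": peak_conn_rate / NEW_CONNS_PER_SEC_LIMIT,
    }


if __name__ == "__main__":
    load = system_load(parse_traffic(SHOW_TRAFFIC))
    for name, bps in load["per_interface_bps"].items():
        print(f"{name:>8}: {bps / 1e6:8.1f} Mb/s in+out")
    print(f"inbound on all interfaces: {load['inbound_all_interfaces_bps'] / 1e6:.1f} Mb/s "
          f"({load['inbound_utilisation']:.0%} of 1.2 Gbps)")
    _, peak = parse_conn_rate(SHOW_CONN_RATE)
    print(conn_headroom(73811, peak))
```

With the posted "inside" figures the inbound-only total is what should be held against the 1.2 Gbps system figure; summing input and output on every interface counts each forwarded packet twice, which is how the 2.24 Gbps number above comes out at roughly double the box's rating.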
LVL 57

Expert Comment

ID: 40553672
Um, I'll have to re-read. It could be that you only add up "one side" of an interface. That is, inbound on all interfaces.

If that is true, then you would be at about 1/2 of that, or 1.1 Gbps, which is at the box's limit.

Is the traffic you are seeing "normal" and what you would expect? I am assuming that to get that much traffic you are filtering traffic between LANs within your network. Unless you have a 1 Gbps Internet link.

Author Comment

ID: 40553752
Yep, I did packet captures yesterday. Did not see any unusual traffic.

We have two, 1Gbps links.
LVL 57

Expert Comment

ID: 40554031
Then it looks like you are maxing out the limits of a 5550.
LVL 57

Accepted Solution

giltjr earned 2000 total points
ID: 40555158
Although you seem to be at the max limits of the 5550, one thing you may want to do is analyze the traffic to see if there is any traffic you could start to block or throttle or "move."

By move I mean, is somebody doing data backups during a peak period that could be moved to a non-peak period.

As for traffic you could block/throttle, is there non-business related traffic or non-critical traffic.

Other than that your options are to replace this ASA with something that can handle more traffic or get a 2nd ASA and split traffic between the two. If you plan to replace the ASA, you will most likely need to go to a different vendor. I did a quick check and the most current offering from Cisco only goes to 1.7 Gbps, not much room for growth.
