Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Connection per sec limit reached in ASA 5550, need ideas for temporary relief

Posted on 2015-01-16
Medium Priority
Last Modified: 2015-01-17
I have a Cisco ASA 5550 that is seeing performance issues due to the sheer number of packets per sec. Per Cisco documentation it can support 35k conn/sec. From this command, I understand this is the average connections per sec, which is well over.

CiscoASA550# sho conn count
58395 in use, 73811 most used

This is causing input errors on the inside interface, over and under runs.

One idea I have to lower the amount of connections is to lower the "timeout conn" value to drop idle connections quicker.

How low can I safely go? This firewall is mostly used to NAT a connection to load balancers, for web browsing.

Next idea, but I'm not sure if I'm right. If I change the default ASA MSS from 1380 to:

sysopt connection tcpmss 1460
sysopt connection tcpmss minimum 0

Would that help? I don't know if it would lower connections, I think it would just help throughput.

Any ideas to safely lower connection counts until hardware is upgraded, is appreciated.
Question by:LIBBB
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 57

Expert Comment

ID: 40553344
Changing the MSS will do nothing dealing with the number of connections.   That just changes the maximum amount of data that will be put into a IP packet, and 1460 is the most you can get in a 1500 byte Ethernet frame.

Now packets per second and connections per second are two totally different things.  The 5500 can support over 1 Gbps total for every interface, so if you have two interfaces it would be over 500 in/out on one and over 500 in/out on the other one.

My guess is your ISP connection is getting saturated before your ASA is.

What is the link utilization (bits per second) on each of the interfaces?

Author Comment

ID: 40553376
Thanks, was pretty sure the the MSS wouldn't change connection count.

Here is the interface with by far the highest use

 Traffic Statistics for "inside":
        4220759481 packets input, 2964146176657 bytes
        4240928593 packets output, 3403588211089 bytes
        5324610 packets dropped
      1 minute input rate 61697 pkts/sec,  46811779 bytes/sec
      1 minute output rate 59082 pkts/sec,  46080115 bytes/sec
      1 minute drop rate, 38 pkts/sec
      5 minute input rate 62187 pkts/sec,  45651791 bytes/sec
      5 minute output rate 59900 pkts/sec,  46900026 bytes/sec
      5 minute drop rate, 53 pkts/sec
LVL 57

Expert Comment

ID: 40553401
O.K, but you have to combine all the interfaces.

Some specs for the 5550 (full specs here http://www.cisco1900router.com/cisco-asa-5500-specs-features-and-model-comparisons.html)

1.2 Gbps total system throughput
33,000 NEW connections per second,
650,000 total connections

If you are peaking at 70K total connections, I doubt very much you are hitting 33K new connections per second.  

However, 40MB/s is about 320 Mbits per second.  If you are doing that in and out on that interface that is about 620Mb/s on that single interface, which is 50% of what the boxes throughput is.    Also if you are doing that on that interface, then you should be doing that much traffic on the other interfaces combined, all the traffic on that interface needs to be going someplace and coming from someplace.

You know your environment, does 40MB/s sound right?
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.


Author Comment

ID: 40553451
You know...I think I read some bad information online. It was explaining how the show conn count was actually connections per second. So, I assumed it was way past the 33K. Now I found this command..

ASA5550# sho resource usage all resource rate ?

Rate-measured Resource Names:
  Conns     Connections/sec

ASA5550# sho resource usage all resource rate conns
Resource              Current         Peak      Limit        Denied Context
Conns [rate]              760         8298        N/A             0 System

Let me combine all the interfaces to see total throughput...

Author Comment

ID: 40553549
Unless I did my math wrong, that would be the problem. Added up all the 5 minute in/out rate of bytes/sec

Total of 280140977 bytes

or 2.24 Gbps
LVL 57

Expert Comment

ID: 40553672
Um, I'll have to re-read.  It could be that you only add up "one side" of an interface'  That is, inbound on all interface.

If that is true, then you would be at about 1/2 of that, or 1.1 Gbps which is at the boxes limit.

Is the traffic you are seeing "normal" and what you would expect?  I am assuming to get that much traffic that you are filter traffic between LAN's within your network.  Unless you have a 1 Gbps Internet link.

Author Comment

ID: 40553752
Yep, I did packet captures yesterday. Did not see any unusual traffic.

We have two, 1Gbps links.
LVL 57

Expert Comment

ID: 40554031
Then it looks like you are maxing out the limits of a 5550.
LVL 57

Accepted Solution

giltjr earned 2000 total points
ID: 40555158
Although you seem to be at the max limits of the 5550, one thing you may want to do is analyze the traffic to see if there is any traffic you could start to block or throttle or "move."

By move I mean, is somebody doing data backups during a peak period that could be moved to a non-peak period.

As for traffic you could block/throttle, is there non-business related traffic or non-critical traffic.

Other than that your options are to replace this ASA with something that can handle more traffic or get a 2nd ASA and split traffic between the two.  If you plan to replace the ASA, you will most likely need to go to a different vendor.  I did a quick check the the most current offering from Cisco only goes to 1.7 Gbps, not much room for growth.

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question