[c-nsp] Stale tcp connection on FWSM

Matthew Melbourne matt at melbourne.org.uk
Tue Dec 29 09:34:55 EST 2009


We have a transparent firewall context on a FWSM (code revision: 3.1(16)).

Recently the number of tcp connections has been increasing to a point where
it hits the limit defined in the static and new connections are denied.
However a "show conn | inc x.x.x.148" doesn't show nearly the number of
active connections the "show local-host" command might suggest.

A "clear local-host x.x.x.x" fixes the problem temporarily, but the problem
resurfaces later (and on different hosts). Is there any way to see any more
detail on these 11000+ connections?

xxx# sh local-host x.x.x.148 all
IPv4 local hosts:
 Local host: <x.x.x.148>, tcp conn(s)/limit = 11806/20000,
embryonic(s)/limit = 4470/50 udp conn(s)/limit = 0/0
    Xlate(s):
        Global x.x.x.148 Local x.x.x.148

I am considering whether we should perhaps reduce the default TCP connection
timeout to less than the default one hour. I am beginning to agree with
other contributors here that firewalls placed in front of servers are of
limited benefit and just create masses of state which needs to be
maintained, as well as opening up other potential DoS vectors. :-)

Cheers,

Matt

-- 
Matthew Melbourne
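An added example (not from the post, and not a Cisco tool): a small Python helper that parses the `sh local-host ... all` output quoted above and flags hosts whose per-host counters approach or exceed their configured limit, so the condition can be caught before new connections start being denied. The second host in the sample is constructed, and treating a limit of 0 as "no limit configured" is an assumption.

```python
import re

# Constructed sample modelled on the "sh local-host ... all" output in the post;
# the second host (.149) and its numbers are invented for illustration.
SAMPLE_OUTPUT = """IPv4 local hosts:
 Local host: <x.x.x.148>, tcp conn(s)/limit = 11806/20000,
embryonic(s)/limit = 4470/50 udp conn(s)/limit = 0/0
    Xlate(s):
        Global x.x.x.148 Local x.x.x.148
 Local host: <x.x.x.149>, tcp conn(s)/limit = 120/20000,
embryonic(s)/limit = 3/50 udp conn(s)/limit = 0/0
"""

HOST_RE = re.compile(r"Local host: <([^>]+)>")
# Matches "tcp conn(s)/limit = 11806/20000" as well as the embryonic and udp
# counters, which the CLI wraps onto the following line.
COUNTER_RE = re.compile(r"(tcp conn|embryonic|udp conn)\(s\)/limit = (\d+)/(\d+)")


def parse_local_hosts(text):
    """Return {host: {counter: (current, limit)}}, one entry per
    'Local host:' record, regardless of how the CLI wrapped the lines."""
    hosts = {}
    for block in re.split(r"(?=Local host: <)", text)[1:]:
        host = HOST_RE.match(block).group(1)
        hosts[host] = {name: (int(cur), int(lim))
                       for name, cur, lim in COUNTER_RE.findall(block)}
    return hosts


def flag_hosts(hosts, threshold=0.5):
    """Return (host, reason) pairs for counters that have reached their limit
    or exceed the utilisation threshold. A limit of 0 is assumed to mean no
    limit is configured for that counter and is skipped."""
    alerts = []
    for host, counters in hosts.items():
        for name, (cur, lim) in counters.items():
            if lim == 0:
                continue
            if cur >= lim:
                alerts.append((host, f"{name} {cur} exceeds limit {lim}"))
            elif cur / lim >= threshold:
                alerts.append((host, f"{name} at {cur / lim:.0%} of limit {lim}"))
    return alerts


if __name__ == "__main__":
    for host, reason in flag_hosts(parse_local_hosts(SAMPLE_OUTPUT)):
        print(host, reason)
```

Feeding it the output of a scheduled `show local-host all` gives a per-host view of which counter is actually saturating (here the embryonic count, far above its limit of 50), which `show conn` alone does not expose.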

