[c-nsp] "Strange" Cisco ASA5520 errors - Connection limit exceeded

Peter Adkins peter.adkins at kernelpicnic.net
Fri Oct 28 01:45:03 EDT 2011


Hi Simon,

There are no Premium Peers listed; the full output is as follows:

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Enabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

Cheers for the quick response.

- Peter

On Fri, Oct 28, 2011 at 3:54 PM, Thomason, Simon <Simon.Thomason at racq.com.au> wrote:

> Sh activation-key
>
> ASA# sh activation-key
>
> Licensed features for this platform:
> Maximum Physical Interfaces       : Unlimited      perpetual
> Maximum VLANs                     : 150            perpetual
> Inside Hosts                      : Unlimited      perpetual
> Failover                          : Active/Active  perpetual
> VPN-DES                           : Enabled        perpetual
> VPN-3DES-AES                      : Enabled        perpetual
> Security Contexts                 : 2              perpetual
> GTP/GPRS                          : Disabled       perpetual
> AnyConnect Premium Peers          : 2              perpetual <<< what does this one say?
> AnyConnect Essentials             : Disabled       perpetual
> Other VPN Peers                   : 750            perpetual
> Total VPN Peers                   : 750            perpetual
> Shared License                    : Disabled       perpetual
> AnyConnect for Mobile             : Disabled       perpetual
> AnyConnect for Cisco VPN Phone    : Disabled       perpetual
> Advanced Endpoint Assessment      : Disabled       perpetual
> UC Phone Proxy Sessions           : 2              perpetual
> Total UC Proxy Sessions           : 2              perpetual
> Botnet Traffic Filter             : Disabled       perpetual
> Intercompany Media Engine         : Disabled       perpetual
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Adkins
> Sent: Friday, 28 October 2011 3:13 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] "Strange" Cisco ASA5520 errors - Connection limit exceeded
>
> Hi all,
>
> The scenario is that we have two 5520s for this environment configured for
> fail-over, these devices currently terminate a whopping 2x L2L IPSec VPNs
> and a handful of SSL VPN sessions.
>
> This morning we encountered a strange issue which was originally believed
> to be due to ACLs not permitting traffic; effectively, if I were to log in to
> one of the configured SSL VPNs I was unable to connect to any services
> configured to be permitted through the VPN filter.  As a last ditch effort
> to work out what was wrong I permitted ANY IP traffic through to the
> required network, however, this still didn't fix the issue.
>
> As an example of what we were seeing, when attempts to telnet into TCP port
> 1433 were failing, the following was found in the logs:
>
>    ...
>    %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from
> X.X.X.X/65374 to Y.Y.Y.Y/1433 on interface outside
>    %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from
> X.X.X.X/65374 to Y.Y.Y.Y/1433 on interface outside
>    %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from
> X.X.X.X/65374 to Y.Y.Y.Y/1433 on interface outside
>    %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from
> X.X.X.X/65375 to Y.Y.Y.Y/1433 on interface outside
>    %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from
> X.X.X.X/65375 to Y.Y.Y.Y/1433 on interface outside
>    %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from
> X.X.X.X/65375 to Y.Y.Y.Y/1433 on interface outside
>    ...
>
> The Cisco website indicates that these sorts of messages would be presented
> if the configured connection limits were, well, exceeded. However, I am
> slightly perplexed as to the current count staying at -35 for all reported
> messages -- as there was a large number of them.
>
>    ...
>    Interface outside:
>      Service-policy: CONNS
>        Class-map: CONNS
>          Set connection policy: conn-max 5000 embryonic-conn-max 30
>            current embryonic conns 0, current conns -35, drop 5622
>          Set connection timeout policy:
>            embryonic 0:40:00 half-closed 0:20:00 idle 2:00:00
>            DCD: enabled, retry-interval 0:00:15, max-retries 5
>            DCD: client-probe 530, server-probe 0, conn-expiration 106
>    ...
>
> I could understand if we were reaching a session limit, however, with only
> two clients connected and a max of 5000 I don't believe this to be the case.
> Also, as mentioned, the current session index being 'stuck' at -35 concerns
> me slightly.
>
> In the end, we had failed over to the redundant node which did not exhibit
> this issue. However, as soon as we failed back the problem came straight
> back. The only way to resolve the issue was a reload.
>
> I'm trying to work out whether anyone has encountered this issue before on
> an ASA55x0 running 8.2(4). Mainly to determine whether this was something
> strange, or me just being daft. As much as I'd like to log a TAC case for
> this one, this particular device does not have a valid support contract.
> However, for my sanity I'd like to establish whether this is / was a
> potential code issue, or a problem with the device itself.
>
> Regards,
> Peter Adkins
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
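An added example, not part of the thread or of any Cisco tooling: a small Python triage script that parses %ASA-3-201011 lines and the "current conns" counters from `show service-policy` output of the shape quoted above, and flags the accounting anomaly Peter describes (a negative per-class connection count with drops being logged). The sample syslog lines, the placeholder addresses and the service-policy text are constructed for illustration, and the verdict labels ("negative_counter", "limit_reached", "inconsistent_counter") are my own names, not ASA terminology.

```python
"""Triage ASA conn-limit drops: spot a stuck/negative per-class connection counter."""
import re
from collections import Counter

# Constructed sample syslog, modelled on the %ASA-3-201011 lines quoted in the
# thread (placeholder RFC 5737 addresses; not real captures). The last line is a
# different message ID and should be ignored by the parser.
SAMPLE_SYSLOG = """\
%ASA-3-201011: Connection limit exceeded -35/5000 for input packet from 198.51.100.5/65374 to 192.0.2.10/1433 on interface outside
%ASA-3-201011: Connection limit exceeded -35/5000 for input packet from 198.51.100.5/65375 to 192.0.2.10/1433 on interface outside
%ASA-3-201011: Connection limit exceeded 5000/5000 for input packet from 198.51.100.7/40001 to 192.0.2.10/443 on interface outside
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/50000 (198.51.100.9/50000) to inside:192.0.2.10/443 (192.0.2.10/443)
"""

# Constructed "show service-policy" excerpt with the same shape as the thread's.
SAMPLE_SERVICE_POLICY = """\
Interface outside:
  Service-policy: CONNS
    Class-map: CONNS
      Set connection policy: conn-max 5000 embryonic-conn-max 30
        current embryonic conns 0, current conns -35, drop 5622
"""

LIMIT_RE = re.compile(
    r"%ASA-\d-201011: Connection limit exceeded (?P<cur>-?\d+)/(?P<lim>\d+) "
    r"for (?P<dir>input|output) packet from (?P<src>\S+?)/(?P<sport>\d+) "
    r"to (?P<dst>\S+?)/(?P<dport>\d+) on interface (?P<iface>\S+)"
)
POLICY_RE = re.compile(r"conn-max (?P<max>\d+) embryonic-conn-max (?P<emb_max>\d+)")
COUNTER_RE = re.compile(
    r"current embryonic conns (?P<emb>-?\d+), current conns (?P<cur>-?\d+), drop (?P<drop>\d+)"
)


def parse_limit_events(text):
    """Yield one dict per %ASA-3-201011 line; any other message ID is skipped."""
    for line in text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            ev = m.groupdict()
            for key in ("cur", "lim", "sport", "dport"):
                ev[key] = int(ev[key])
            yield ev


def classify_counter(cur, lim):
    """Judge whether the current/limit pair in a drop message is plausible.

    The message is only meant to fire when the class counter has reached
    conn-max, so a negative or below-limit value means the accounting is off.
    """
    if cur < 0:
        return "negative_counter"      # underflowed counter: every new flow is dropped
    if cur >= lim:
        return "limit_reached"         # genuine exhaustion (or a connection flood)
    return "inconsistent_counter"      # drop logged while the counter is below the limit


def triage(text):
    """Tally verdicts and the dst/port pairs being dropped so a stuck counter stands out."""
    verdicts, targets = Counter(), Counter()
    for ev in parse_limit_events(text):
        verdicts[classify_counter(ev["cur"], ev["lim"])] += 1
        targets[(ev["dst"], ev["dport"])] += 1
    return {"verdicts": dict(verdicts), "targets": dict(targets)}


def check_service_policy(text):
    """Extract the policy limits and live counters; list values that cannot be right."""
    pol, cnt = POLICY_RE.search(text), COUNTER_RE.search(text)
    if not (pol and cnt):
        raise ValueError("unrecognised show service-policy output")
    result = {k: int(v) for k, v in {**pol.groupdict(), **cnt.groupdict()}.items()}
    anomalies = []
    if result["cur"] < 0:
        anomalies.append("current conns is negative")
    if result["emb"] < 0:
        anomalies.append("embryonic conns is negative")
    if result["cur"] > result["max"]:
        anomalies.append("current conns exceeds conn-max")
    if result["emb"] > result["emb_max"]:
        anomalies.append("embryonic conns exceeds embryonic-conn-max")
    result["anomalies"] = anomalies
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_SYSLOG))
    print(check_service_policy(SAMPLE_SERVICE_POLICY))
```

Running it on the constructed input reports two "negative_counter" drops against 192.0.2.10/1433 and one "limit_reached" drop, and the service-policy check returns the single anomaly "current conns is negative". In practice you would feed it the firewall's syslog export plus the `show service-policy` output from both failover units, since in the thread only the active unit carried the bad counter.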
