[c-nsp] "Strange" Cisco ASA5520 errors - Connection limit exceeded
Peter Adkins
peter.adkins at kernelpicnic.net
Fri Oct 28 01:45:03 EDT 2011
Hi Simon,
There are no Premium Peers listed; the full output is as follows:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
Cheers for the quick response.
- Peter
On Fri, Oct 28, 2011 at 3:54 PM, Thomason, Simon <Simon.Thomason at racq.com.au> wrote:
> Sh activation-key
>
> ASA# sh activation-key
>
> Licensed features for this platform:
> Maximum Physical Interfaces : Unlimited perpetual
> Maximum VLANs : 150 perpetual
> Inside Hosts : Unlimited perpetual
> Failover : Active/Active perpetual
> VPN-DES : Enabled perpetual
> VPN-3DES-AES : Enabled perpetual
> Security Contexts : 2 perpetual
> GTP/GPRS : Disabled perpetual
> AnyConnect Premium Peers : 2 perpetual <<< what does this one say?
> AnyConnect Essentials : Disabled perpetual
> Other VPN Peers : 750 perpetual
> Total VPN Peers : 750 perpetual
> Shared License : Disabled perpetual
> AnyConnect for Mobile : Disabled perpetual
> AnyConnect for Cisco VPN Phone : Disabled perpetual
> Advanced Endpoint Assessment : Disabled perpetual
> UC Phone Proxy Sessions : 2 perpetual
> Total UC Proxy Sessions : 2 perpetual
> Botnet Traffic Filter : Disabled perpetual
> Intercompany Media Engine : Disabled perpetual
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Adkins
> Sent: Friday, 28 October 2011 3:13 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] "Strange" Cisco ASA5520 errors - Connection limit exceeded
>
> Hi all,
>
> The scenario is that we have two 5520s for this environment configured for
> fail-over, these devices currently terminate a whopping 2x L2L IPSec VPNs
> and a handful of SSL VPN sessions.
>
> This morning we encountered a strange issue which was originally believed to
> be due to ACLs not permitting traffic; effectively, if I were to log in to
> one of the configured SSL VPNs I was unable to connect to any services
> configured to be permitted through the VPN filter. As a last ditch effort
> to work out what was wrong I permitted ANY IP traffic through to the
> required network, however, this still didn't fix the issue.
>
> As an example of what we were seeing, when attempts to telnet into TCP port
> 1433 were failing, the following was found in the logs:
>
> ...
> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65374 to Y.Y.Y.Y/1433 on interface outside
> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65374 to Y.Y.Y.Y/1433 on interface outside
> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65374 to Y.Y.Y.Y/1433 on interface outside
> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65375 to Y.Y.Y.Y/1433 on interface outside
> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65375 to Y.Y.Y.Y/1433 on interface outside
> %ASA-3-201011: Connection limit exceeded -35/5000 for input packet from X.X.X.X/65375 to Y.Y.Y.Y/1433 on interface outside
> ...
>
> The Cisco website indicates that these sorts of messages would be presented
> if the configured connection limits were, well, exceeded. However, I am
> slightly perplexed as to the current count staying at -35 for all reported
> messages -- as there was a large number of them.
>
> ...
> Interface outside:
> Service-policy: CONNS
> Class-map: CONNS
> Set connection policy: conn-max 5000 embryonic-conn-max 30
> current embryonic conns 0, current conns -35, drop 5622
> Set connection timeout policy:
> embryonic 0:40:00 half-closed 0:20:00 idle 2:00:00
> DCD: enabled, retry-interval 0:00:15, max-retries 5
> DCD: client-probe 530, server-probe 0, conn-expiration 106
> ...
>
> I could understand if we were reaching a session limit, however, with only
> two clients connected and a max of 5000 I don't believe this to be the case.
> Also, as mentioned, the current session index being 'stuck' at -35 concerns
> me slightly.
>
> In the end, we had failed over to the redundant node which did not exhibit
> this issue. However, as soon as we failed back the problem came straight
> back. The only way to resolve the issue was a reload.
>
> I'm trying to work out whether anyone has encountered this issue before on
> an ASA55x0 running 8.2(4). Mainly to determine whether this was something
> strange, or me just being daft. As much as I'd like to log a TAC case for
> this one, this particular device does not have a valid support contract.
> However, for my sanity I'd like to establish whether this is / was a
> potential code issue, or a problem with the device itself.
>
> Regards,
> Peter Adkins
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
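The diagnostic point in Peter's post is that a live connection count can never be negative, so a %ASA-3-201011 message reporting "-35/5000" is evidence of a stale or corrupted per-policy counter rather than of real capacity exhaustion; failover clearing the symptom and a reload fixing it are consistent with that. The following triage script is an added example, not code from the thread or from Cisco: it parses 201011 syslog lines and the counter line of `show service-policy` using the layout quoted above, and separates "counter went negative" from "limit genuinely reached". The IP addresses and the extra 302013 line in the sample data are constructed (RFC 5737 documentation ranges), and the verdict names are my own.

```python
"""Triage helper for Cisco ASA '%ASA-3-201011: Connection limit exceeded'
messages and the matching 'show service-policy' counters.

Added example, not from the thread. Assumptions: the message layout follows the
lines quoted in the post; sample addresses below are constructed (RFC 5737).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# 201011 layout as quoted: "<current>/<limit>", the 5-tuple, ingress interface.
# 'current' is allowed to be negative here precisely so we can flag it.
EVENT_RE = re.compile(
    r"%ASA-(?P<sev>\d)-201011: Connection limit exceeded "
    r"(?P<current>-?\d+)/(?P<limit>\d+) for input packet from "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)"
)

# Counter line from 'show service-policy', as quoted in the thread.
COUNTER_RE = re.compile(
    r"current embryonic conns (?P<embryonic>-?\d+), "
    r"current conns (?P<conns>-?\d+), drop (?P<drop>\d+)"
)


@dataclass(frozen=True)
class LimitEvent:
    current: int
    limit: int
    src: str
    sport: int
    dst: str
    dport: int
    iface: str


def parse_events(lines: Iterable[str]) -> List[LimitEvent]:
    """Return one LimitEvent per 201011 line; other syslog messages are ignored."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append(LimitEvent(
                int(m["current"]), int(m["limit"]), m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), m["iface"]))
    return events


def parse_policy_counters(show_output: str) -> Optional[Dict[str, int]]:
    """Extract embryonic/current/drop counters from 'show service-policy' text."""
    m = COUNTER_RE.search(show_output)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None


def triage(events: List[LimitEvent],
           counters: Optional[Dict[str, int]] = None) -> Dict:
    """Decide whether the drops look like real exhaustion or a broken counter.

    A negative 'current' is impossible for a live connection count, yet conn-max
    is still being enforced against it, so the verdict is 'counter-corruption'
    (state to clear, e.g. by failover or reload), not a capacity problem.
    """
    currents = [e.current for e in events]
    if counters is not None:
        currents.append(counters["conns"])
    limit = max((e.limit for e in events), default=None)
    if any(c < 0 for c in currents):
        verdict = "counter-corruption"
    elif limit is not None and any(c >= limit for c in currents):
        verdict = "limit-exhausted"
    elif currents:
        verdict = "below-limit"  # dropped although under the configured cap
    else:
        verdict = "no-events"
    return {
        "verdict": verdict,
        "events": len(events),
        "distinct_currents": sorted(set(currents)),
        "top_destinations": Counter((e.dst, e.dport) for e in events).most_common(3),
    }


# Constructed sample input modelled on the quoted logs (addresses are RFC 5737).
SAMPLE_LOG = [
    "%ASA-3-201011: Connection limit exceeded -35/5000 for input packet from "
    "203.0.113.10/65374 to 192.0.2.20/1433 on interface outside",
    "%ASA-3-201011: Connection limit exceeded -35/5000 for input packet from "
    "203.0.113.10/65374 to 192.0.2.20/1433 on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/65376 "
    "(203.0.113.10/65376) to inside:192.0.2.20/1433 (192.0.2.20/1433)",
    "%ASA-3-201011: Connection limit exceeded -35/5000 for input packet from "
    "203.0.113.10/65375 to 192.0.2.20/1433 on interface outside",
    "%ASA-3-201011: Connection limit exceeded -35/5000 for input packet from "
    "203.0.113.10/65375 to 192.0.2.20/1433 on interface outside",
]

SAMPLE_SHOW = """Interface outside:
  Service-policy: CONNS
    Class-map: CONNS
      Set connection policy: conn-max 5000 embryonic-conn-max 30
        current embryonic conns 0, current conns -35, drop 5622
"""

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE_LOG), parse_policy_counters(SAMPLE_SHOW)))
```

Run against a real syslog feed, a verdict of `counter-corruption` with a small set of `distinct_currents` (one negative value repeated across every event) is the signature of the case in this thread; `limit-exhausted` with a spread of destinations is the case the message was designed for and calls for looking at who is consuming the connections.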