ACE connection limit and remote TCP security scans

Similar Messages

• The TFO accelerator is overloaded (connection limit) and MAPI problems

  Hi All!
  Problem description:
  When MAPI acceleration (exchange/outlook) is Active in our WAAS environment, the remote site users randomly lose connection to the Exchange server (on hub site), if I disable the MAPI acceleration everything works ok.  so right now we are running with MAPI accelearation Disabled
  I can see that we often get max_conn_reject The TFO accelerator is overloaded (connection limit), we haven't done any adjustments to the default configuration. 
  The environment is one Hubsite with two remote sites.
  [Hub Site] 34mbit
  HW=OE674
  SW=4.1.5
  inline
  Enterprise Lic
  [Remote Site1] 4 mbit
  HW=OE474
  SW=4.1.5
  inline
  Enterprise Lic
  [Remote Site2] 4mbit
  HW=OE474
  SW=4.1.5
  inline
  Enterprise Lic
  So the question is how to solve this?!                                

  I had a feeling that you might have alot of computer remotely.
  One of the main factors in sizing a WAAS soluiton is to keep in mind the number of TCP connections that a single WAE can optimize.
  We limit the device on optimized TCP connections.After you hit the limit the device will go into the overload state that you mentioned.
  274 - 200 connections
  474 - 400 connections.
  Typically from a sizing a single workstation would be sized from 7-10 TCP connections.
  The 2nd factor in sizing is bandwidth - WAAS doesn't limit bandwidth but this is recommended for the CPU throughput.
  274 - 2 Megs
  474 - 4 Megs
  The 3rd factor is redundancy,. HA, etc.
  Thanks,
  Eric
       remember if this answrs your questions, please mark as answered and with a 5.

• ASA 5505 Connection Limit and TIME_WAIT Freezing Device

  My little ASA 5505 is working great and I am quite happy with the purchase now that I've solved a number of the issues we had, thank you all very much for the help.
  The next issue I have is rather annoying.  The device appears to be artificially crippled and limited to 10,000 connections.  This isn't a "CPU limit" it's just some fake limit in the device as far as I can tell.
  The problem we have is that we are only using around 500-600 connections and CPU usage is only like 25%, and yet the connection count is pegged at 10,000 and locks us out of our network.
  I am pretty sure this is because there are a lot of "dead" TIME_WAIT connections hanging around not being used.  In our application we only have the couple hundred connections but they do move around a bit every now and then.
  Is there anyway to get the device to ignore the "dead" connections and not count them towards the artificial limit on the device given that it's pretty clear the CPU / etc., is not utilized sufficiently.  These aren't real connections, we only have a couple 100 established, they do just move around a bit however.
  We are really only using 500-700 connections according to our servers, the others are just sitting in TIME_WAIT doing nothing.
  Anyone had this issue before or can offer solutions or workarounds?

  Hello,
  Have you checked the output of 'show conn' and 'show local-host' at a time when the connection count is maxed out? If the ASA is not removing idle connections, you should open a TAC case to have this investigated. Otherwise, the above commands should show you which hosts are maxing out the connections and you can take steps to remediate those problem hosts.
  -Mike

• DSL connection spotty and slow after security update

  I updated both the latest security patch and firmware for my Intel Mac Mini a few days ago, and since then have had notably slower DSL internet service. Frequent time-outs in locating servers etc. Skype connection is much much worse than before the update(s).
  Anyone have similar experience and/or suggestions?
  Mac Mini 1.66 Intel Core Duo   Mac OS X (10.4.8)  

  There are two distinct problems that can occur with internet connections, giving two different symptoms.
  If, for example, you click on a link or enter a URL in a browser and it takes ages to start the process of loading the page, but once started it loads reasonably well, the issue is with the DNS lookup. On the other hand, if the browser finds the page and looks ready to start loading it pretty quickly, but then takes ages to render the page, the problem is far more likely to be an issue with data timing out.
  In the situation where there is an apparent delay in locating servers, the problem is most likely related to the DNS settings in the system. DNS (Domain Name Service) is the means by which the system translates the addresses we find easy to remember and work with (such as www.yahoo.com) to the numbering system the internet itself uses (such as 69.147.11.210 in the case of yahoo). When you send your system off looking for an internet resource by name such as yahoo.com, it first checks with whatever DNS server you have told it to use, what the IP number is, and if that DNS server is slow to respond, the process of accessing the page/resource will appear to hang, sometimes for many seconds.
  You can test is the system has a DNS issue by opening a browser and typing http://69.147.11.210 and hitting enter. This should, after a very brief pause, load the Yahoo home page. If doing it this way gives you a markedly faster page access time than usual, go to your network preference pane and open the ethernet configuration (if using ethernet - the airport for wifi or modem for dialup) and in the DNS servers section, manually enter the DNS server addresses used by your ISP. There are usually two or three and they may be listed in the ISP's help pages on the internet, in the documentation that they sent, or in your router.
  Actually any valid DNS server IP addresses will do, so you can actually doa search for DNS server addresses and use any that you find. Bear in mind of course that a DNS server in your own locality, or region will be likely to be quicker to respond than a DNS server on the other side of the world... though not always!
  Give that a try if the problem is with the system accessing a page to begin with.
  If it's that the page loads very slowly once started, the first thing to do is clear the browser's caches (in safari, try 'reset safari' which sets it back to first-used state), which can often help. After that it may be necessary to delve into the depths of the system's IP configuration since some ISPs don't seem to have particularly Mac-friendly service configurations.

• Ace connection limit

  Hi,
  I  would like to limit the overloading of servers and redirect to a backup  server if the first is full. I thought to use  "max-connect" and "backup-reserved".
  Now I  would also ensure that if the client is already on the platform he  continued to surf and not be impacted by the max-connect.
  The aim is to focus clients on the farm and put on hold the  new.
  To know that a client is already  on the platform I thought to use the sticky.
  Do not know if  you know of a solution to my need
  Regards,
  Charly

  yes, it's conn-limit sorry and backup-reserved is backup-rserver (problem copy paste ).
  I already used sticky with insert cookie, but when the server is full the client go to the new server.
  Resource class :  you thought the ressource class on the admin context ?

• HT1222 When I go to download the 64-bit for Windows 7 when it is done downloading and runs the security scan it says that it is unsafe for my computer.

  It says that the 64-bit is unsafe for my computer... What should I do?

  See Troubleshooting issues with iTunes for Windows updates.
  tt2

• Why does Adobe Reader and Adobe Flash player keep installing McaFee Security Scan on my system?

  Whenever I install the Adobe Flash player or Adobe Reader on my system, it downloads and installs McAfee Security Scan Plus at the same time. It does not ask if I want it or not, it instead forces it on me, so I have to then unistall it. I've unistalled it 3 or 4 times in the last week. I DO NOT WANT MCAFEE PRODUCTS on my computer!
  Please make this an option, give the users a choice so we don't have to keep removing the stupid thing.

  Did you 'Uncheck" the relevant box pointed by the red arrow ? If not you accepted the installation with McAfee.

• I have an Ipad 2 and here is what I am trying to accomplish.  On my laptop I connect to a remote desktop connection to access a shared program we use for reporting.  How do I set up my Ipad to access this remote server?  Thanks for the help.

  I have an Ipad 2 and here is what I am trying to accomplish.  On my laptop I connect to a remote desktop connection to access a shared program we use for reporting.  How do I set up my Ipad to access this remote server?  Thanks for the help.

  Close ... before going for a specific Cisco app ... lets find out some details:
  Host we need more details:
  What is your server environment (Windows Server, or Mac OS X Server, or Linux)?
  What security is implemented in your environment - as what is restricted (RDP for all or specifc credentials on all machines? Are you part of local admin group to the server you wish to connect)?
  Does your environment Support CISCO IPSec connection? If so use Settings> VPN and IPSec tab to enter VPN details, if not then go with above suggestion. IF your restricted to RSA then either built in VPN settings or 3rd party app for RSA would suffice.
  Finally, there are many RDP applications out there I use "Mocha RDP Light" (free minimal ads when launched not when connecting).

• VPN and Remote Desktop Connection

  I have a standalone windows 2012 server that runs a domain with a few workstations. I have successfully configured a PPTP VPN and can connect using a Windows 7 computer at home. Once connected to the VPN, I can Remote Desktop to the server - but not any
  other computers. The computer I'm trying to connect to runs Windows 7 and has remote desktop connections enabled.
  Under the Access Details in the Remote Access Management the VPN connection is shown correctly first to the router (x.x.x.1) then the server (x.x.x.2) under Protocol 17 and Port 53. Then the server is shown again under Protocol 17 and Port 3389, which must
  be the Remote Desktop connection. And then the workstation on the domain (x.x.x.20) also shows a connection with Protocol 17 and Port 3389. However, the remote desktop connection fails everytime. I'm not sure where the issue exists since it appears the server
  is seeing and acknowledging the remote desktop connection. On my router I have PPTP passthrough enabled and port forward 3389 to the server.
  I have attempted to use the workstations internal IP address as well as the computer name (workstation and workstation.domain.local) when connecting.
  Thanks for your help.
  I just noticed these three event errors on the destination remote machine. Not sure why it's trying to use L2TP?
  Failed to apply IP Security on port VPN2-1 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls
  will be accepted to this port.
  A certificate could not be found. Connections that use the L2TP protocol over IPsec  require the installation of a machine certificate, also known as a computer  certificate. No L2TP calls will be accepted.
  The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to
  retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.

  Morning Trent,
  I don't know if this is still an issue for you, did you get it solved?
  If not, check on the server whether the user credentials that you're using to RDP to the workstation are actually authorised server-side. If that checks out, on the VPN connection you can specify a protocol to use. Specify the protocol that your VPN is configured
  to use on the server.

• Home Hub 3 and 4 Connections Limit ?

  Hi All i am very much hoping there is someone expert on issues such as number of connections allowed and home hub interconnecting.
  First things first.  I had a home hub 3 and it kept on dropping the signal.  it went on for several months and many calls to Bangladesh.  Very often the problem was fixed and all reunning perfect ...... for a few days sometimes even a week or so.  Then it was back to This page cannot be displayed or 'No Internet' in the wifi connection window.
  At the beginning the hub would show fault ie the red light would start to flash.  I also had a terible phone line with a lot of crackle.  One of the 'remote fixes' seemed to cure this and from then on the blue light was always on and for a while the signal remained ok.  then it bagan to drop intermittently.
  i also have a connection to a remote part of the garden and run a 40 meter Cat 5 cable from a port on the new homehub4 up to the homehub 3 at the other end.  When i connect this, the home hub3 in the garden receives Internet no porblem but i loose it at the main hub.  no faults are reported and the signal is said to be excellent and 'Internet Access ' is usually displayed.  
  i can often get the first page but then clicking any links gives a page with cannot connect to this page please check the name etc.  if i unplug the lead going down the garden to the homehub3 I get ful connection back.
  I think there is more than one problem but for now i just want to fix this bandwidth sharing issue.  Surely i should not loose connection as soon as i connect to a slave hub down the garden?  it does come and go after then and i will receive the odd batch of email but it is disconnected 80% of the time.
  Anyone any idea what sort of a problem this is?  if it is bandwidth, can i set a limit on how much will go the the slave homehub3?  or can i set priority to the homehub4?  or even to a specific IP address ie my laptop?
  both hubs use dhcp so i did wonder if there was conflict of IP addresses but i dont see how this can be because my connection comes and goes whereas theremote homehub3 stays perfect connection for skype etc.
  Another very interesting aspect was that when i would drop out on the new hub, i could connect to BT WiFi with Fon and got a connection no problem.  Yet that connection must be supplied by my homehub4 so how can it supply me through wifi with fon no problem but not a direct wifi connection when i an literally 2 feet from the router?
  that element has now vanished because the Bangladesh team finally decided it was the new router and sent an engineer to test it.  he concluded it was the router and changed it for one he had with him butthis one does not give any signal for btwifi with fon so I am scr___d !
  absolutely anything appreciated.  I was an IT professional for many years so dont be shy to use technical terms.
  Thanks in advance
  Solved!
  Go to Solution.

  You need to turn off the dhcp on the hh3
  this may help http://forumhelp.dyndns.info/wireless/wirelessmenu.html
  If you like a post, or want to say thanks for a helpful answer, please click on the Ratings star on the left-hand side of the post.
  If someone answers your question correctly please let other members know by clicking on ’Mark as Accepted Solution’.

• Win 7 Pro 64 occasionally fails to connect using IKEV2 to Win2008R2 Routing and Remote Access server

  I'm a networking guy and having this troubling VPM issue that I can't find.
  I have a number of VPN connections from my Win7Pro 64 PC to various customers.  Their end points are all Windows Routing and Remote Access on Windows 2008R2 STD servers.
  Every once and a while I will hang at Verifying User ID and Password and eventually get  ERROR 809. Change the security type on my VPN connection from IKEV2 to PPTP - never an issue, connects in right away.
  I can also try from another PC (at the same or alternate location) to get into that same server using the same credentials and access - no issue using either IKEV2 or PPTP.
  This has happened at various times to various customers. Here is what I know it is not:
  - Not the local or remote routers or Firewalls since I can always get in from other PC's going through the same network. Even so, tried rebooting all several times
  - Not an ISP issue at either end since I can always get into other IKEV2 servers from the same PC and from other PC's to the server I can't from my PC.
  This leads to the only logical conclusion.  It is something to do with my Win7Pro 64 PC but for the life of my I can not find it.
  I have obviously tried rebooting the Win7Pro PC. I have also tried recreating the VPN connection several times. Nothing.
  Help!

  Hi,
  I know that you've mentioned that it is not a issue about firewall or router settings, but this error usually comes when some firewall between client and server is blocking the ports used by VPN tunnel.
  so to allow IKEv2 traffic, please make sure to configure the network firewall to open UDP ports 500 and 4500, and to allow IP protocol 50.
  If that is not possible, deploy SSTP based VPN tunnel on both VPN server and VPN client – that allows VPN connection across firewalls, web proxies and NAT
  You can refer to this blog
  http://blogs.technet.com/b/rrasblog/archive/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through.aspx
  Regards
  Yolanda
  TechNet Community Support

• TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding

   TACACS+ configured on router and router is in ACS.  I can ping the ACS but the router cannot establish a connection to authenticate users.
  aaa group server tacacs+ hq_acs-1
  server 10.20.17.2
  ip tacacs source-interface GigabitEthernet0/0
  aaa authentication login default group tacacs+ local
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 10 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  aaa accounting nested
  aaa accounting update newinfo periodic 60
  aaa accounting auth-proxy default start-stop group tacacs+
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  aaa accounting network default start-stop group tacacs+
  aaa accounting connection default start-stop group tacacs+
  aaa accounting system default start-stop group tacacs+
  aaa accounting resource default start-stop group tacacs+
  BigTree_3945#sh ip int br
  Interface                  IP-Address      OK? Method Status                Protocol
  GigabitEthernet0/0         10.4.3.1        YES NVRAM  down                  down
  GigabitEthernet0/1         10.12.10.26     YES NVRAM  up                    up 
  Serial0/2/0                unassigned      YES NVRAM  down                  down
  Serial0/2/0.602            10.12.15.10     YES NVRAM  down                  down
  Apr 13 11:08:13.673: TPLUS: Queuing AAA Authentication request 79 for processing
  Apr 13 11:08:13.673: TPLUS: processing authentication start request id 79
  Apr 13 11:08:13.675: TPLUS: Authentication start packet created for 79(cisscdb)
  Apr 13 11:08:13.675: TPLUS: Using server 10.20.17.2
  Apr 13 11:08:13.675: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
  Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
  Apr 13 11:08:18.676: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
  Apr 13 11:08:18.676: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
  Apr 13 11:08:25.834: TPLUS: Queuing AAA Authentication request 79 for processing
  Apr 13 11:08:25.834: TPLUS: processing authentication start request id 79
  Apr 13 11:08:25.834: TPLUS: Authentication start packet created for 79(cisscdb)
  Apr 13 11:08:25.834: TPLUS: Using server 10.20.17.2
  Apr 13 11:08:25.834: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
  Apr 13 11:08:30.836: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
  Apr 13 11:08:30.836: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
  Apr 13 11:08:30.836: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
  Apr 13 11:08:43.689: TAC: Using default tacacs server-group "tacacs" list.
  Apr 13 11:08:43.689: TAC+: Opening TCP/IP to 10.20.17.2/49 timeout=5
  Apr 13 11:08:51.057: TPLUS: Queuing AAA Authentication request 79 for processing
  Apr 13 11:08:51.057: TPLUS: processing authentication start request id 79
  Apr 13 11:08:51.057: TPLUS: Authentication start packet created for 79(cisscdb)
  Apr 13 11:08:51.057: TPLUS: Using server 10.20.17.2
  Apr 13 11:08:51.057: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: Started 5 sec timeout
  Apr 13 11:08:54.692: TAC+: TCP/IP open to 10.20.17.2/49 failed -- Connection timed out; remote host not responding
  Apr 13 11:08:54.692: TPLUS: Queuing AAA Accounting request 76 for processing
  Apr 13 11:08:54.692: TPLUS: processing accounting request id 76
  Apr 13 11:08:54.692: TPLUS: Sending AV task_id=332
  Apr 13 11:08:54.692: TPLUS: Sending AV timezone=EDT
  Apr 13 11:08:54.692: TPLUS: Sending AV service=shell
  Apr 13 11:08:54.692: TPLUS: Sending AV start_time=1334329734
  Apr 13 11:08:54.692: TPLUS: Sending AV priv-lvl=15
  Apr 13 11:08:54.692: TPLUS: Sending AV cmd=show logging <cr>
  Apr 13 11:08:54.692: TPLUS: Accounting request created for 76(n20j03t)
  Apr 13 11:08:54.692: TPLUS: Using server 10.20.17.2
  Apr 13 11:08:54.692: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: Started 5 sec timeout
  Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out
  Apr 13 11:08:56.058: TPLUS(0000004F)/0/NB_WAIT/1BDD9C34: timed out, clean up
  Apr 13 11:08:56.058: TPLUS(0000004F)/0/1BDD9C34: Processing the reply packet
  Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out
  Apr 13 11:08:59.693: TPLUS(0000004C)/1/NB_WAIT/20FD90EC: timed out, clean up
  Apr 13 11:08:59.693: TPLUS(0000004C)/1/20FD90EC: Processing the reply packet
  BigTree_3945#
  AAA Client IP Address
  10.4.3.* 10.12.15.10
  Key
  Network Device Group
  Test    
  NJT    
  AccessLink    
  (Not Assigned)    
  Authenticate Using
  TACACS+ (Cisco IOS)    
  RADIUS (Cisco Aironet)    
  RADIUS (Cisco BBSM)    
  RADIUS (Cisco IOS/PIX)    
  RADIUS (Cisco VPN 3000)    
  RADIUS (Cisco VPN 5000)    
  RADIUS (IETF)    
  RADIUS (Ascend)    
  RADIUS (Juniper)    
  RADIUS (Nortel)    
  RADIUS (iPass)    
  Single Connect TACACS+ AAA Client (Record stop in accounting on failure).
  The 10.12.10.* range is listed under the HQ site.
  Your help is greatly appreciated.

  You stated that you can ping ACS from the router, did you try sourcing the packets from the GigabitEthernet 0/0 interface (which is the one TACACS+ will try to use, given the configuration that you posted)?
  What does the network path between the router and ACS look like (ie, any firewalls, NAT, etc)?
  Can you connect to port 49 at the ACS IP address from the router sourcing the packets from GigabitEthernet 0/0 ?
  Are you using VRFs?
  What version of IOS?

• New quantam router and connecting to works remote access

  After upgrading to new router my wife cannot connect to her Remote Desktop. Any ideas?

  fossil wrote:
  For Remote Desktop to work, there must an open port in your firewall for it to initiate the communication.  The usual port is 3389, but you can adjust that.  Here are the step-by-step directions at Microsoft: http://windows.microsoft.com/en-us/windows7/allow-remote-desktop-connections-from-outside-your-home-... . If the link doesn't work, Google for "Allow Remote Desktop connections from outside your home network".  
  One side note - the "home" version of Windows 7 and many other older MS Windows versions will NOT allow it to be  a target of Remote Desktop - they can only initiate a Remote Dwesktop session to control  another PC, usually riunning the "Professional" version.  I'm not familiar with the Windows 8,8.1 versions and Remote Desktop.
  This has not changed in Windows 8/8.1. You need the Pro version to run an RDP server on the machine. Fortunately other solutions like Secure VNC and TeamViewer exist.
  ========
  The first to bring me 1Gbps Fiber for $30/m wins!

• I opened the attachment on a malicious email in error on my IPad and have been informed by the genuine company that it will download malware software. Is this possible on my IPad or is there a way of running a security scan to see if it has been infected?

  I received an email that I now know to be malicious and inadvertently opened up the attachment on my IPad that I've been informed will download malware or a virus. Can my IPad be infected this way or does anyone know if there is a way of running a security scan to check if there is a problem? I do have the most up to date IOS software installed.

  There is no anti-malware for iOS, at least none that actually does anything useful. The odds of getting any malware infection via an email attachment on an iOS device is quite low - practically non-existent. Unless you are seeing any issues, there isn't much to do, other than deleting the email and being more cautious in the future.

• I just had an update of Firefox, and next thing I knew, I had a message from "Mozilla Security" telling me it had found "critical process activity on my system and will perform fast scan of system files.

  This is the message in the dialog box that showed up:
  Firefox security alert
  Scanning of your system is currently on, please wait until the end. Your system affected by numerous virus attacks, Mozilla Firefox recommends you to install proper software to protect your computer
  Quick scan system:
  Scan complete
  Number of scanned objects: 3676
  Number of infected objects: 97
  It then directs me to Click "Start Protection" button to erase all threats. If I do that, an install program window pops up with: installInternetDefender_143.exe
  from http://monozsa.ce.ms
  I don't automatically click on those unless I know they are legitimate. I'm just concerned that the security issue came about after I received an update to my Firefox.
  I already have a security program installed on my computer through my internet provider--why would it not have picked up these infected objects? Is this legitimate? It

  The scanning is most likely an animation and not a real scan.<br />
  As long as you didn't download and install that program then you should be safe.
  To be sure you can do a malware check with some malware scanning programs.<br />
  You need to scan with all programs because each program detects different malware.<br />
  Make sure that you update each program to get the latest version of their databases before doing a scan.<br />
  * http://www.malwarebytes.org/mbam.php - Malwarebytes' Anti-Malware
  * http://www.superantispyware.com/ - SuperAntispyware
  * http://www.microsoft.com/windows/products/winfamily/defender/default.mspx - Windows Defender: Home Page
  * http://www.safer-networking.org/en/index.html - Spybot Search & Destroy
  * http://www.lavasoft.com/products/ad_aware_free.php - Ad-Aware Free
  See also:
  * "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked