Re: Concurrent connections for PIX
From: Michael Janke (jankemi.remove@mail.com) Date: 03/16/02
- Next message: NT Canuck: "Re: What is the best firewall around?"
- Previous message: wailakig: "Re: BUYER BEWARE: SonicWALL Support Problems"
- In reply to: Ross: "Re: Concurrent connections for PIX"
From: Michael Janke <jankemi.remove@mail.com> Date: Sat, 16 Mar 2002 17:34:16 GMT
Ross wrote:
> I'm aware that there can be multiple connections on a single website.
> How is that possible though? If each one of those connections was
> ONLY 1 bit (which is being VERY conservative) then I don't know how
> you'd be able to have 40k connections on a 10Mbps line. This is what led
> me to ask my question--
>
> Even with connections opening and closing, 40,000 connections at a
> given time would be HUGE. I'm talking about CONCURRENT CONNECTIONS
> actively being used at the same time in accordance with RFC 2647.
>
> When I refer to a concurrent connection I mean 5,000 people going out
> to a website at the same exact moment all opening up a web page-- this
> would generate between 20,000 and 40,000 concurrent connections.
>
> In an old PIX doc (1998), Cisco says that the product supports
> something like 16,000 concurrent connections which would be more than
> enough for a T3 with several hundred thousand users.
>
We had a dormitory complex with about 2000 student PCs. The PCs were
NAT'd with a Cisco 3640. We 'broke' the 3640 when the number of NAT
translations hit about 40,000. Cisco TAC was unable to solve the problem.
We are now using another NAT device.

I did not get a chance to measure & observe the problem, as the campus
swapped out the router before I got to look at it. I'm assuming that the
students generated a large number of sessions with applications that you
would not find on your corporate network. Because the students in the
dorms are paying the full cost of their bandwidth we do not have
restrictions on file sharing, p2p, gaming, etc. A single user running a
combination of various sharing & gaming apps could easily have dozens of
simultaneous connections, especially if the stuff they are sharing is in
demand by the Internet community.

The other issue we had is with UDP. There is no such thing as a UDP
session, so the only way a firewall or NAT device can determine the end
of a UDP 'session' is with simple timers. If you shorten the timers you
will break stuff; if you lengthen them you will have a higher session
count. I suspect that the campus did not look into that aspect of the
problem (though Cisco TAC was consulted several times over a several
week period). I'm guessing that they could have shortened the timeout on
UDP sessions & cut down on the session count. Because the campus didn't
sniff the traffic & really determine what was happening, it is also
possible that the students were doing some port scanning or other
activity that drove up the session count. The other possibility is that
the 3640 did not close the NAT session properly when the TCP session
closed. We can't verify this though.

A more typical ratio for us is somewhere between 2-5 peak simultaneous
sessions per PC, with most sites near the lower number. We engineer for
10 sessions per PC. That campus saw a peak of 20 sessions per PC.

As an irrelevant aside, we had a hacked PC launch a DoS attack from
within a campus's network. The PIX 525 at the border showed 400,000 open
sessions. The PIX worked fine, but the 3640 that connects it to our WAN
was suffering pretty badly.
--
-----------------------------------------
Michael Janke
Director, Network Services
Minnesota State Colleges and Universities
-----------------------------------------
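The UDP-timer point above (a NAT or stateful firewall can only age a UDP "session" out by an idle timer, while a TCP entry can also be dropped when the close is observed) is easy to see with a small model. The following is an added example, not code from the post or from any Cisco product: a toy connection table with per-protocol idle timeouts, replayed over a constructed list of flow events (documentation-range IPs, invented timestamps). Running the same events with a 300-second and a 30-second UDP timeout shows why shortening the UDP timer lowers the peak entry count, and why a TCP entry that is never closed just sits there until its own timer fires.

```python
"""Toy NAT/firewall connection table with per-protocol idle timers.

Added example; the model, the event format and the sample flows are all
assumptions made here, not the behaviour of a specific device.
"""
from typing import Dict, List, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port) identifies one translation entry
FlowKey = Tuple[str, str, int, str, int]
# (time_s, proto, src_ip, src_port, dst_ip, dst_port, tcp_close_seen)
Event = Tuple[float, str, str, int, str, int, bool]


class SessionTable:
    """Keeps one entry per flow, stamped with the time it was last seen.

    UDP entries can only leave the table when the idle timer expires.
    TCP entries leave either on idle timeout or when the close (FIN/RST
    exchange) is observed, which is what a well-behaved NAT should do.
    """

    def __init__(self, udp_timeout: float, tcp_timeout: float) -> None:
        self.timeouts = {"udp": udp_timeout, "tcp": tcp_timeout}
        self.table: Dict[FlowKey, float] = {}

    def expire(self, now: float) -> int:
        """Drop every entry idle longer than its protocol's timeout."""
        stale = [k for k, seen in self.table.items()
                 if now - seen > self.timeouts[k[0]]]
        for key in stale:
            del self.table[key]
        return len(stale)

    def observe(self, now: float, proto: str, src: str, sport: int,
                dst: str, dport: int, tcp_close: bool = False) -> int:
        """Record one packet of a flow; return the table size afterwards."""
        self.expire(now)
        key: FlowKey = (proto, src, sport, dst, dport)
        if proto == "tcp" and tcp_close:
            self.table.pop(key, None)   # close observed: free the entry now
        else:
            self.table[key] = now       # create or refresh the entry
        return len(self.table)


def replay(events: List[Event], udp_timeout: float,
           tcp_timeout: float) -> Tuple[int, int]:
    """Replay events in time order; return (peak entries, final entries)."""
    table = SessionTable(udp_timeout, tcp_timeout)
    peak = 0
    for ev in sorted(events):
        peak = max(peak, table.observe(*ev))
    return peak, len(table.table)


# Constructed sample: three hosts doing DNS, a UDP game/streaming flow, and
# two web sessions, one of which is closed cleanly and one that never closes.
SAMPLE_EVENTS: List[Event] = [
    (0,   "udp", "10.1.1.1", 40000, "198.51.100.7", 53,   False),
    (1,   "udp", "10.1.1.1", 40001, "198.51.100.7", 53,   False),
    (2,   "udp", "10.1.1.2", 41000, "203.0.113.9",  6970, False),
    (3,   "tcp", "10.1.1.2", 50000, "203.0.113.9",  80,   False),
    (5,   "tcp", "10.1.1.2", 50000, "203.0.113.9",  80,   True),   # FIN seen
    (40,  "udp", "10.1.1.3", 42000, "203.0.113.9",  6970, False),
    (45,  "tcp", "10.1.1.3", 50001, "203.0.113.9",  80,   False),  # never closed
    (400, "udp", "10.1.1.1", 40000, "198.51.100.7", 53,   False),  # DNS again
]


if __name__ == "__main__":
    for udp_t in (300, 30):
        peak, final = replay(SAMPLE_EVENTS, udp_timeout=udp_t, tcp_timeout=3600)
        print(f"udp_timeout={udp_t:>3}s  peak_entries={peak}  final_entries={final}")
```

With the 300-second UDP timer the table peaks at five entries because the three early DNS lookups are still counted when the later flows arrive; with a 30-second timer they have already aged out and the peak is four. In both runs the unclosed TCP session from 10.1.1.3 is still in the table at the end, which is the "NAT did not close the session" failure mode the post speculates about, just made visible.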