
Cisco Bug: CSCta10038 - DOC: 'Inspection Limitations' needs to mention child connection limits

Last Modified

Nov 08, 2016

Products (2)

  • Cisco ASA 5500-X Series Firewalls
  • Cisco ASA 5580 Adaptive Security Appliance

Known Affected Releases

7.0 7.1 7.2 8.0

Description (partial)


This is a DOCUMENTATION bug only.

With the fix for CSCsl95244, we limited the number of simultaneous child connections over a single parent connection to 200. This affects any application inspected by the firewall that opens multiple secondary connections. For example, a single FTP port 21 connection can have a maximum of 200 simultaneous active data connections. Any request for a 201st data connection will be dropped by the firewall, and the following syslog will be generated:

%ASA-3-507003: The flow of type protocol from the originating interface: src_ip/src_port to dest_if:dest_ip/dest_port terminated by inspection engine, reason - inspector drop reset.

This needs to be documented in the configuration guides under the 'Inspection Limitations' heading of 'Configuration Guide > Configuring the Firewall > Applying Application Layer Protocol Inspection'.


Documentation is incomplete.
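Because the limit is undocumented, the 507003 syslog is the main operational signal that it was hit. The following is an added example, not Cisco code: it parses 507003 lines and counts "inspector drop reset" drops per host pair so they can be checked against inspected applications that open many secondary connections. The sample lines, the timestamp prefix, the way the template's placeholders are filled in, and the min_drops threshold are assumptions.

```python
import re
from collections import Counter

# Shape follows the 507003 template quoted above. How the ASA fills in the
# protocol and interface placeholders is an assumption of this example.
MSG_507003 = re.compile(
    r"%ASA-3-507003:.*?"
    r"(?P<src_if>[\w.-]+):\s*(?P<src_ip>[0-9a-fA-F.:]+)/(?P<src_port>\d+)"
    r"\s+to\s+"
    r"(?P<dst_if>[\w.-]+):\s*(?P<dst_ip>[0-9a-fA-F.:]+)/(?P<dst_port>\d+)"
    r"\s+terminated by inspection engine, reason - (?P<reason>.+?)\.?\s*$"
)
CHILD_LIMIT_REASON = "inspector drop reset"  # reason string given on this page

def parse_507003(line):
    """Return the fields of a 507003 message as a dict, or None if no match."""
    m = MSG_507003.search(line)
    return m.groupdict() if m else None

def drops_by_host_pair(lines, reason=CHILD_LIMIT_REASON):
    """Count 507003 drops with the given reason per (src_ip, dst_ip).

    Ports are ignored: the page does not say whether the message reports the
    parent connection or the dropped child connection.
    """
    counts = Counter()
    for line in lines:
        rec = parse_507003(line)
        if rec and rec["reason"].lower() == reason:
            counts[(rec["src_ip"], rec["dst_ip"])] += 1
    return counts

def flag_host_pairs(lines, min_drops=3):
    """Host pairs with at least min_drops matching drops (threshold assumed)."""
    return sorted(k for k, n in drops_by_host_pair(lines).items() if n >= min_drops)

# Constructed sample input (documentation-range addresses), not real logs.
TEMPLATE = ("Nov 08 2016 10:00:0{n}: %ASA-3-507003: tcp flow from "
            "inside:192.0.2.10/4000{n} to outside:198.51.100.5/21 "
            "terminated by inspection engine, reason - {reason}.")
SAMPLE = [TEMPLATE.format(n=n, reason=CHILD_LIMIT_REASON) for n in (1, 2, 3)]
SAMPLE += [TEMPLATE.format(n=4, reason="constructed other reason"),
           "Nov 08 2016 10:00:05: constructed line that is not a 507003 message"]

if __name__ == "__main__":
    for pair, n in drops_by_host_pair(SAMPLE).items():
        print(pair, n)
```

A hit only shows that the inspection engine reset flows between those hosts. Confirming the 200 child connection limit still requires checking how many secondary connections the inspected parent connection had open at the time.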