Cisco Bug: CSCta10038 - DOC: 'Inspection Limitations' needs to mention child connection limits
Nov 08, 2016
- Cisco ASA 5500-X Series Firewalls
- Cisco ASA 5580 Adaptive Security Appliance
Known Affected Releases
7.0 7.1 7.2 8.0
Symptom: This is a DOCUMENTATION bug only. With the fix for CSCsl95244, the number of simultaneous child connections over a single parent connection was limited to 200. This affects any application inspected by the firewall over which multiple secondary connections are opened. For example, over a single FTP port 21 control connection there can be at most 200 simultaneously active data connections; a request for a 201st data connection is dropped by the firewall and the following syslog is generated:

%ASA-3-507003: The flow of type protocol from the originating interface: src_ip/src_port to dest_if:dest_ip/dest_port terminated by inspection engine, reason - inspector drop reset.

This needs to be documented in the configuration guides under the 'Inspection Limitations' heading of 'Configuration Guide > Configuring the Firewall > Applying Application Layer Protocol Inspection'.

Conditions: Documentation is incomplete.
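The following is an added example, not Cisco code and not part of this bug report. It models the per-parent cap the bug describes (a tracker that admits at most 200 child connections per parent and refuses the 201st) and parses the %ASA-3-507003 message so the cap being hit can be spotted in a syslog feed. The syslog timestamp/hostname prefix, the "inside:" interface name in front of the source address, the sample log lines and the "(other reason)" placeholder are all constructed assumptions; only the message template and the value 200 come from the bug text.

```python
"""Per-parent child-connection cap (200) on ASA inspection, and a parser for the
%ASA-3-507003 message it produces.  Added example; not Cisco code."""
import re
from collections import Counter, defaultdict

CHILD_CONN_LIMIT = 200  # per-parent cap introduced by the fix for CSCsl95244

# Regex for the message template quoted in the bug text.  Assumptions: the source
# address may or may not be prefixed by "src_if:", a syslog timestamp/hostname may
# precede the %ASA tag, and the reason runs to end of line (optional trailing period).
ASA_507003 = re.compile(
    r"%ASA-3-507003: The flow of type (?P<proto>\S+) from the originating interface: "
    r"(?:(?P<src_if>[^:\s/]+):)?(?P<src_ip>[0-9.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s/]+):(?P<dst_ip>[0-9.]+)/(?P<dst_port>\d+) "
    r"terminated by inspection engine, reason - (?P<reason>.+?)\.?\s*$"
)


class ChildConnectionTracker:
    """Tracks open child (secondary) connections per parent control connection
    and refuses the (limit+1)th, mirroring the behaviour described in the bug."""

    def __init__(self, limit=CHILD_CONN_LIMIT):
        self.limit = limit
        self.children = defaultdict(set)  # parent -> set of open child ids

    def open(self, parent, child):
        """Return True if the child is admitted, False if it would exceed the cap."""
        kids = self.children[parent]
        if child in kids:
            return True
        if len(kids) >= self.limit:
            return False  # the ASA drops it and logs 507003 "inspector drop reset"
        kids.add(child)
        return True

    def close(self, parent, child):
        self.children[parent].discard(child)

    def count(self, parent):
        return len(self.children[parent])


def parse_507003(line):
    """Parse one syslog line; return a dict of fields, or None if it is not 507003."""
    m = ASA_507003.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def inspector_drops(lines, reason_substr="inspector drop"):
    """Count 507003 messages whose reason contains reason_substr, keyed by
    (src_ip, dst_ip).  A burst from one pair during an inspected session
    (e.g. FTP data channels) is the signature of hitting the child-connection cap."""
    counts = Counter()
    for line in lines:
        rec = parse_507003(line)
        if rec and reason_substr in rec["reason"]:
            counts[(rec["src_ip"], rec["dst_ip"])] += 1
    return counts


# Constructed sample lines (not captured from a real device).  The third carries a
# placeholder reason and must not be counted; the fourth is a different message id.
SAMPLE_LOG = [
    "Nov  8 10:00:01 asa1 %ASA-3-507003: The flow of type TCP from the originating interface: "
    "inside:10.1.1.50/40211 to outside:198.51.100.7/20 terminated by inspection engine, "
    "reason - inspector drop reset.",
    "Nov  8 10:00:01 asa1 %ASA-3-507003: The flow of type TCP from the originating interface: "
    "inside:10.1.1.50/40212 to outside:198.51.100.7/20 terminated by inspection engine, "
    "reason - inspector drop reset.",
    "Nov  8 10:00:02 asa1 %ASA-3-507003: The flow of type TCP from the originating interface: "
    "inside:10.1.1.60/51000 to outside:198.51.100.9/20 terminated by inspection engine, "
    "reason - (other reason).",
    "Nov  8 10:00:03 asa1 %ASA-6-302013: Built outbound TCP connection 12345 ...",
]


def demo_ftp_session(n_data_channels=201):
    """Simulate one FTP control connection opening n data channels at once;
    return (admitted, dropped)."""
    t = ChildConnectionTracker()
    parent = ("10.1.1.50", 40210, "198.51.100.7", 21)
    admitted = dropped = 0
    for i in range(n_data_channels):
        child = ("10.1.1.50", 40211 + i, "198.51.100.7", 20)
        if t.open(parent, child):
            admitted += 1
        else:
            dropped += 1
    return admitted, dropped


if __name__ == "__main__":
    print("admitted/dropped for 201 data channels:", demo_ftp_session())
    for (src, dst), n in inspector_drops(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} inspector-drop resets")
```

The tracker counts only currently open children, so closing a data connection frees a slot; an application that opens data channels faster than it tears them down is the one that hits the cap. The parser keys drops by source/destination pair rather than by parent port because 507003 does not name the parent connection.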