PIX v7.2(1) embryonic session limit connection drops

Hi all,

On a PIX-515 running v7.2(1), a continuous large amount of packets are being dropped because the embryonic counter limit, currently set to 500, is exceeded. Although lots of connections are being dropped, no end-user complaints have been reported yet. Nevertheless, I need to verify this in order to understand what's going on in the network and also to get to know the behaviour of the PIX itself better. During the problem analysis I discovered a strange behaviour I don't really understand. Maybe it is like this by design.

The PIX is dropping connection requests initiated from outside to internal clients which are prohibited by the ruleset (ACL). Actually this is OK and wanted. For me the strange thing is that it is dropping these connection requests with the "embryonic session limit" feature and not with the ACL deny statement. Additionally, the PIX is also dropping legitimate TCP connections using this mechanism.

Is this wanted by design and to be seen as normal behaviour? Does the PIX drop any further session requests once the embryonic counter limit has been reached, before checking the ACLs?

Roland
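As an added example that is not part of the original post: the two ways a TCP embryonic limit is configured on a 7.x PIX (the legacy per-translation limit on the static, and the Modular Policy Framework `set connection` command scoped to a class) together with the show commands that expose the embryonic counters. The addresses, object names and the limit of 500 are constructed for illustration and do not reflect Roland's configuration.

```cisco
! Added example, not from the original post. Addresses, names and limits are constructed.

! (1) Legacy way: per-translation limit on the static.
!     Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask tcp max_conns emb_limit
!     0   = no limit on total TCP connections to this host
!     500 = at most 500 half-open (embryonic) TCP sessions to this host
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 tcp 0 500

! (2) Modular Policy Framework way: scope the limit to the traffic that is meant to be
!     reachable from outside, so only SYNs for that service count against the budget.
!     Addresses in an outside-facing class-map are the mapped (global) addresses.
access-list OUTSIDE_TO_WEB extended permit tcp any host 203.0.113.10 eq www
!
class-map CM_OUTSIDE_TO_WEB
 match access-list OUTSIDE_TO_WEB
!
policy-map PM_OUTSIDE
 class CM_OUTSIDE_TO_WEB
  set connection embryonic-conn-max 500
  set connection per-client-embryonic-max 50
!
service-policy PM_OUTSIDE interface outside

! Verification (privileged exec mode):
! show service-policy interface outside   - per-class embryonic-conn-max, current embryonic
!                                           connections and drop counters
! show local-host 10.0.0.10               - per-host connection and embryonic counts
! show conn                               - live connection table; the flag column marks
!                                           half-open sessions still awaiting the SYN/ACK or ACK
```

Reading the `show service-policy` and `show local-host` counters before and after a change to the limit is the quickest way to confirm which mechanism (the static's emb_limit or the MPF class) is actually incrementing the drop counter for the traffic in question.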

