Came across this one today as an ASA that I look after started reporting "Resource 'conns' limit of 10000 reached for system". Turns out this is the TCP session limit being hit and, at least in my case, the cause was a TCP SYN flood attack. Running the following shows how many connections are currently open on the ASA:
ciscoasa# show conn count
1941 in use, 3739 most used
The above is a pretty sane amount, but the maximum is 10000, so to add some basic SYN flood protection you can cap the number of half-open (embryonic) TCP connections as follows:
class-map SYN_Prevention
 match any
!
policy-map global_policy
 class SYN_Prevention
  set connection embryonic-conn-max 1000 per-client-embryonic-max 30
The above configures your ASA to permit a maximum of 1000 half-open TCP sessions at a time globally (the class matches all traffic through the global policy) and a per-client maximum of 30, where a client is a single source IP address. Once either limit is reached the ASA intercepts new SYNs itself, completing the three-way handshake on the server's behalf and only building the connection to the server when the client finishes it, so spoofed SYNs that never complete no longer tie up server-side connections. The numbers are a starting point; tune them against the "most used" figure from show conn count for your own traffic so legitimate peaks are not tripped.
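As an added example that is not part of the original post, here is a small check that parses the show conn count output and the syslog message quoted above and flags how close the box is to its limit. The syslog IDs in the sample lines and the 80% warning threshold are my assumptions, not something the post states.

```python
import re

# Constructed sample of 'show conn count' output, as quoted in the post.
SHOW_CONN_COUNT = "1941 in use, 3739 most used"

# Constructed sample syslog lines; the first carries the message the post quotes.
SYSLOG_LINES = [
    "%ASA-3-321001: Resource 'conns' limit of 10000 reached for system",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/4433 "
    "(198.51.100.7/4433) to inside:10.0.0.5/443 (203.0.113.5/443)",
]

CONN_COUNT_RE = re.compile(r"(\d+) in use, (\d+) most used")
CONN_LIMIT_RE = re.compile(r"Resource 'conns' limit of (\d+) reached for (\S+)")


def parse_conn_count(output):
    """Return (in_use, most_used) from 'show conn count' output."""
    m = CONN_COUNT_RE.search(output)
    if not m:
        raise ValueError("unrecognised 'show conn count' output: %r" % output)
    return int(m.group(1)), int(m.group(2))


def find_conn_limit_events(lines):
    """Return (limit, scope) for every syslog line reporting the conns limit being hit."""
    events = []
    for line in lines:
        m = CONN_LIMIT_RE.search(line)
        if m:
            events.append((int(m.group(1)), m.group(2)))
    return events


def assess_conn_usage(in_use, most_used, limit, warn_pct=80):
    """Classify current connection usage against the platform's conns limit."""
    pct = 100.0 * in_use / limit
    if in_use >= limit:
        status = "exhausted"      # new connections are being dropped
    elif pct >= warn_pct:
        status = "warning"        # assumed threshold: time to look for a flood
    else:
        status = "ok"
    return {"in_use": in_use, "most_used": most_used, "limit": limit,
            "utilisation_pct": round(pct, 1),
            "peak_hit_limit": most_used >= limit, "status": status}


if __name__ == "__main__":
    in_use, most_used = parse_conn_count(SHOW_CONN_COUNT)
    limit = find_conn_limit_events(SYSLOG_LINES)[0][0]
    print(assess_conn_usage(in_use, most_used, limit))
```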
Hope this helps:)
Jay