Forum Discussion
LTM excessive connections on Virtual Server
Connections can be deleted as follows from the command line:
tmsh delete sys connection cs-server-addr i.i.i.i cs-server-port pn
Replace i.i.i.i with the IP address of the virtual server and pn with the port number of the virtual server. This will delete all client-side connections to a particular Virtual Server.
If the connections are re-initiated, you need to do more investigation. It could be a DoS attack that aims to exhaust your connection tables. If so, consider reducing the TCP idle timeout value in the profile that is applied to your Virtual Server. Alternatively, just block malicious source IP addresses at your perimeter firewall.
Sometimes poor monitoring systems can cause connection over-flooding, and sometimes security scans can do the same. But if there are 400+ unique IP addresses that are not doing any meaningful activity, it's most likely an attack.
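Added example, not part of the original post or of F5's tooling: a triage helper that summarizes the virtual server's connection table per client IP, so you can see how many unique sources hold only idle connections before deciding between a monitor, a scan, or an attack. The column layout of the `tmsh show sys connection` output, the function names, the 60-second idle threshold, and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample, in the column layout assumed here for
# `tmsh show sys connection cs-server-addr <ip> cs-server-port <port>`:
# client  virtual-server  server-side-client  pool-member  proto  idle(s)  (tmm)  accel
sample_connections() {
cat <<'EOF'
Sys::Connections
198.51.100.10:40112  203.0.113.5:443  10.0.0.1:40112  10.0.1.20:443  tcp  2  (tmm: 0)  none
198.51.100.10:40113  203.0.113.5:443  10.0.0.1:40113  10.0.1.21:443  tcp  5  (tmm: 1)  none
192.0.2.21:51000  203.0.113.5:443  10.0.0.1:51000  10.0.1.20:443  tcp  280  (tmm: 0)  none
192.0.2.21:51001  203.0.113.5:443  10.0.0.1:51001  10.0.1.21:443  tcp  290  (tmm: 1)  none
192.0.2.22:51002  203.0.113.5:443  10.0.0.1:51002  10.0.1.20:443  tcp  295  (tmm: 0)  none
198.51.100.11:40200  203.0.113.5:80  10.0.0.1:40200  10.0.1.30:80  tcp  1  (tmm: 0)  none
Total records returned: 6
EOF
}

# summarize_sources VS_ADDR VS_PORT IDLE_SECONDS   (hypothetical helper)
# Reads connection rows on stdin and prints one line per client IP:
#   <client-ip> <total connections> <connections idle >= IDLE_SECONDS>
# Sorted by total connections, busiest source first. IPv4 rows only.
summarize_sources() {
  awk -v vs="$1:$2" -v idle="$3" '
    $2 == vs && $5 == "tcp" {
      ip = $1
      sub(/:[0-9]+$/, "", ip)          # drop the client source port
      total[ip]++
      if ($6 + 0 >= idle) stale[ip]++  # column 6 is idle time in seconds
    }
    END { for (ip in total) printf "%s %d %d\n", ip, total[ip], stale[ip] + 0 }
  ' | sort -k2,2nr -k1,1
}

# count_idle_only_sources VS_ADDR VS_PORT IDLE_SECONDS   (hypothetical helper)
# Prints how many client IPs have no connection with recent activity.
count_idle_only_sources() {
  summarize_sources "$@" | awk '$2 == $3 { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
sample_connections | summarize_sources 203.0.113.5 443 60
```

On a live system, pipe the real `tmsh show sys connection` output into `summarize_sources` instead of `sample_connections`, and check the column positions against your version first.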