In Kerio Control Configuration -> Traffic Policy -> Security Settings -> Miscellaneous, you'll find a setting for "Connection Limit". That puts a limit on connections and by default it is set to 600. That means that if a machine in your network tries to have more than 600 connections to machines on the Internet, it gets blocked.
Note that this is connections in either direction: outgoing or incoming.
That's a pretty generous limit, as any machine with that many connections may be up to no good. If the connections are legitimate, you are probably already well aware of exactly what those connections are and why that machine needs to make them. In that case, you either need to raise the limit or put a public interface on that machine that doesn't go through the firewall (it's not currently possible to have any exceptions for this limit or to define individual limits for certain machines).
What if there isn't any reason that you know of for this machine to be so active? You suddenly get this and have no idea why:
As noted, this could be bad news. It could indicate a virus on the misbehaving computer, or it could mean that someone on the outside is trying to cripple you by deliberately making useless connections.
Or, it might just be something you forgot about.
In the two most recent cases where I've seen this, that was the case. In both cases, the customers were using Microsoft Domain Controllers and some or all machines were looking there for DNS. That machine in turn was going out to the Internet to resolve the requests and although neither customer has anything even approaching 600 users, connections last long enough and come quickly enough that now and then the connection limit was reached.
Aside from the alert, this also means that some DNS request failed, though apparently it didn't happen often enough that anyone complained. Probably the affected user was momentarily puzzled and when they tried again, enough older connections had timed out that it went through, so they shrugged their shoulders and got on with their work (or whatever they were doing instead of work).
The solution is simple enough: tell the Domain Controller (or the individual machines) to look up DNS at the Kerio Control box. That isn't an outgoing or incoming connection, so the connection limit counter isn't affected.
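As an added illustration (not code from the original post, and not anything Kerio Control ships), the Python below works through the diagnosis described above on a constructed connection table: it counts connections per internal host, flags any host over the default 600 limit, shows which protocol/port dominates for that host, and estimates the steady-state connection count from query rate and entry lifetime, which is why a site with far fewer than 600 users can still trip the limit. The IP addresses, the 30-second lifetime and the query rate are assumptions.

```python
"""Per-host connection counting against a Kerio-style connection limit.

All data here is constructed for the example; nothing is read from a
real firewall. Each entry is (source_ip, dest_ip, dest_port, protocol).
"""
from collections import Counter

CONNECTION_LIMIT = 600  # Kerio Control default (Security Settings -> Miscellaneous)


def build_sample():
    """Construct a table: a domain controller (10.0.0.5, assumed address)
    forwarding DNS for the LAN, plus ordinary browsing from two workstations."""
    conns = []
    # 620 lingering UDP/53 entries: the DC resolves client queries upstream
    for i in range(620):
        conns.append(("10.0.0.5", f"198.51.100.{i % 200 + 1}", 53, "udp"))
    conns += [("10.0.0.21", "203.0.113.10", 443, "tcp")] * 40
    conns += [("10.0.0.22", "203.0.113.11", 80, "tcp")] * 12
    return conns


def per_host_counts(conns):
    """Connections per internal host (the quantity the limit is applied to)."""
    return Counter(src for src, _dst, _port, _proto in conns)


def hosts_over_limit(conns, limit=CONNECTION_LIMIT):
    """Hosts that would be blocked under the given limit."""
    return sorted(h for h, n in per_host_counts(conns).items() if n > limit)


def port_breakdown(conns, host):
    """(protocol, port) pairs for one host, most common first; a DNS forwarder
    shows up as a wall of udp/53 entries."""
    return Counter((proto, port) for src, _dst, port, proto in conns
                   if src == host).most_common()


def steady_state_connections(rate_per_second, lifetime_seconds):
    """Little's law: entries alive at once = arrival rate * entry lifetime.
    20 queries/s with a 30 s tracking lifetime already sits at the limit."""
    return rate_per_second * lifetime_seconds


def report(conns, limit=CONNECTION_LIMIT):
    """Human-readable lines for every host over the limit."""
    counts = per_host_counts(conns)
    lines = []
    for host in hosts_over_limit(conns, limit):
        (proto, port), n = port_breakdown(conns, host)[0]
        lines.append(f"{host}: {counts[host]} connections (> {limit}); "
                     f"{n} of them {proto}/{port}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_sample())))
```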
© 2013-06-12 Anthony Lawrence