Kerio Control Connection Limit Reached Alert


2013/06/12

In Kerio Control Configuration ->Traffic Policy -> Security Settings -> Miscellaneous, you'll find a setting for "Connection Limit". That puts a limit on connections and by default it is set to 600. That means that if a machine in your network tries to have more than 600 connections to machines on the Internet, it gets blocked.

Note that this is connections in either direction: outgoing or incoming.

That's a pretty generous limit, as any machine with that many connections may be up to no good. If the connections are legitimate, you are probably already well aware of exactly what those connections are and why that machine needs to make them. In that case, you either need to raise the limit or put a public interface on that machine that doesn't go through the firewall (it's not currently possible to have any exceptions for this limit or to define individual limits for certain machines).

What if there isn't any reason that you know of for this machine to be so active? You suddenly get this and have no idea why:

Keri Connection Limit Alert message.

As noted, this could be bad news. It could indicate a virus on the misbehaving computer, or it could mean that someone on the outside is trying to cripple you by deliberately making useless connections.

Or, it might just be something you forgot about.

In the two most recent cases where I've seen this, that was the case. In both cases, the customers were using Microsoft Domain Controllers and some or all machines were looking to there for DNS. That machine in turn was going out to the Internet to resolve the requests and although neither customer has anything even approaching 600 users, connections last long enough and come quickly enough that now and then the connection limit was reached.

Aside from the alert, this also means that some DNS request failed, though apparently it didn't happen often enough that anyone complained. Probably the affected user was momentarily puzzled and when they tried again, enough older connections had timed out that it went through, so they shrugged their shoulders and got on with their work (or whatever they were doing instead of work).

The solution is simple enough: tell the Domain Controller (or the individual machines) to look up DNS at the Kerio Control box. That isn't an outgoing or incoming connection, so the connection limit counter isn't affected.



Got something to add? Send me email.





(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Kerio Control Connection Limit Reached Alert




Increase ad revenue 50-250% with Ezoic


More Articles by

Find me on Google+

© Anthony Lawrence



Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us





There's no obfuscated Perl contest because it's pointless. (Jeff Polk )

Computers have been taught to distrust each other and will reject attempted connections most of the time. Nowadays, most computers and firewalls are utterly rude about it: it would be like asking someone to dance and having them ignore you as though you were invisible and inaudible. (Tony Lawrence)







This post tagged: