We were a Palo Alto GlobalProtect VPN shop. Now we are rolling out ZPA to replace it. One of the issues we are running into is that when our remote users try to access our AWS RDS MySQL server, it maxes out the allowed "max_connect_errors" threshold for a given host/source (the Zscaler Connector). We don't have this issue while running on GPVPN. The default allowed "max_connect_errors" within RDS is set to 100. For now we have increased it to 10,000, but our Cybersec team does not like it due to the security risk.
For the time being, our database team has to go and flush the connections via the command below to restore access for our remote users on ZPA.
This parameter indicates how many connection errors are possible before the server blocks a host. If more than max_connect_errors successive connection requests from a host are interrupted without a successful connection, the server blocks that host from further connections. The default value is 100 and can be tuned to your security requirements and environment.
For example, if max_connect_errors=5000, after 5,000 connection requests from Host X are interrupted you get an error like the following:
Host X is blocked because of many connection errors ().
Unblock the host using the following command:
mysql> flush hosts;
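The quoted paragraph describes a per-source-host counter of successive interrupted connection attempts that is reset by a successful connection and cleared by FLUSH HOSTS. The toy model below is an added example (not code from the post, from Zscaler or from AWS) that replays constructed connection events through that rule, so you can see why the same number of aborted handshakes that is harmless when each VPN user has its own address blocks everyone as soon as all users appear to RDS as the one connector address. The IP addresses and event counts are constructed, and the model deliberately ignores MySQL details that the post does not mention (such as host-name caching).

```python
"""Toy model of MySQL's max_connect_errors accounting.

Added example, not from the post. Per source host, MySQL counts *successive*
connection attempts interrupted before a successful handshake; a successful
connection resets that host's counter, and once the counter exceeds
max_connect_errors the host is blocked until FLUSH HOSTS. The traffic below is
constructed: a burst of aborted handshakes from many users, once with per-user
VPN addresses and once source-NATed onto a single connector address.
"""
from collections import defaultdict


def simulate(events, max_connect_errors=100):
    """Replay (host, outcome) events and return (blocked_hosts, counters).

    outcome is 'ok' for a completed handshake or 'interrupted' for an aborted
    one. Attempts from an already blocked host are refused and not counted,
    which is why blocked hosts stay blocked until flush_hosts() is called.
    """
    errors = defaultdict(int)
    blocked = set()
    for host, outcome in events:
        if host in blocked:
            continue
        if outcome == "ok":
            errors[host] = 0          # success resets the streak for this host
        elif outcome == "interrupted":
            errors[host] += 1
            if errors[host] > max_connect_errors:   # "more than" the limit
                blocked.add(host)
        else:
            raise ValueError(f"unknown outcome {outcome!r}")
    return blocked, dict(errors)


def flush_hosts(blocked, counters):
    """Model of FLUSH HOSTS: drops the block list and every per-host counter."""
    blocked.clear()
    counters.clear()


def build_burst(users, interrupted_per_user, nat_ip=None):
    """Constructed traffic: each user's client aborts a few handshakes.

    Without nat_ip every user keeps its own (constructed) address, as with a
    per-user VPN. With nat_ip set, the server sees one source address for all
    users, as when a connector source-NATs the traffic.
    """
    events = []
    for u in range(users):
        host = nat_ip or f"10.0.0.{u + 1}"
        events += [(host, "interrupted")] * interrupted_per_user
    return events


if __name__ == "__main__":
    vpn_blocked, _ = simulate(build_burst(150, 1), max_connect_errors=100)
    nat_blocked, nat_counts = simulate(
        build_burst(150, 1, nat_ip="203.0.113.10"), max_connect_errors=100
    )
    print("per-user addresses blocked:", sorted(vpn_blocked))
    print("single connector address blocked:", sorted(nat_blocked), nat_counts)
    flush_hosts(nat_blocked, nat_counts)
    print("after FLUSH HOSTS:", nat_blocked, nat_counts)
```

Run as a script it prints an empty block list for the per-user case and `{'203.0.113.10'}` for the connector case, then an empty set after the modelled FLUSH HOSTS. The same 150 aborted handshakes are spread over 150 counters in one case and piled onto one counter in the other, which is the effect the post is seeing; raising the limit only moves the point at which the shared counter trips, whereas a successful connection in between resets it.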