Pix 515 - CPU and Connection High

Unanswered Question
Jun 17th, 2007

Hi,

I have a Pix 515 which is running slow; it has high CPU utilisation. I'm not sure if this is due to the number of connections it currently has, which to me don't seem to be being cleared down.

Please could someone offer some advice, thanks

I have attached some output which I hope will help.

Thanks

Stu

JBDanford2002 Mon, 06/18/2007 - 15:14

Definitely looks to me like a DoS attack. You are over your supported max connections for the 515 which would be about 130000. Between the DNS connections and the Mail connections it's hard to tell what the root cause is. I would look at an internal host possibly trying to send spam. Maybe a better look at the connections table. At this point I would clear connections and xlates. I imagine you are already impacted. How many users do you have on your network? Which version code? Wouldn't hurt setting max conns and half open limits to help stop this in the future. My best guess is a machine has a virus on your network. After a clear conn you should be able to see with another sh conn possibly who is causing the traffic. May also want to look at logs to see if you have multiple denies on high ports. If you don't have your firewall rules base locked down I would also do so to limit the amount of connections being established by dropping unwanted traffic.

stuart.jones Tue, 06/26/2007 - 16:27

I ended up rebooting the Pix to resolve this, and the symptoms went away for about 5 days; yesterday it popped up again, it had been fine in the five days since.

From looking at the connections, I noticed that though there were still a lot of embryonic connections, even on those which were established the idle time was very high. I thought that the setting on the timeout command should enforce a clearing of these.

My timeout command has TCP set to 1 hour but some of these were a lot higher.

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

sample conn table

TCP out x.x.x.x:25 in mailmarshal:8932 idle 9:22:19 Bytes 0 flags saA

TCP out z.z.z.z:25 in mailmarshal:13397 idle 72:46:04 Bytes 0 flags saA

UDP out a.a.a.a:53 in vlbsps02:5359 idle 25:28:11 flags D

TCP out b.b.b.b:25 in mailmarshal:19133 idle 61:55:25 Bytes 0 flags saA

TCP out c.c.c.c:80 in webmarshal:4279 idle 22:43:48 Bytes 1932 flags UfFRIO

Thanks in advance

No embryonic limits set and version 6.2(1) of the code.

With regards to the embryonic connections, how do you know what value to set this to?

Stu

JBDanford2002 Tue, 06/26/2007 - 16:36

Check this out. I would say it's time to upgrade! The bug is listed as fixed. I would upgrade to 6.3(5)

CSCee07961 Bug Details

A PIX running software version 6.2(3) may experience orphaned connections which are not bound to any xlate or local-host entries. The "Hosts conn cleaner" will show excessive CPU time and other lower priority processes will be starved of CPU time.

This condition can be determined by doing "sh conn count" and comparing it with the output of "sh local-host". If the conn count is high, the number of actual connections listed in the local-host table will be much lower if this condition exists. Immediately after a "cle xlate" and "cle local-host" there will be many connections which have high idle times.

Workaround:

Reload the PIX
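The check both replies rely on, an idle time that has outlived the configured "timeout conn"/"udp" value, can be scripted over pasted "sh conn" output. The following is an added example, not code from the thread or from Cisco; the conn lines and the timeout line are copied from the posts above (hosts and addresses are the placeholders the poster used) plus one constructed healthy entry, and the flag meanings in the comment follow the PIX "show conn" legend.

```python
import re

# Constructed sample in the PIX 6.x "show conn" format from the thread;
# x.x.x.x etc. are placeholders, the last line is an added healthy entry.
SAMPLE_CONN = """\
TCP out x.x.x.x:25 in mailmarshal:8932 idle 9:22:19 Bytes 0 flags saA
TCP out z.z.z.z:25 in mailmarshal:13397 idle 72:46:04 Bytes 0 flags saA
UDP out a.a.a.a:53 in vlbsps02:5359 idle 25:28:11 flags D
TCP out b.b.b.b:25 in mailmarshal:19133 idle 61:55:25 Bytes 0 flags saA
TCP out c.c.c.c:80 in webmarshal:4279 idle 22:43:48 Bytes 1932 flags UfFRIO
TCP out d.d.d.d:443 in webmarshal:4300 idle 0:00:12 Bytes 5120 flags UIO
"""

# The poster's timeout configuration line.
TIMEOUT_LINE = ("timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 "
                "rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00")

# "Bytes" is only printed for TCP entries, so it is optional here.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out>\S+) in (?P<in>\S+) idle (?P<idle>\d+:\d\d:\d\d)"
    r"(?: Bytes (?P<bytes>\d+))? flags (?P<flags>\S+)$"
)

def hms_to_seconds(hms):
    """Convert h:mm:ss to seconds; hours may exceed 24 (e.g. 72:46:04)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_timeouts(line):
    """Return {'conn': secs, 'udp': secs, ...} from a PIX 'timeout' line."""
    tokens = line.split()[1:]  # drop the leading 'timeout' keyword
    return {tokens[i]: hms_to_seconds(tokens[i + 1]) for i in range(0, len(tokens), 2)}

def parse_conn(line):
    """Parse one 'show conn' entry; returns None for lines that do not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["idle_secs"] = hms_to_seconds(d["idle"])
    d["bytes"] = int(d["bytes"]) if d["bytes"] else None
    # PIX flag legend: 'U' = connection up; s/a/A = still waiting on the
    # handshake, i.e. an embryonic (half-open) connection.
    d["embryonic"] = d["proto"] == "TCP" and "U" not in d["flags"]
    return d

def stale_connections(conn_output, timeout_line):
    """Entries idle longer than the timeout that should already have cleared
    them: 'conn' for TCP, 'udp' for UDP. Returns (proto, out, in, idle, embryonic)."""
    t = parse_timeouts(timeout_line)
    stale = []
    for c in filter(None, map(parse_conn, conn_output.splitlines())):
        limit = t["conn"] if c["proto"] == "TCP" else t["udp"]
        if c["idle_secs"] > limit:
            stale.append((c["proto"], c["out"], c["in"], c["idle"], c["embryonic"]))
    return stale
```

Run against the sample, every entry from the thread is reported (idle times of 9 to 72 hours against a 1 hour TCP and 2 minute UDP timeout), which is the orphaned-connection symptom the bug text describes.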
