06-17-2007 04:04 PM - edited 03-11-2019 03:31 AM
Hi,
I have a Pix 515 which is running slow, it has high CPU utilisation, I'm not sure if this is due to the number of connections it currently has, which to me don't seem to be being cleared down.
Please could someone offer some advice, thanks
I have attached some output which I hope will help.
Thanks
Stu
06-18-2007 03:14 PM
Definitely looks to me like a DoS attack. You are over your supported max connections for the 515, which would be about 130000. Between the DNS connections and the Mail connections it's hard to tell what the root cause is. I would look at an internal host possibly trying to send spam. Maybe a better look at the connections table. At this point I would clear connections and xlates. I imagine you are already impacted. How many users do you have on your network? Which version code? Wouldn't hurt setting max conns and half open limits to help stop this in the future. My best guess is a machine has a virus on your network. After a clear conn you should be able to see with another sh conn possibly who is causing the traffic. May also want to look at logs to see if you have multiple denies on high ports. If you don't have your firewall rule base locked down I would also do so to limit the amount of connections being established by dropping unwanted traffic.
06-26-2007 04:27 PM
I ended up rebooting the Pix to resolve this, and the symptoms went away for about 5 days, yesterday it popped up again, it had been fine in the five days since.
From looking at the connections, I noticed that though there were still a lot of embryonic connections, even those which were established the idle time was very high, I thought that the setting on the timeout command should enforce a clearing of these.
My timeout command has TCP set to 1 hour but some of these were a lot higher.
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
sample conn table
TCP out x.x.x.x:25 in mailmarshal:8932 idle 9:22:19 Bytes 0 flags saA
TCP out z.z.z.z:25 in mailmarshal:13397 idle 72:46:04 Bytes 0 flags saA
UDP out a.a.a.a:53 in vlbsps02:5359 idle 25:28:11 flags D
TCP out b.b.b.b:25 in mailmarshal:19133 idle 61:55:25 Bytes 0 flags saA
TCP out c.c.c.c:80 in webmarshal:4279 idle 22:43:48 Bytes 1932 flags UfFRIO
Thanks in advance
no embryonic limits set and version 6.2(1) of the code.
With regards to the embryonic connections how do you know what value to set this to?
Stu
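To turn the check in the post above into something repeatable, here is an added example (not from the original thread or from Cisco) that parses the posted `timeout` line and `show conn` entries, then flags every connection whose idle time already exceeds the timeout that should have reaped it, which is the symptom of orphaned connections being described. The sample table is the one posted plus one constructed healthy entry; the flag meanings assumed are the PIX ones where `U` marks an established (up) TCP connection.

```python
import re

# Constructed sample input: the poster's timeout line and conn table, plus one healthy entry.
TIMEOUT_LINE = ("timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 "
                "h323 0:05:00 sip 0:30:00 sip_media 0:02:00")
CONN_TABLE = """\
TCP out x.x.x.x:25 in mailmarshal:8932 idle 9:22:19 Bytes 0 flags saA
TCP out z.z.z.z:25 in mailmarshal:13397 idle 72:46:04 Bytes 0 flags saA
UDP out a.a.a.a:53 in vlbsps02:5359 idle 25:28:11 flags D
TCP out b.b.b.b:25 in mailmarshal:19133 idle 61:55:25 Bytes 0 flags saA
TCP out c.c.c.c:80 in webmarshal:4279 idle 22:43:48 Bytes 1932 flags UfFRIO
TCP out d.d.d.d:443 in webmarshal:4300 idle 0:00:12 Bytes 5120 flags UIO
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out>\S+) in (?P<in>\S+) idle (?P<idle>\d+:\d{2}:\d{2})"
    r"(?: Bytes (?P<bytes>\d+))? flags (?P<flags>\S+)$"
)

def hms_to_seconds(text):
    """Convert a PIX 'h:mm:ss' idle/timeout value (hours may exceed 24) to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_timeouts(line):
    """Map each timeout keyword on a PIX 'timeout' line to its value in seconds."""
    tokens = line.split()[1:]  # drop the leading 'timeout' keyword
    return {tokens[i]: hms_to_seconds(tokens[i + 1]) for i in range(0, len(tokens), 2)}

def parse_conn_table(text):
    """Parse 'show conn' lines; UDP entries carry no Bytes field, so it is optional."""
    entries = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["idle_secs"] = hms_to_seconds(e["idle"])
            e["bytes"] = int(e["bytes"]) if e["bytes"] is not None else None
            # Assumption: 'U' = connection is up; a TCP conn without it is still embryonic.
            e["embryonic"] = e["proto"] == "TCP" and "U" not in e["flags"]
            entries.append(e)
    return entries

def stale_connections(conn_text, timeout_line):
    """Entries idle longer than the 'conn' (TCP) or 'udp' timeout that should have cleared them."""
    timeouts = parse_timeouts(timeout_line)
    stale = []
    for e in parse_conn_table(conn_text):
        limit = timeouts["udp"] if e["proto"] == "UDP" else timeouts["conn"]
        if e["idle_secs"] > limit:
            stale.append(e)
    return stale
```

Comparing `len(stale_connections(...))` against the total from `sh conn count` gives the same orphaned-versus-real ratio the bug write-up suggests checking by hand.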
06-26-2007 04:36 PM
Check this out. I would say its time to upgrade! The bug is listed as fixed. I would upgrade to 6.3(5)
CSCee07961 Bug Details
A PIX running software version 6.2(3) may experience orphaned
connections which are not bound to any xlate or local-host entries.
The "Hosts conn cleaner" will show excessive CPU time and other
lower priority processes will be starved of CPU time.
This condition can be determined by doing "sh conn count" and
comparing it with the output of "sh local-host". If the conn count is high,
the number of actual connections listed in the local-host table will be
much lower if this condition exists. Immediately after a "cle xlate"
and "cle local-host" there will be many connections which have high idle times.
Workaround:
Reload the PIX