ICMP through the PIX

Unanswered Question
Jul 3rd, 2007

Hello.


I am doing pre-deployment testing for 7.2 on a PIX535. I started pumping engineered ICMP traffic from IXIA at 75MB and 64 frame size just for traffic flow validation (allowed via ACL). For some reason, the CPU spiked to 99%. I was under the impression that every echo-request/echo-reply from the IXIA is considered one session, thus really busying up the PIX CPU. When I checked the PIX, there were only 2 connections.


Does anybody have any idea?


Thanks.


Sping

JORGE RODRIGUEZ Tue, 07/03/2007 - 14:17

It could be anything, internally or externally. Look at the firewall logs and see if you have multiple denies with high TCP ports for inbound traffic.


Did you do "show conn" and verify that you in fact have just 2 connections? If just two connections, can you track these internal connections?
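The two checks suggested above (count inbound denies to high TCP ports per source, and see which sources the ICMP connections are being built for) can be done over an exported PIX syslog file. The following is an added example, not code posted in this thread; the log lines in it are constructed, the message formats for %PIX-4-106023 and %PIX-6-302020 are assumed to match the 7.x syslog format, and the "outside" interface name and the 1024 high-port boundary are assumptions you would adjust for your own box.

```python
import re
from collections import Counter

# Constructed sample PIX 7.x syslog lines (addresses are made up for this example;
# the 106023 / 302020 message layouts are assumed, check against your own logs).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:192.0.2.10/3389 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.7/51235 dst inside:192.0.2.10/5900 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.9/40000 dst inside:192.0.2.11/22 by access-group "outside_in"
%PIX-6-302020: Built ICMP connection for faddr 198.51.100.20/0 gaddr 192.0.2.50/512 laddr 10.1.1.50/512
%PIX-6-302020: Built ICMP connection for faddr 198.51.100.21/0 gaddr 192.0.2.50/513 laddr 10.1.1.50/513
%PIX-6-302020: Built ICMP connection for faddr 198.51.100.20/0 gaddr 192.0.2.50/514 laddr 10.1.1.50/514
"""

# ACL deny: protocol, source interface/host/port, destination interface/host/port.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# ICMP connection built: foreign, global and local addresses.
ICMP_RE = re.compile(
    r"%PIX-6-302020: Built ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)


def inbound_high_port_denies(log: str, inbound_if: str = "outside", high_port: int = 1024) -> Counter:
    """Count TCP denies per source host for traffic arriving on inbound_if
    and aimed at a destination port >= high_port (the 'multiple denies with
    high tcp ports' pattern suggested in the thread)."""
    hits = Counter()
    for line in log.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        if m["proto"] != "tcp" or m["sif"] != inbound_if:
            continue
        if int(m["dport"]) >= high_port:
            hits[m["src"]] += 1
    return hits


def icmp_connections_by_source(log: str) -> Counter:
    """Count ICMP connections built per foreign (remote) address, so the
    sources behind a burst of echo traffic can be identified."""
    sources = Counter()
    for line in log.splitlines():
        m = ICMP_RE.search(line)
        if m:
            sources[m["faddr"]] += 1
    return sources


def noisy_sources(log: str, threshold: int = 2) -> list:
    """Sources that appear at least `threshold` times in either category,
    sorted by total count, highest first."""
    total = inbound_high_port_denies(log) + icmp_connections_by_source(log)
    return [src for src, n in total.most_common() if n >= threshold]


if __name__ == "__main__":
    print("high-port denies:", inbound_high_port_denies(SAMPLE_LOG))
    print("icmp sources:   ", icmp_connections_by_source(SAMPLE_LOG))
    print("noisy sources:  ", noisy_sources(SAMPLE_LOG))
```

Point the functions at the output of `show logging` (or the syslog server's file) instead of SAMPLE_LOG; a single source dominating both counters is the one to compare against the IXIA's address.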

espmolina Thu, 07/05/2007 - 05:19

"show conn" does show 2 connections, and they are coming from the IXIA to the remote destination. I was thinking that it probably is a limitation of the PIX. I am pumping 148,800 frames per second of ICMP, and every one of those frames will go through the PIX CPU. Does anybody know what the pps limitation of the PIX535 is? I have a VAC+ installed on the PIX.


Thanks.

JORGE RODRIGUEZ Thu, 07/05/2007 - 13:13

Can you post a short text from the PIX logs on the ICMPs? Sounds like DoS. Do the logs show the ICMPs allowed, or ICMP unreachable?


Can you identify the connections coming from the IXIA? It could be a host on that end sending spam.
