ICMP through the PIX

espmolina · ‎07-03-2007

Hello.

I am doing pre-deployment testing for 7.2 on a PIX535. I started pumping engineered ICMP traffic from IXIA at 75MB and 64 frame size just for traffic flow validation (allowed via ACL). For some reason, the CPU spiked to 99%. I was under the impression that every echo-request/echo-reply from the IXIA is considered as one session thus really busy-ing up the PIX CPU. When I checked the PIX, there were only 2 connections.

Does anybody have any idea?

Thanks.

Sping

JORGE RODRIGUEZ · ‎07-03-2007

it could be anything internally or externally, look at the firewall logs and see if you have multiple denies with high tcp ports for inbound traffic.

did you do " show conn " and verified in fact you have just 2 connections? if just two connections can you track these internal connections?

Jorge Rodriguez

espmolina · ‎07-05-2007

"show conn" does show 2 connections and is coming from the IXIA to remote destination. I was thinking that it probably is the limitation of the PIX. I am pumping 148,800 frames per seconds of ICMPs and every one of those frames will go through the PIX CPU. Does anybody know what is the pps limitation of the PIX535? I have a VAC+ installed on the PIX.

Thanks.

JORGE RODRIGUEZ · ‎07-05-2007

can you post a short text from the pix logs on the icmps, sounds like DoS , does the logs shows the icmps allowed or icmp unreachable..

can you indentify the connectios comming from the IXIA, it could be a host on that end sending spam..

Jorge Rodriguez