Pix 515E memory running out

smbtest12
Level 1

We have 2 PIX 515Es, and all of a sudden the memory has begun to run out very fast. According to the Cisco website, the RAM on the PIX should not change much, if at all.

We have tried all possible means to ensure there is no DoS being carried out. Are there any further steps we can take to look into this matter?

One of the firewalls' memory takes about 24 hours to run out, and then we have to perform a reload to reduce its memory. The other one seems to be stable at present, but when it starts to misbehave, it also requires a reboot every 2-3 days.

Any ideas welcome

Thanks

Ali


16 Replies

abinjola
Cisco Employee

Get me:

sh conn count

sh conn detail

sh version

sh xlate count


sh conn count = 13497 in use, 13589 most used

The conn count is always rising, so in a few hours time, it will be higher than the above.

Cisco PIX Security Appliance Software Versio

Device Manager Version 5.0(1)

Compiled on Thu 31-Mar-05 14:37 by builders

System image file is "flash:/image"

Config file at boot was "startup-config"

smb-fw2 up 10 hours 58 mins

Hardware: PIX-515E, 64 MB RAM, CPU Pentium

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : media index

1: Ext: Ethernet1 : media index

Licensed features for this platform:

Maximum Physical Interfaces : 3

Maximum VLANs : 10

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : Unlimited

This platform has a Restricted (R) license.

xlate count = 47 in use, 47 most used

Do you want all of "sh conn detail" ?

Also, is it safe to bump up the RAM in a PIX similar to the above to, say, 192MB? Will this have any side effects?

Thanks

Ali

13497 in use?? How many users were connected at this time? Do you think these many connections are valid?

Moreover, you are running code 7.x; I would suggest you go up to 128 MB RAM.

It's hard to say how many users, as we host quite a few servers, but the number 13497 is beyond what we expect.

That's what we think is causing the memory to run out. The total number of connections is rising but not dropping when connections are dropped, hence using up our memory.

Yes, we have 7.x. Can I assume it's OK on our restricted licence to stick in 128MB RAM?

Any ideas on how to drop the number of connections? At present "sh conn count" is 17703 in use, 17743 most used!!

Thanks for your help.

Ali

Hmm... get me the following:

1) exact version?

2) sh run timeout

3) sh conn

4) sh conn detail (not the entire output, but a few lines that show me the idle connections lying there)

Version : 7.0(1)

sh run timeout :

timeout xlate 999:59:59

timeout conn 99:59:59 half-closed 99:59:59 udp 99:02:00 icmp 0:00:02

timeout sunrpc 99:10:00 h323 999:59:59 h225 999:59:59 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 99:59:59 sip_media 0:02:00

timeout uauth 99:05:00 absolute

sh conn :

TCP out aa.bb.cc.dd:25663 in server1:25 idle 2:44:57 bytes 114 flags UfrOB

UDP out aa.bb.cc.dd:4623 in server1:53 idle 10:30:15 flags -

UDP out aa.bb.cc.dd:4600 in server1:53 idle 10:30:17 flags -

UDP out aa.bb.cc.dd:4561 in server1:53 idle 10:30:19 flags -

UDP out aa.bb.cc.dd:4530 in server1:53 idle 10:30:20 flags -

UDP out aa.bb.cc.dd:4498 in server1:53 idle 10:30:22 flags -

UDP out aa.bb.cc.dd:4463 in server1:53 idle 10:30:24 flags -

UDP out aa.bb.cc.dd:20462 in server1:53 idle 11:19:49 flags -

TCP out aa.bb.cc.dd:60039 in server2:143 idle 11:02:43 bytes 2752 flags UfIOB

TCP out aa.bb.cc.dd:60034 in server2:143 idle 11:02:42 bytes 9082 flags UfIOB

TCP out aa.bb.cc.dd:3241 in server3:25 idle 5:53:57 bytes 769 flags UfIOB

TCP out aa.bb.cc.dd:30062 in server5:80 idle 3:31:53 bytes 10868 flags UfIOB

TCP out aa.bb.cc.dd:30061 in server5:80 idle 3:33:32 bytes 4706 flags UfIOB

TCP out aa.bb.cc.dd:30060 in server5:80 idle 3:33:31 bytes 7458 flags UfIOB

TCP out aa.bb.cc.dd:30055 in server5:80 idle 3:33:26 bytes 16249 flags UfIOB

TCP out aa.bb.cc.dd:30054 in server5:80 idle 3:33:30 bytes 8498 flags UfIOB

where aa.bb.cc.dd are various IP addresses and serverX relates to servers behind the firewall

Thanks Ashish

I got it. You have the idle conn timeout/xlate timeout set to 999 hours and 99 hours, which is not recommended at all, and is causing the stale idle connections to eat up the memory.

So put these commands in:

clear loc

timeout conn 1:0:0

timeout xlate 3:0:0

PS:- Please rate all the posts if they were helpful, so that others could refer to this

I put the commands in and got the following error:

xlate timeout 3:00:00 cannot be les than the uauth timeout 99:05:00

Usage: timeout [xlate:conn:udp:icmp:sunrpc:h323:mgcp:sip:sip_media:uauth [...]]

Also just for my info - what does "clear loc" do?

What about the timeouts for the rest of the things, such as UDP etc.?

I will certainly rate all your posts, you have been very helpful. Thanks again

Ali

Put the commands in this order:

cl local

timeout uauth 0:05:0

timeout conn 1:0:0

timeout xlate 3:0:0

sh run timeout now shows as follows:

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 99:59:59 udp 99:02:00 icmp 0:00:02

timeout sunrpc 99:10:00 h323 999:59:59 h225 999:59:59 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 99:59:59 sip_media 0:02:00

timeout uauth 0:05:00 absolute

Can you please advise if the rest of the parameters are set OK? Also, in ASDM the "Connection" check box is NOT ticked under Configuration -> Features -> Properties -> Advanced -> Timeouts. Should this be the case? The time is greyed out at 01:00:00.

You have been very helpful; I would highly appreciate it if you can answer the above questions. Otherwise I think you have resolved my case, for which I am very grateful to you.

Thanks

Ali

These are the default settings which you should have in your firewall. I can see even the UDP timeout value is not correct. Set the following timeout values:

ASA(config)# sh run timeout

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

OK, I have done that now, and the firewall looks much healthier. All the check boxes in ASDM are clear (i.e. unticked) in the "Timeout" settings - should this be the case?

Sorry, this is my final question and then I will close the case at my end. I would appreciate your response to this.

Thanks

Ali

> All the check boxes in ASDM are clear (i.e. unticked) in the "Timeout" settings - should this be the case?

--yes
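As an added example (not from the thread or from Cisco), the following Python script shows how a defender can audit the "sh run timeout" and "sh conn" output discussed above offline: it flags timeout keywords set above the defaults posted in the accepted answer, checks the xlate >= uauth rule behind the error Ali hit when he set xlate before uauth, and counts connections whose idle time exceeds the TCP conn / UDP timeout that would have torn them down. The sample outputs are constructed from the lines posted in the thread; nothing here talks to a firewall.

```python
import re

# Default timeouts (h:mm:ss) as posted in the accepted answer of the thread.
DEFAULT_TIMEOUTS = {
    "xlate": "3:00:00", "conn": "1:00:00", "half-closed": "0:10:00",
    "udp": "0:02:00", "icmp": "0:00:02", "sunrpc": "0:10:00", "h323": "0:05:00",
    "h225": "1:00:00", "mgcp": "0:05:00", "mgcp-pat": "0:05:00", "sip": "0:30:00",
    "sip_media": "0:02:00", "uauth": "0:05:00",
}
# Constructed sample: the "sh run timeout" output Ali posted before the fix.
SAMPLE_TIMEOUTS = """\
timeout xlate 999:59:59
timeout conn 99:59:59 half-closed 99:59:59 udp 99:02:00 icmp 0:00:02
timeout sunrpc 99:10:00 h323 999:59:59 h225 999:59:59 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 99:59:59 sip_media 0:02:00
timeout uauth 99:05:00 absolute
"""
# Constructed sample: a few "sh conn" lines in the format shown in the thread.
SAMPLE_SH_CONN = """\
TCP out aa.bb.cc.dd:25663 in server1:25 idle 2:44:57 bytes 114 flags UfrOB
UDP out aa.bb.cc.dd:4623 in server1:53 idle 10:30:15 flags -
TCP out aa.bb.cc.dd:30062 in server5:80 idle 0:00:41 bytes 10868 flags UfIOB
"""

def to_seconds(hms):
    """Convert a PIX h:mm:ss (or h:m:s, e.g. 3:0:0) timeout string to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_timeouts(text):
    """Map each keyword in 'timeout <name> <h:mm:ss> ...' lines to seconds."""
    cfg = {}
    for line in text.splitlines():
        if line.startswith("timeout "):
            for name, val in re.findall(r"(\S+) (\d+:\d+:\d+)", line):
                cfg[name] = to_seconds(val)
    return cfg

def audit_timeouts(text):
    """Flag timeouts above the defaults and check the PIX rule xlate >= uauth."""
    cfg = parse_timeouts(text)
    too_long = sorted(n for n, d in DEFAULT_TIMEOUTS.items()
                      if n in cfg and cfg[n] > to_seconds(d))
    return {"too_long": too_long, "xlate_ge_uauth": cfg["xlate"] >= cfg["uauth"]}

def stale_connections(sh_conn, cfg):
    """Return (proto, idle_seconds) for entries idle past the conn/udp timeout in cfg."""
    stale = []
    for proto, idle in re.findall(r"^(TCP|UDP) .*? idle (\d+:\d+:\d+)", sh_conn, re.M):
        limit = cfg["conn"] if proto == "TCP" else cfg["udp"]
        if to_seconds(idle) > limit:
            stale.append((proto, to_seconds(idle)))
    return stale
```

Running audit_timeouts(SAMPLE_TIMEOUTS) lists nine keywords above their defaults, and stale_connections(SAMPLE_SH_CONN, parse_timeouts("timeout conn 1:00:00 udp 0:02:00")) shows which of the posted connections the default timeouts would already have removed.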
