Pix 501 connection problem

ccosper08
Level 1

I have set up two PIX 501s running OS version 6.3(5) with a 10 user license between two offices connected via DSL. Traffic flows both ways as intended. However, occasionally I have a problem where I cannot remote onto any machine at the remote office from my main office using various methods (remote desktop, vnc, pcanywhere, etc) or access network shares. I can ping these machines and I do receive replies. Why would icmp work and not anything else? The only way I have found to restore the connection is to reboot (reload) the pix at my main office. As soon as it comes back up the connections work. Could this be a licensing issue, as I have only 10 licenses? When I do sh conn from the console it shows 23 in use 43 most used on the pix at my office and 27 in use 71 most used at the remote office. Does this indicate that I am over the limit? Could this be my problem? I need to get this fixed asap as rebooting the pix kicks the remote users off for a few seconds. Are there any other commands I can use to figure out the problem? Any help would be greatly appreciated.

8 Replies

andrew.prince
Level 10

The show conn command can show multiple connections from the same machine.

If you have a switch at the sites, see how many MAC addresses are present, and also whether there are any unauthorised "hubs" attached.

At the end of the day, the licensing is for known IP addresses on the inside interface. Do a show arp on the firewall to see how many IPs are actually known.

At the main office I count 1 outside IP address and 14 inside. At the remote office I count 1 outside and 10 inside. Does this mean I need to buy a 50 license upgrade for both locations? Thanks again...

Yep - upgrade the licenses - or if you have a spare router with 2 interfaces to hand...place in-line and NAT!! ;o)

HTH>

So would this be causing the icmp packets to flow but not any others? Also how do you upgrade the license?

Thanks again...

Only resources from the inside interface to the outside interface hit the license requirements; I don't think icmp is considered.

You have to purchase more licenses, then add the license key to the firewall.

HTH>

Yes, I can purchase a license from my distributor, but once I get it how do I install it on the pix? Thanks again...

You will receive a PAK code. You convert the PAK code to a licence key at www.cisco.com/go/license

Then input the emailed key on your pix:-

activation-key xxxx-xxxx-xxxx

Well I received my unlimited user license for the main PIX and the 50 user license for one of the remote offices. I added the activation key and everything went according to plan. I notice when I do a sh ver that it shows IKE peers is 10. Is this anything to be concerned about? When I do a sh crypto isakmp sa from the main pix at my office it shows the two remote offices (two lines with a unique ip) that I have connected and each ip has a column that says created 3. Does that mean that I have 6 in use?
