Connection number limitation in PIX firewall 515 / vers. 6.3(3)

Unanswered Question
Feb 2nd, 2006

Hi,

Is there a limitation on the number of connections in a PIX firewall? If so, what happens if the PIX reaches the limitation? It seems my PIX (PIX-515, 32 MB RAM) cuts the connection to the Internet every time it gets too busy.


Thanks a lot

Sfanayei

sachinraja Thu, 02/02/2006 - 08:15

Yeah sfanayei... each PIX can perform only up to a certain number of concurrent connections. For e.g., a PIX 515E can support up to 130,000 concurrent connections; a PIX 525 can support 280,000 connections. When this value is reached, the PIX might either hang/go down or drop any new connections. Normally a PIX model should be selected keeping in mind the max concurrent connections, by looking at the total number of users on the inside and the applications they access.


Hope this helps... all the best... rate replies if found useful.


Raj

sheldex Thu, 02/02/2006 - 12:10

Hi Raj, I just want to ask a few more questions re the 515E.


I am setting up a new company at the moment and it's going to be an online business. We have an HA pair of 515Es and I am a bit worried about how much traffic it can take.


The infrastructure at the moment is going to be in a datacentre, and a 10 Mb pipe will be connected to the PIX for incoming users.


The question is: can you explain what happens to the PIX if someone logs onto the website, with regards to sessions or connections (is there a difference?), i.e. what is considered a session, a concurrent session and a simultaneous connection? Also, is the 130K per second, or is it at any one time? Can you have different sessions in one connection?


We will be marketing the business, so we estimate we might have 1 million users on the site over an 8-hour period, or maybe 200,000 at peak times over maybe a 10-minute period. Would the PIX 515E be able to handle that? If not, which one of the PIXes could? As well as:

When a connection is dropped, what kind of error does a user get? Can we show them a holding page etc.?

What does an accelerator card do?

I understand that the figure of 130K is based on the uplink ports on the PIX. So if the PIX has 2 ports, is it really 65,000 concurrent connections it can accommodate?


Can you give me some feedback on the above, as well as some documentation that could enlighten me?


Thanks

sachinraja Thu, 02/02/2006 - 21:04

Uff... too many questions!!! Anyway, I will try to answer some of them...


There is a big difference between translations and connections/sessions. A translation depicts layer 3 and a connection depicts layer 4 state information in the PIX. Consider a user 10.0.0.1 going out with an IP address 192.168.1.1. In this case he will have only one translation, which is 10.0.0.1->192.168.1.1, but can have multiple connections, which depends on the sessions he is trying to open. E.g., if he opens Yahoo, he will have a connection; for some other website, he might have another connection, and so on. But he will have only one translation.


Concurrent connections is the number of TCP/UDP connections maintained in the PIX at any time. For e.g., if the present connections are 7800, and in case any user opens a webpage or application, it will become 7801 and so on. It is not calculated per second; it is an aggregate value at any point of time.


When the concurrent connections fill up, any user trying to open a connection will not be allowed to traverse the PIX, because any traffic passes through the PIX only if the connection entry exists. That's the way the PIX works. But practically, I think the PIX might hang when such huge traffic flows through it. When the total number of connections exceeds the value, the memory in the PIX will be fully utilised and the PIX might hang.


Depending on this, you can choose a PIX firewall series. Just see the number of users and what type of applications they will use. For e.g., if the total number of users is 100, you can very well go for a PIX 515E, because no way is a user going to use 1800 connections (total conn 180000). You need to calculate like this. I guess if your network is big, you can go for a PIX 525 or 535.


Hope this helps... all the best... rate replies if found useful.


Raj

sfanayei Fri, 02/03/2006 - 01:00

Hi,


Thanks for your reply. And I was thinking: how can I debug the problem?



Regards

Shahryar Fanayei

sachinraja Fri, 02/03/2006 - 05:42

Hello,


You can give a "show conn" and see the output. "show xlate" will show you the translation table. See the normal values of "show conn" and "sh xlate" and compare when you have a problem. If the values are too high when compared with the normal values, you have to see what the problem is. You can probably have a sniffer or IPS appliance to track this and block it.


Hope this helps... all the best...


Raj
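The two points Raj makes above (one translation per inside host but many connections, and "compare show conn against its normal value when the box is in trouble") lend themselves to a small offline check. The script below is an added example written for this page, not code from the thread or from Cisco: it parses lines in the PIX 6.x "show conn" format, counts connections per inside host, separates TCP entries that never reached the U (up) state, and reports any inside host holding far more than a per-host baseline. The sample output is constructed, the flag interpretation (no "U" means not yet established) and the 130,000 figure (taken from the thread, not verified here) are assumptions, and "show conn count" is assumed to print "N in use, M most used".

```python
"""Offline triage of PIX 6.x 'show conn' output: who is eating the connection table?"""
import re
from collections import Counter

# Constructed sample in PIX 6.x "show conn" format (assumption: not captured
# from a real device). Two ordinary inside hosts, plus 10.0.0.23, which has
# opened a burst of unanswered TCP connections to port 445 on consecutive
# outside addresses, the kind of pattern a worm or scanner produces.
NORMAL_LINES = [
    "TCP out 64.233.161.99:80 in 10.0.0.1:1056 idle 0:00:02 Bytes 2132 flags UIO",
    "TCP out 64.233.161.99:443 in 10.0.0.1:1057 idle 0:00:10 Bytes 844 flags UIO",
    "UDP out 192.168.100.2:53 in 10.0.0.1:1058 idle 0:00:01 flags -",
    "TCP out 198.51.100.7:80 in 10.0.0.2:1100 idle 0:00:04 Bytes 5120 flags UIO",
    "TCP out 198.51.100.7:80 in 10.0.0.2:1101 idle 0:00:05 Bytes 3301 flags UIO",
]
BURST_LINES = [
    f"TCP out 203.0.113.{i}:445 in 10.0.0.23:{2000 + i} idle 0:00:0{i % 10} flags saA"
    for i in range(1, 41)
]
SAMPLE_SHOW_CONN = "\n".join(NORMAL_LINES + BURST_LINES) + "\n"

# One "show conn" entry: proto, outside ip:port, inside ip:port, idle timer,
# optional byte count (UDP entries may lack it), and the flag string.
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+idle\s+(?P<idle>[\d:]+)"
    r"(?:\s+Bytes\s+(?P<bytes>\d+))?\s+flags\s+(?P<flags>\S+)\s*$"
)
COUNT_RE = re.compile(r"(?P<in_use>\d+) in use, (?P<most_used>\d+) most used")


def parse_show_conn(text):
    """Return one dict per parsable 'show conn' line; unknown lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["out_port"] = int(d["out_port"])
        d["in_port"] = int(d["in_port"])
        d["bytes"] = int(d["bytes"]) if d["bytes"] else 0
        # Assumption: a TCP entry without the "U" (up) flag has not completed
        # its handshake. UDP has no handshake, so it is always counted as up.
        d["established"] = d["proto"] != "TCP" or "U" in d["flags"]
        conns.append(d)
    return conns


def parse_conn_count(text):
    """Parse 'show conn count' style output into (in_use, most_used)."""
    m = COUNT_RE.search(text)
    if not m:
        raise ValueError("no 'N in use, M most used' line found")
    return int(m.group("in_use")), int(m.group("most_used"))


def conns_per_host(conns):
    """Connections per inside address: many conns, one xlate, as Raj describes."""
    return Counter(c["in_ip"] for c in conns)


def embryonic_per_host(conns):
    """TCP connections per inside address that never reached the up state."""
    return Counter(c["in_ip"] for c in conns if not c["established"])


def find_outliers(conns, baseline_per_host, factor=5):
    """Inside hosts holding more than factor x the normal per-host count.

    baseline_per_host is what 'show conn' shows for a typical host on a good
    day; the caller records it while the box is healthy.
    """
    per_host = conns_per_host(conns)
    embryonic = embryonic_per_host(conns)
    outliers = []
    for ip, n in per_host.most_common():
        if n <= baseline_per_host * factor:
            continue
        ports = Counter(c["out_port"] for c in conns if c["in_ip"] == ip)
        outliers.append({
            "in_ip": ip,
            "conns": n,
            "embryonic": embryonic[ip],
            "top_dst_port": ports.most_common(1)[0][0],
        })
    return outliers


def headroom(total_conns, platform_limit):
    """Fraction of the platform's connection table still free (0.0 .. 1.0)."""
    return 1.0 - total_conns / platform_limit


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    print(f"{len(conns)} connections, headroom {headroom(len(conns), 130000):.4%}")
    for o in find_outliers(conns, baseline_per_host=3):
        print(f"{o['in_ip']}: {o['conns']} conns, {o['embryonic']} embryonic, "
              f"mostly to port {o['top_dst_port']}")
```

In practice you would paste the real "show conn" output into a file and feed it to parse_show_conn; a host with many embryonic connections to one port across many destinations is the first thing to look at before assuming the PIX itself is the problem.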
